Russian Authorities Make Rare Arrest of Malware Author

Russia has a history of turning a blind eye to cybercrime operations that attack organizations outside of Russia. Russian authorities often ignore or dismiss indictments by US authorities so long as the attack did not affect Russian citizens. In a rare move, Russian authorities arrested a cyber threat actor operating under the username “1ms0rry” in late September. 1ms0rry and six accomplices created several malware strains that earned them close to 4.3 million Russian rubles ($55,000 USD) over a two-year period. 1ms0rry reportedly sold his malware strains on Russian criminal forums, and some of them were used as the basis for even more powerful malware strains. The criminal community has condemned 1ms0rry’s actions on criminal forums, reiterating its rule that hackers are forbidden from attacking Russian citizens. As long as they follow this rule, they can usually operate freely.

Analyst Notes

A report by Benoit Ancel, a malware analyst with CSIS Security Group, linked 1ms0rry to the following malware strains:

• 1ms0rry-Miner: a trojan that, once installed on a system, starts secretly mining cryptocurrency to generate profit for its author.
• N0f1l3: an info-stealer trojan that can extract and steal data from infected computers. Capabilities include the ability to steal browser passwords, cryptocurrency wallet configuration files, Filezilla FTP credentials, and specific files stored on a user’s desktop.
• LoaderBot: a trojan that can be used to infect victims in a first stage and then deploy other malware on-demand during a second stage (aka a “loader”).

Enterprise network defenders should plan to detect and deter cyber criminals who continue to operate out of Russia and other countries with a track record of not investigating crimes committed against the rest of the world. Although arrests are unlikely, it is still useful to report relevant information about major cyber crimes to law enforcement authorities, for two reasons. First, law enforcement can often seize servers operated by criminals and share more detailed information about malware operations with defenders. Second, when foreign criminals travel to countries from which extradition is possible, even well-protected Russian criminals have sometimes been brought to justice in US courtrooms and in the criminal justice systems of other countries.