2014-07-02 04:12 PM
With the 2014 World Cup in full swing, all eyes have been on Brazil since the middle of June. As the world watches their favorite national teams battle on the pitch, IT security professionals at a number of Brazil’s banks are being challenged in a separate battle of their own with cybercriminals.
Through a coordinated investigation spanning three continents, RSA Research has uncovered details of a substantial malware-based fraud ring that is operating with significant effectiveness to infiltrate one of Brazil’s most popular payment methods – the Boleto.
Based on evidence gleaned from this fraud investigation, RSA Research discovered a Boleto malware or “Bolware” fraud ring that may have compromised 495,753 Boleto transactions over a two-year period. While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $3.75 billion USD (R$ 8.57 billion).
Read all about this and access the full report by RSA Research via the following link: https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/
2014-07-03 10:58 AM
RSA Security Analytics will monitor all communication between the organization and the Boleto malware C&C server, and can spot fraudulent activity by using the Boleto IOCs that are in the RSA Live feed. The feed will be updated as needed, providing companies with protection against the Boleto malware.
RSA Live feed info regarding Boleto fraud is as follows:
- Feed: RSA FirstWatch Command and Control IPs
- Pivot: threat.desc = c2-ip-bolware
Note: RSA Security Analytics only has visibility into employee machines and not customer endpoints
2014-07-03 11:01 AM
From one of our researchers:
Boleto malware samples, hashes, IOCs, PCAP, etc.
Please find all the relevant information attached. Additionally, I’ve attached the relevant samples which have been analyzed by our team (pass: infected).
MD5                              | Drop IP
abd12e781bf793611f6c85209beb998b | 75.102.25.197
a0bf5d7d4382712ac08aed531242ea40 | 75.102.25.197
75e04fca3ac0fd6e9fee6ddb1a67bca0 | 75.102.25.197
7c6bbe185d37148f026d75ca97311a6d | 216.246.91.222
b202b2756c8931d790244e4d01359eea | 216.246.91.222
6938eee6056f8f92a45894b7a2fd7164 | 216.246.91.222
5f856a3edf769f01061b13b2a1165d2c | 216.246.30.5
8817ccde8d83e9ba9f1856a6fcdd3dd9 | 216.246.30.5
c339462a644297abae22380329a63578 | 216.246.30.5
da00f584285da62b26a687fc3af08086 | 216.246.30.5
79a1807c42d586fb4e6e2309fc05cceb | 216.246.30.5
6a18c9826065c1eb01e0f32e9d27182c | 216.246.30.5
bb7909125aa1d1576324a05830873cb9 | 216.246.30.5
a6fdb84512df3eee6b06c467fedc7ff3 | 216.246.30.5
4b669b18093620922f4569301aef76da | 216.246.30.5
ef56bbdc9a4d23c6ca7936d59e379052 | 216.246.30.5
258fc4c6a28ba74525f406a5260dde62 | 216.246.30.5
ae01a2408cbb26d69133c8bf0db3a4c5 | 216.246.30.5
16ea140573f37e5c0bbb99e7123f9af4 | 216.246.30.5
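An added example, not part of the thread and not RSA's code, of how a responder would actually consume the MD5/drop-IP table above: parse it defensively (malformed rows and the header are skipped rather than accepted), then use the resulting sets as detection logic over outbound connection logs and an endpoint file-hash inventory. The log line format, host names and file paths below are constructed for illustration and are not real traffic or real infections; hash matching is case-insensitive because different tools emit MD5 in different case.

```python
import re
from typing import Dict, List, Tuple

# IOC table from the post above, pasted as-is (header included on purpose
# so the parser has to skip it).
BOLWARE_IOC_TABLE = """
MD5 | Drop IP |
abd12e781bf793611f6c85209beb998b | 75.102.25.197 |
a0bf5d7d4382712ac08aed531242ea40 | 75.102.25.197 |
75e04fca3ac0fd6e9fee6ddb1a67bca0 | 75.102.25.197 |
7c6bbe185d37148f026d75ca97311a6d | 216.246.91.222 |
b202b2756c8931d790244e4d01359eea | 216.246.91.222 |
6938eee6056f8f92a45894b7a2fd7164 | 216.246.91.222 |
5f856a3edf769f01061b13b2a1165d2c | 216.246.30.5 |
8817ccde8d83e9ba9f1856a6fcdd3dd9 | 216.246.30.5 |
c339462a644297abae22380329a63578 | 216.246.30.5 |
da00f584285da62b26a687fc3af08086 | 216.246.30.5 |
79a1807c42d586fb4e6e2309fc05cceb | 216.246.30.5 |
6a18c9826065c1eb01e0f32e9d27182c | 216.246.30.5 |
bb7909125aa1d1576324a05830873cb9 | 216.246.30.5 |
a6fdb84512df3eee6b06c467fedc7ff3 | 216.246.30.5 |
4b669b18093620922f4569301aef76da | 216.246.30.5 |
ef56bbdc9a4d23c6ca7936d59e379052 | 216.246.30.5 |
258fc4c6a28ba74525f406a5260dde62 | 216.246.30.5 |
ae01a2408cbb26d69133c8bf0db3a4c5 | 216.246.30.5 |
16ea140573f37e5c0bbb99e7123f9af4 | 216.246.30.5 |
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_ioc_table(text: str) -> Dict[str, str]:
    """Return {md5: drop_ip}. Rows that are not a well-formed MD5 plus an
    IPv4 address (the header, blank lines, typos) are dropped, so a bad
    paste cannot turn into a bogus indicator."""
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        cells = [c.strip().lower() for c in line.split("|") if c.strip()]
        if len(cells) != 2:
            continue
        md5, ip = cells
        if MD5_RE.match(md5) and IPV4_RE.match(ip):
            iocs[md5] = ip
    return iocs


# Constructed firewall/proxy log lines (assumed format, not real traffic):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_CONN_LOG = [
    "2014-07-03T10:12:01 10.20.30.41 -> 216.246.30.5:80",
    "2014-07-03T10:12:05 10.20.30.41 -> 93.184.216.34:443",
    "2014-07-03T10:14:22 10.20.30.77 -> 75.102.25.197:8080",
    "2014-07-03T10:15:00 10.20.30.12 -> 10.20.30.1:53",
    "garbage line that should not crash the matcher",
]
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def find_c2_connections(log_lines: List[str], iocs: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Flag outbound connections whose destination is a known drop IP."""
    drop_ips = set(iocs.values())
    hits = []
    for line in log_lines:
        m = CONN_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never raise mid-scan
        ts, src, dst, port = m.groups()
        if dst in drop_ips:
            hits.append((ts, src, dst, int(port)))
    return hits


# Constructed endpoint inventory (host, path, md5); hosts and paths are assumed.
SAMPLE_FILE_HASHES = [
    ("HOST-A", r"C:\Users\ana\AppData\Local\Temp\boleto.exe", "5F856A3EDF769F01061B13B2A1165D2C"),
    ("HOST-B", r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]


def find_known_samples(records: List[Tuple[str, str, str]], iocs: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Match file hashes against the sample list; returns the drop IP that
    sample talks to so the host can be cross-checked against the network hits."""
    hits = []
    for host, path, md5 in records:
        h = md5.strip().lower()
        if h in iocs:
            hits.append((host, path, h, iocs[h]))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(BOLWARE_IOC_TABLE)
    print(f"{len(iocs)} sample hashes, {len(set(iocs.values()))} drop IPs")
    for hit in find_c2_connections(SAMPLE_CONN_LOG, iocs):
        print("C2 contact:", hit)
    for hit in find_known_samples(SAMPLE_FILE_HASHES, iocs):
        print("known sample:", hit)
```

Because the Security Analytics note above says the feed only sees employee machines, a network hit from an internal source address is the actionable signal here; the file-hash pass is what you run on the endpoint once a host shows up in the connection matches.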
2015-04-02 02:17 PM
What is the password to open the file bolware_samples.zip? I tried infected, but without success.
2015-04-02 02:29 PM
I’m working on getting the password. Sorry about that.
2015-04-03 08:00 AM
The correct password is actually "rsa".
2015-04-03 08:21 AM
Thank you very much!