‘Avalanche’ Global Fraud Ring Dismantled

In an ‘unprecedented global law enforcement response’ to cybercrime, federal investigators in the United States, United Kingdom and Europe have today announced that they have dismantled a sprawling cybercrime machine known as “Avalanche” — a distributed, cloud-hosting network that for the past seven years has been rented out to fraudsters for use in launching countless malware and phishing attacks.

According to Europol, the action was the result of a four-year joint investigation between Europol, Eurojust the FBI and authorities in the U.K. and Germany that culminated today, Nov. 30, 2016 with the arrest of five individuals, the seizure of 39 servers, and the takedown of more than 830,000 web domains used in the various cyber-crime schemes.

Built as a criminal cloud-hosting environment to be rented out to scammers, spammers other criminals, Avalanche has been a major source of cybercrime for several years. In 2009, when investigators say the fraud network first opened for business, Avalanche was responsible for funneling roughly two-thirds of all phishing attacks aimed at stealing usernames and passwords for bank and e-commerce sites. By 2011, Avalanche was being heavily used by crooks to deploy banking and other Trojans.

The U.K.’s National Crime Agency (NCA), says the more recent Avalanche fraud network comprised up to 600 servers worldwide and was used to host as many as 800,000 web domains at a time.

“Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data,” the NCA said in their statement released today on the crime-ring takedown.

These criminals used the stolen information for fraud or extortion. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer.At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.”

The Avalanche crimeware network was particularly resilient as it utilized a DNS update technique known as fast-flux, a kind of round-robin system that allows botnets to hide phishing and malware delivery sites behind a constantly-changing network of compromised systems acting as proxies in front of the actual hosting environment used for the crimeware.

“The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action,” Europol said in its statement.

As a key member of a technical subgroup, Shadowserver worked with partners to build the sinkholing infrastructure and coordinate the intentional DNS registry/registrar activities. This resulted in disruption of the criminal operated Avalanche infrastructure and sinkholing of elements of the following malware families:

• Bolek
• Citadel
• CoreBot
• Gozi2
• Goznym
• KINS / VMZeus
• Marcher
• Matsnu
• Nymaim
• Pandabanker
• Ranbyus
• Rovnix
• Smart App
• Smoke Loader / Dofoil
• TeslaCrypt
• Tiny Banker / Tinba
• Fake Trusteer App
• UrlZone
• Vawtrak
• Xswkit

This operation has been a mammoth effort involving complex international coordination, with the final operational take down being conducted from Europol/EC3’s Headquarters over the past 3 days. The takedown operation publicly announced by Europol at 15:00 UTC on December 1st 2016.

Remediation Advice

While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals – they are still infected with one or more families of malware and likely to be vulnerable to others. Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users.

In alphabetical order they include:

German BSI:

• https://www.bsi-fuer-buerger.de/botnetz
• http://www.bsi-fuer-buerger.de/EN/avalanche

Avira:

http://install.avira-update.com/package/pccleanerwebloader/win32/de/avira_pc_cleaner_de.exe

BitDefender:

• http://download.bitdefender.com/removal_tools/BDRemTool.exe

Dr Web:

• https://free.drweb.com/download+cureit+free/?lng=en

ESET Online Scanner:

https://www.eset.com/us/online-scanner/

F-Secure:

• https://www.f-secure.com/en/web/home_global/online-scanner

GData:

• https://www.gdata.de/pc/sp/blog/avalanche?utm_id=89

McAfee Stinger:

• http://www.mcafee.com/us/downloads/free-tools/index.aspx

Microsoft Safety Scanner

• https://www.microsoft.com/security/scanner/en-us/default.aspx

Norton Power Eraser:

• https://security.symantec.com/nbrt/npe.aspx