Archer

Researchers find signs of collaboration between two of the world’s malicious hacking powerhouses.

On the dark screen, a white skull appears, along with the word “Hackers” in English. The music starts, and then the “Hacker’s Rap”—in Portuguese—begins.

“I’m a virtual terrorist, a criminal,” a man sings in this Brazilian music video, according to a translation by Kaspersky Lab. “On the Internet, I spread terror, have nervous fingers. I’ll invade your PC, so heads up. You lose, playboy. Now your passwords are mine.”

Those “nervous fingers” in Brazil are now trying out the Cyrillic keyboard, connecting with malicious hackers six time zones away. The result, Kaspersky Lab security researcher Thiago Marques says, is a collaboration between Brazilian and Russian hackers that is giving rise to more formidable online attacks.

Brazilian malware, once very basic and easy to detect, has become sophisticated and hard to uncover, Marques said in a blog post.

“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways,” said Marques.

Culture clash

Brazil and Russia developed their own malicious hacking cultures separately—as different, perhaps, as cool Siberian vodka and hot Brazilian cane rum.

They became—on their own—powerful online attack forces, each with their own “local flavor,” said Kaspersky analyst Fabio Assolini in a post.

In Brazil, it appears to be a “Bonnie and Clyde” crime lifestyle where hackers flaunt their new-found wealth and live a life of decadence, he said.

“The Brazilian criminal underground includes some of the world’s most active and creative perpetrators of cybercrime,” said Assolini.

That creativity led to the hacking of a Brazilian bus station last year, where hackers replaced the bus schedules on the giant monitors with pornography, as reported by Techworm. It may also have helped Brazilian hackers establish a world of crime so powerful and daring that cyber gang members post pictures of themselves with wads of cash and buy expensive mansions with their take.

But their unsophisticated malware was stoppable. Enter the Russian hackers.

Change in technique

Researchers began to see a change in Brazilian cyber crime.

“We detected some malicious activities where techniques commonly found in malware from Eastern Europe were then found in Brazilian malware and vice versa,” Marques told Archer News.

One example of the collaboration, he said—the malicious PAC [proxy auto-config] scripts that Brazilian hackers used heavily later showed up in Russian banking attacks.

“They are cooperating with malicious code that will be used on local attacks as well as some features that will be implemented in new attacks,” he said.

In addition, he said Brazilian cyber criminals have started using the same criminal infrastructure as their Russian counterparts, like the DGA [domain generation algorithm] domains hosted by “bulletproof” companies from Ukraine. A domain generation algorithm can create a large number of seemingly random domain names that can be hard for law enforcement and security researchers to track.
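
How defenders look for the pattern described above, as an added example that is not from Kaspersky Lab or the original article: a Python heuristic that flags clients making several failed lookups for long, high-entropy, vowel-poor names. The log format, thresholds, addresses and domain names are constructed assumptions, and the NXDOMAIN signal assumes that most generated names are never registered.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1700000001 10.0.0.23 xkqjzvbnwplrtd.example NXDOMAIN
1700000002 10.0.0.23 h7fq2mzk9wbx4tcv.example NXDOMAIN
1700000003 10.0.0.23 pzrwqmtkvdlxgbnc.example NXDOMAIN
1700000004 10.0.0.23 onlinebanking.example NOERROR
1700000005 10.0.0.40 onlinebanking.example NOERROR
1700000006 10.0.0.40 onlinebankng.example NXDOMAIN
1700000007 10.0.0.40 xkqjzvbnwplrtd.example NOERROR
""".splitlines()

def shannon_entropy(label):
    """Bits per character; high values mean little repetition."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(label, min_len=12, min_entropy=3.5, max_vowels=0.25):
    """Heuristic only: long, high-entropy, vowel-poor labels."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowels

def suspect_clients(lines, min_distinct=3):
    """Map client -> sorted generated-looking names that failed to resolve."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        if rcode != "NXDOMAIN" or len(labels) < 2:
            continue
        # Naive: treats the label left of the TLD as the registered name.
        if looks_generated(labels[-2]):
            hits[client].add(qname.lower().rstrip("."))
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_distinct}

if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_LOG).items():
        print(client, names)
```

A single mistyped name (the second client's failed lookup) stays below both the per-name and per-client thresholds, which is why the check counts distinct failures per client rather than alerting on one odd domain.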

Language barrier?

Portuguese-speaking hackers are willing to venture into Russian-speaking territory online, the underground forums where Russian hackers hawk their wares, Marques said.

“It is not unusual to find Brazilian criminals trying to negotiate malicious services on those forums,” he added.

In one case, a Brazilian hacker named Doisti74 who is known to spread ransomware appeared in an underground forum popular with Russian speakers, according to Kaspersky Lab.

Doisti74’s goal—to see if any Russian forum-users had “Brazilian loads,” in other words, victims in Brazil who already had malware on their computers and were ripe for the picking. 

Smooth operators

Brazilian hackers now run trickier, more complex malware, said Marques.

For example, Brazilian malware can now send a message to a person logging onto their bank account that looks like it is from the bank and appears to show a security update in progress. In reality, the hackers have locked your screen, and are busy stealing information. If the bank requires a special security code from a text message to get in, the attackers can get the bank to send you the code on your phone, and then trick you into entering the code as part of the “update” process.

“It was clear that they had moved on completely from using beginner’s code to a much more professional development,” Marques said.

They also run more businesslike operations, according to Assolini.

“The professionalization of organized cybercrime, as observed in Eastern Europe, is now adopted by the Brazilian crime underground,” he wrote. “Investment in technology and marketing is aimed at increasing their profits.”

He cited Brazilian posts on underground forums advertising buy-one-get-one-free-style incentives for malware customers.

“Buying any social engineering kit, you also earn kits for banker, credit card and frequent flyer miles,” one ad reads. Plus, you get “one million free spam messages.”

Another seller is ready for you to pay him to do a DDoS attack [a distributed denial of service attack that can shut down a website], and offers you his bronze, silver, gold or platinum plan. You can even go for his “ultimate” plan, which will buy you a full hour of DDoS for only $40.

Who will be their victims?

Brazilian hackers usually rip off their fellow countrymen, their banks, their businesses and their government, and apparently with gusto, according to researchers.

“Brazil is one of the most attacked countries in the world,” said Marques, “with a very specific type of attack targeting local users.”

But that does not mean they won’t target people outside the country.

Kaspersky Lab reported in 2013 that researchers found Brazilian banking Trojans [a malicious computer program] targeting banks across Latin America, from Mexico to Argentina. Brazilian bank attacks hit Europe too, including Portugal and Spain.

“All these Brazilian Trojans demonstrate that cybercrime has no borders!” wrote Assolini.

Brazilian hackers have made some forays into the U.S. as well, including an attempt to hack the National Security Agency, according to The Telegraph, and a sabotage of Citigroup’s U.S. website, reported The Wall Street Journal.

Foreign exchange

Cyber attacks are on the rise in Latin America, and not just because of Russia’s connections with Brazil, said Kaspersky’s Dmitry Bestuzhev last year, according to Reuters.

He told Reuters that a significant number of Peruvian students go to Russia to attend Russian universities, and come home with new and potentially dangerous knowledge and connections.

“They return and often they are demotivated, they have studied six or eight years, and when they return to their country the work offered is low profile and mediocre paid,” Bestuzhev said.

With assistants in Brazil and Peru, Russian hackers can then test out new malware on Latin American countries before letting it loose in other parts of the world, he said.

Double-teaming

The international collaboration between malicious hackers in two of the world’s largest countries, Russia and Brazil, will probably continue, Marques said.

“It means that this cooperation will likely increase over the years as Brazilian cybercriminals are always looking for new ways to attack businesses and online users,” he predicted.

This emerging global economy of cyber thieves will make it easier for criminals, but harder for the investigators who try to catch them.

You can expect “even more complex local malware attacks with enhanced obfuscation, encryption, anti-debugging tricks,” Marques said. “The defenders should be ready for that.”