Category: Spain

Sep 04 2013

Spanish RAT

Contributor: Roberto Sponchioni

Symantec Security Response has recently come across a new remote access tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish speaking underground and the builder itself is rather straightforward with several standard functions, although one function is interesting and is worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe in order to improve its chances of evading detection.

Spanish RAT 1.png

Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker

Real time desktop monitoring
Backdoor.Alusins allows an attacker to view the victim’s desktop and monitor user activity in real time.

Spanish RAT 2 edit.png

Figure 2. Desktop view of compromised computer

Webcam monitoring
It can also monitor and capture real time webcam activity.

Spanish RAT 3.png

Figure 3. Webcam session

Keylogging functionality
Backdoor.Alusins also has the ability to monitor keystrokes on a compromised computer in real time in order to steal information, such as login credentials.

Spanish RAT 4.png

Figure 4. Keylogger

The RAT allows an attacker to communicate directly with the victim by using a series of customizable system error messages. This messaging feature has the potential for great mischief or remote harassment. The attacker could, at any time, send annoying messages or popups to the victim while at the same time, observing the user’s reactions through the webcam. It’s possible that whoever created this tool, had online interactive scams in mind when creating this feature.

Spanish RAT 5.png

Figure 5. Custom error messages that can be displayed on compromised computer

Additionally, Backdoor.Alusins allows an attacker to perform the following actions on a compromised computer:

  • Monitor processes
  • Open Web pages
  • Open and close the optical drive
  • End sessions
  • View installed programs
  • View all services
  • Download and execute files
  • Connect to a remote host to receive commands
  • View the Windows registry
  • Retrieve the type and version of installed firewall
  • Retrieve the type and version of installed antivirus software
  • Exfiltrate system information such as computer name, user name, IP address, operating system version, and language
  • Retrieve a list of processes (PID and associated process name)
  • Send emails using specified user names and passwords
  • Steal user names and passwords for Pidgin and Filezilla
  • View or end system processes

This threat is a low prevalence remote access tool that is targeted at, but not limited to, the Spanish hacker base. Symantec detects the back door builder and the back door as Backdoor.Alusins.

To stay protected against this remote access tool and other threats it is essential that users keep their antivirus definitions, operating system, and software up-to-date.

Jun 10 2013

Scammers Take Advantage of Dance Grand Prix Europe 2013

Contributor: Vivek Krishnamurthi

The International Dance Competition “Dance Grand Prix Europe” is set to begin June 12 and will be hosted in Spain. The purpose of the competition is to showcase all the top dancers from various dance schools and this major event attracts choreographic talent from around the world. Spammers also don’t want to miss this event and the opportunity to circulate a scam.


Figure 1. Dance Grand Prix Europe 2013 spam

To grab the reader’s attention, the spam email reveals some appealing facts about the event along with "only a little fee" required but no additional charges for participation in the event. Clicking the URL will automatically redirect the user to a website containing a bogus offer.


Figure 2. Pirated website looks like original, changed contact information (green box)


Figure 3. Original and legitimate event website

Interestingly, to trick users into trusting the fake website, spammers also added a widget at the bottom left of the page that monitors online visitors and displays a random number of users online. The main motive of these spam campaigns is to lure recipients and acquire their personal and financial information. Users should be careful and avoid clicking the links.

Some of the subject lines observed in this spam campaign include the following:

  • Subject: DanceGrandPrixEurope from the 12th to 16th June 2013. Competition for Dance Schools/Groups from all over.
  • Subject: Grand Prix Spain. Competition for Dance Schools&Groups from the 12th to 16th June 2013.
  • Subject: Greetings from all of us at Dance grand Prix Europe Season 2013! As Holiday Season approaches. GIFT YOURSELF & Your School/Groups a "DanceYear" 2013 to remember! Book our European Dance Competitions now!

Symantec advises users to be cautious when handling unsolicited or unexpected emails related to the Dance Grand Prix Europe 2013 and to update antispam signatures regularly. Symantec also monitors spam attacks around-the-clock to ensure users are kept up to date on the latest threats.

Feb 13 2013

Spanish police bust alleged “ransomware” ring that took in $1.34M annually

Spanish authorities announced Wednesday that they had arrested 10 people who were allegedly involved in a massive “ransomware” ring. The European Cybercrime Centre estimated that the criminal operation "affected tens of thousands of computers worldwide, bringing in profits in excess of €1 million ($1.34 million) per year."

The Spanish Ministry of the Interior described (Google Translate) the lead suspect as a “a 27-year-old citizen of Russian origin who was arrested in December in the United Arab Emirates,” and now awaits extradition to Spain. The newly arrested 10 were linked to the financial cell of the ransomware operation and include six Russians, two Ukrainians, and two Georgians. The Ministry added that the operation remains “open,” suggesting that more arrests could be forthcoming. (Spanish authorities posted a video (RAR) of the new arrests and raid.)

Madrid dubbed the ransomware used by the ring a “police virus” because it throws up a notice that appears to come from law enforcement. The malware requires the user to pay €100 ($134) as a “fine” from a false accusation of accessing child pornography or file-sharing websites. When the victims submit their payment details, European authorities added, the “criminals then go on to steal data and information from the victim’s computer.”

Read 7 remaining paragraphs | Comments

Jun 10 2011

Spanish police arrest Anonymous hacking suspects

Spanish police have arrested three men, suspected of being members of the notorious Anonymous online protest group.

The men, whose names have not been made public, were detained in Alicante, Almeria and Barcelona.

Spanish police press conference

Spain’s Technological Investigation Brigade (BIT), the police unit who conducted the investigation, have held a live TV press conference about the arrests. According to BIT the men operated a cell of Anonymous, directing internet attacks against the likes of the Sony PlayStation store, and websites belonging to the governments of Egypt, Chile, Iran, Colombia, Algeria and Libya.

Fascinatingly, the authorities posted images on Twitter of IRC logs that appeared to show plans to attack Spanish police websites and the electoral board with a distributed denial-of-service attack.

Spanish police evidence

Spanish police are also said to have seized a server hosted in the city of Gijon. No doubt the authorities are hoping that that may yield clues which will help reveal the identities of other Anonymous activists.

The Spanish computer crime cops should be congratulated for their investigation into the more malicious activities of Anonymous.

If nothing else, these arrests may encourage others to think twice before participating in distributed denial-of-service attacks against websites and online organisations – an activity which some forget is against the law.