Bank account brute forcing tool by Strannik

A bank account brute forcing tool is a small program criminals use to check whether stolen bank account credentials are still valid against the bank's website. Despite the name, this is credential stuffing rather than brute forcing: the tool does not guess passwords, it replays known pairs. All it needs is a list of credentials in the format username:password.

We found one such program, called CapitalOne Brute, created by Strannik. It is meant to check accounts against Capital One's website. It is very easy and straightforward to use and has only a few buttons:

Base – List of credentials to use
Proxy – Proxy settings
Start – Start the brute forcing
Stop – Stop the brute forcing
Сбросить (Russian for "Reset") – Reset button

At the bottom, a set of counters keeps the criminal informed:
Source – Gives the number of credentials present in the list added
Proxy – Proxy list
Good – How many were successful
Bad – How many were unsuccessful
Error – How many got an error

In the center of the window, the program lists which username:password combinations worked.
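Seen from the bank's side, the Good/Bad/Error counters correspond to the login endpoint's accepted, rejected and errored POSTs, and that is what a defender can hunt for. The script below is an added example, not code from the original post or from the tool it describes. It assumes a simplified login log of "source IP, username, HTTP status" per line; the log format, the IPs and the usernames in SAMPLE_LOG are constructed for illustration, and LINE_RE would be adapted to a real access-log layout.

```python
"""Flag credential-stuffing traffic in login logs.

Added example, not code from the original post or from the tool it
describes. The log format (source IP, username, HTTP status of the login
POST) and every IP and username in SAMPLE_LOG are constructed for
illustration; adapt LINE_RE to your own access-log layout.
"""
import re
from collections import defaultdict

# Constructed sample: 200 = login accepted, 401 = rejected, 5xx = server
# error. These map onto the tool's own Good / Bad / Error counters.
SAMPLE_LOG = """\
203.0.113.5 alice 401
203.0.113.5 bob 401
203.0.113.5 carol 401
203.0.113.5 dave 200
203.0.113.5 erin 401
203.0.113.5 frank 503
198.51.100.7 gina 401
198.51.100.7 hank 401
198.51.100.7 ivan 401
198.51.100.7 judy 401
192.0.2.9 alice 401
192.0.2.9 alice 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<status>\d{3})$")


def parse(log_text):
    """Yield (ip, user, status) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], int(m["status"])


def summarize(log_text):
    """Per source IP: distinct usernames tried, Good/Bad/Error tallies and
    which usernames produced a successful login."""
    stats = defaultdict(lambda: {"users": set(), "good_users": set(),
                                 "good": 0, "bad": 0, "error": 0})
    for ip, user, status in parse(log_text):
        s = stats[ip]
        s["users"].add(user)
        if status == 200:
            s["good"] += 1
            s["good_users"].add(user)
        elif status >= 500:
            s["error"] += 1
        else:
            s["bad"] += 1
    return stats


def flag_stuffing(stats, min_users=3, min_fail_ratio=0.6):
    """A checker working through a username:password list shows up as one
    source trying many *distinct* usernames with mostly failures. A real
    user who mistypes retries the same username, so it is not flagged."""
    flagged = {}
    for ip, s in stats.items():
        attempts = s["good"] + s["bad"] + s["error"]
        fail_ratio = (s["bad"] + s["error"]) / attempts
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "good": s["good"]}
    return flagged


def compromised_accounts(stats, flagged):
    """Usernames that logged in successfully from a flagged source: these
    are the tool's 'Good' hits and need a forced password reset."""
    hits = set()
    for ip in flagged:
        hits |= stats[ip]["good_users"]
    return hits


def distinct_failed_users(log_text):
    """Because the tool rotates proxies, per-IP thresholds can be evaded.
    A site-wide count of distinct usernames with failed logins in the
    window is harder to hide and should be trended over time."""
    return len({user for _, user, status in parse(log_text) if status != 200})


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    flagged = flag_stuffing(stats)
    for ip, info in flagged.items():
        print(f"{ip}: {info}")
    print("reset these accounts:", sorted(compromised_accounts(stats, flagged)))
    print("distinct users with a failed login:", distinct_failed_users(SAMPLE_LOG))
```

The per-IP rule catches an operator running without proxies; once the Proxy button is in use, the same list is spread over many addresses and only the site-wide measure (distinct usernames failing per window, compared against a normal baseline) still moves. The accounts that produced a 200 from a flagged source are exactly the tool's Good list and are the ones to lock and reset first.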

[Screenshot: CapitalOne Brute forcing tool]

The package we found also included a list of credentials in a text file called 1_mill.user_pass.txt. The file actually holds 2,310,095 unique username and password combinations, far more than the filename suggests.

Upon execution, we observed that the program loaded into memory successfully and presented the string "Skype" as its file description (the FileDescription field of its version resource), so it does not stand out in a process list.

[Screenshot: Capitalone.exe memory process details]

The file properties give a creation date of October 11th, 2016, while the compile timestamp extracted from the binary's PE header reads March 27th, 2016. Neither value is reliable on its own: the filesystem date only records when the file landed on this machine, and the PE timestamp is a four-byte field the author can set to anything.
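Pulling that compile timestamp out of a Windows executable takes only a few header reads, and doing it by hand makes clear why it is so easy to forge. The script below is an added example, not code from the original post; it parses the DOS and COFF headers directly so it needs no third-party module. FAKE_PE_HEADER is a minimal header constructed here so the script runs stand-alone; it is not capitalone.exe, and its timestamp is a constructed value at midnight on the date the post reports.

```python
"""Read the compile timestamp (TimeDateStamp) from a PE file's COFF header.

Added example, not from the original post. FAKE_PE_HEADER is a constructed
minimal header for a stand-alone run, not the real capitalone.exe.
"""
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    # e_lfanew at 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_time(data: bytes) -> datetime:
    """TimeDateStamp as a UTC datetime. Remember it is attacker-controlled."""
    return datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc)


# Constructed header: DOS stub with e_lfanew = 0x40, then the PE signature
# and a 20-byte COFF header stamped 1459036800 = 2016-03-27 00:00:00 UTC.
_hdr = bytearray(0x40)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)
_hdr += b"PE\0\0" + struct.pack("<HHIIIHH",
                                0x14C,        # Machine: i386
                                3,            # NumberOfSections
                                1459036800,   # TimeDateStamp (constructed)
                                0, 0,         # PointerToSymbolTable, NumberOfSymbols
                                0xE0,         # SizeOfOptionalHeader
                                0x102)        # Characteristics
FAKE_PE_HEADER = bytes(_hdr)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_PE_HEADER
    print(compile_time(blob).isoformat())
```

Run it with a path to any .exe to read the real value; with no argument it reads the constructed header. The stamp is a single little-endian DWORD that any hex editor can rewrite, which is why it should be treated as a hint to be corroborated against other evidence (linker version, imported library versions, resource timestamps) rather than as a fact.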

[Screenshot: Capitalone.exe properties]

What about the threat actor? What do we know about him so far?

During our investigation, we found that the threat actor Strannik, also known as reaktor1488, was selling brute forcing tools targeting several other banks on a criminal forum last April. The price ranged from $60 to $250 depending on the bank.

IOCs:
SHA1(capitalone.exe)= c78612cdf4809c6fd528a7ce8dd7a1b9117a5397
