A bank account brute forcing tool is a small program used by criminals to check whether stolen credentials are still valid against a bank's website. Strictly speaking this is credential stuffing rather than brute forcing: the tool does not guess passwords, it replays known username:password pairs and records which ones log in. All it needs is a text file of credentials in the format username:password.
We found one such program, called CapitalOne Brute and created by Strannik, built to check accounts against CapitalOne bank. It is straightforward to use and has only a few buttons:
Base – List of credentials to use
Proxy – Proxy settings
Start – Start the brute forcing
Stop – Stop the brute forcing
Сбросить (Russian for "Reset") – Reset button
At the bottom, a row of counters keeps the criminal informed of progress:
Source – Number of credentials in the loaded list
Proxy – Proxy list loaded
Good – How many credentials were accepted (valid logins)
Bad – How many were rejected
Error – How many attempts ended in an error
In the center of the window, the program lists the username:password combinations that worked.

The package we found also included a credential list in a text file called 1_mill.user_pass.txt. Despite the name, the file holds 2,310,095 unique username and password combinations, more than twice what the filename suggests.
Upon execution, we observed that the program loaded into memory successfully and that it presents the string "Skype" as its description.
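Checking a claim like "2,310,095 unique combinations" means parsing the dump rather than trusting the filename. The following script, added here as an example and not part of the original analysis or of the tool, inventories a username:password list: it splits each line on the first colon only (so passwords containing colons survive), skips blank and malformed lines, and reports the number of unique pairs and of usernames that appear with more than one password. The sample lines are constructed for the example; none of them come from 1_mill.user_pass.txt.

```python
"""Inventory a username:password combo list the way an analyst would when
sizing a dump such as 1_mill.user_pass.txt: count lines, well-formed pairs,
unique pairs and unique usernames, and flag lines that do not fit the format.
The sample below is constructed for this example, not taken from the real file."""
import collections
import io

# Constructed sample in the tool's username:password format (not real data).
SAMPLE = "\n".join([
    "alice:hunter2",
    "bob:Password1",
    "alice:hunter2",                      # exact duplicate
    "carol:s3cret:with:colons",           # password contains colons
    "   ",                                # blank line
    "malformed-line-without-separator",   # no colon at all
    "dave:",                              # empty password
    "bob:Password1",                      # exact duplicate
    "alice:letmein",                      # same user, second password
]) + "\n"


def parse_combo_list(fp):
    """Return an inventory dict for a username:password list read from a text stream.

    Each non-blank line is split on the FIRST colon only, so passwords may
    themselves contain colons. Lines with no colon or an empty username or
    password are counted as malformed and skipped. Surrounding whitespace is
    preserved on purpose: a trailing space is part of the password as stored.
    """
    stats = {"lines": 0, "blank": 0, "malformed": 0, "pairs": 0}
    seen_pairs = set()
    passwords_by_user = collections.defaultdict(set)
    for raw in fp:
        stats["lines"] += 1
        line = raw.rstrip("\r\n")
        if not line.strip():
            stats["blank"] += 1
            continue
        user, sep, password = line.partition(":")
        if not sep or not user or not password:
            stats["malformed"] += 1
            continue
        stats["pairs"] += 1
        seen_pairs.add((user, password))
        passwords_by_user[user].add(password)
    stats["unique_pairs"] = len(seen_pairs)
    stats["unique_users"] = len(passwords_by_user)
    stats["users_with_multiple_passwords"] = sum(
        1 for pw in passwords_by_user.values() if len(pw) > 1)
    return stats


def inventory_text(text):
    """Inventory a list held in memory (used for the constructed sample)."""
    return parse_combo_list(io.StringIO(text))


def inventory_file(path):
    """Inventory a list on disk; undecodable bytes are replaced rather than fatal,
    since dumps of this kind are rarely clean UTF-8."""
    with open(path, encoding="utf-8", errors="replace") as fp:
        return parse_combo_list(fp)


if __name__ == "__main__":
    for key, value in inventory_text(SAMPLE).items():
        print(f"{key:>30}: {value}")
```

The unique-pair count is the number to quote, as the post does; the raw line count of a dump routinely includes duplicates, blanks and junk, which is presumably how a file named "1_mill" ends up holding over two million distinct pairs.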

The file properties give a creation date of October 11th, 2016, while the compile timestamp extracted from the binary's PE header reads March 27th, 2016. Neither date is reliable on its own: the file system timestamp only records when this copy was written to disk, and the PE compile timestamp is a plain integer that the author can set to any value.
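The compile timestamp comes from the TimeDateStamp field of the PE file's COFF header. The script below, an added example rather than anything from the original post, reads that field directly and builds a minimal PE-shaped byte string to run against, stamped with 2016-03-27 00:00:00 UTC; the date matches the post, the time of day is a placeholder because the post gives only the date. The file name in the usage comment is hypothetical.

```python
"""Read the compile timestamp from a PE file's COFF header. This is the field
analysts mean by "compilation date extracted from the binary"; the linker
writes it and anyone can overwrite it, so it is a hint, not evidence.
The image used below is a constructed minimal header, not the real sample."""
import datetime
import struct


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' at offset 0, e_lfanew (DWORD) at 0x3C pointing at the
    'PE\\0\\0' signature, then the 20-byte COFF header: Machine (WORD),
    NumberOfSections (WORD), TimeDateStamp (DWORD) ... so the stamp sits
    at e_lfanew + 8. Raises ValueError for anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)


def build_fake_pe(stamp, e_lfanew=0x80):
    """Construct a minimal PE-shaped byte string carrying the given stamp.

    Only the fields pe_timestamp() reads are populated; the rest of the COFF
    header is filled with plausible constants (i386 machine type, 3 sections,
    optional-header size 0xE0, characteristics 0x0102). It is not loadable.
    """
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed: 2016-03-27 00:00:00 UTC. The date is the one the post reports
# for the sample; the time of day is a placeholder, not a recovered value.
SAMPLE_STAMP = 1459036800
SAMPLE_IMAGE = build_fake_pe(SAMPLE_STAMP)

if __name__ == "__main__":
    print(pe_timestamp(SAMPLE_IMAGE).isoformat())
    # Against a real file (hypothetical path):
    # with open("capitalone.exe", "rb") as f:
    #     print(pe_timestamp(f.read()).isoformat())
```

Because the stamp is a linker-written 32-bit value with no integrity protection, treat agreement between it and other artefacts (version resource, file system timestamps, forum activity) as corroboration, never as proof of a build date.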

What do we know about the threat actor so far?
During our investigation we found that Strannik, also known as reaktor1488, was selling brute forcing tools targeting several other banks on a criminal forum last April, at prices ranging from $60 to $250 depending on the bank.
IOCs:
SHA1(capitalone.exe)= c78612cdf4809c6fd528a7ce8dd7a1b9117a5397