Security Firm Websense Reveals - Cybercriminal Gang Employs Mevade Botnet to Infect Organisations
Researchers at Websense Security Labs have exposed an extensive cybercrime campaign using the Mevade malware botnet, which is infecting hundreds of organizations.
The attacks, apparently originating from Russia and Ukraine, mainly target the government, business services, manufacturing and transport industries in the US, UK, Canada and India.
Websense identified business services as the biggest target, with 87 attacks on them by the gang, followed by manufacturing with 32 attacks, government with 28 and transport with 27. According to Websense, the healthcare, mining, agriculture, communication, education and retail/trade industries are also infected by the Mevade malware.
eWeek published a statement on 27th October, 2013 quoting Alex Watson, Director of Research for Websense Security Labs, as saying: "the list of targeted industries is interesting as the Mevade malware is focused on generating cash for the botnet operators and it could easily become a data-stealing espionage network."
The investigation revealed that the malware has infected thousands of computers all over the world and is being used to redirect network traffic and to commit click fraud through search-result hijacking.
The firm has found that Mevade has a reverse-proxy capability similar to the Shylock malware, indicating "a very flexible dropper which is well suited to reroute network traffic targeting theft of information and to facilitate lateral movement through target networks and create a network-level backdoor."
Websense said that much of the infrastructure related to the attacks is located in Ukraine and Russia, and that the Mevade malware links this group to a potentially well-financed cybercrime gang operating from Kharkov, Ukraine and Russia.
Interestingly, the attackers are also using Tor to anonymize traffic and encrypted communications to disguise their activities.
Theregister.co.uk published a statement on 25th October, 2013 quoting Jason Hill, Lead Security Researcher at Websense, as saying: "The malware associated with this campaign has been linked with a large spike in TOR traffic which indicates that nefarious parties are taking steps to secure the anonymity of their command and control (C2) infrastructure and themselves."
» SPAMfighter News - 02-11-2013