Cybercrime Roundup: Avalanche

Department of Justice Dismantles International Criminal Cyber Infrastructure

On December 5th, the Department of Justice, alongside numerous other domestic, foreign, and international agencies, announced the success of a combined effort to take down Avalanche, an international computer infrastructure used by cybercriminals in order to facilitate malware attacks and money laundering schemes, among other activities.

In order to dismantle Avalanche, the Department relied on a temporary restraining order in a civil case brought against administers of the Avalanche network, known by the monikers “flux” and “flux2.” The order allowed the government, after seizing control of the malicious domain names and blocking access to them, to redirect the infected computers to servers operated by law enforcement—a process known as “sinkholing.” The malware’s vulnerabilities and the methods used to exploit them remain sealed.

The dismantling of Avalanche highlights the importance of transnational cooperation and coordination in pursuing international cybercrime rings. In 2015, several German banks were attacked with malware and millions of dollars were lost as a result. Upon investigation, German authorities were able identify a worldwide hosting infrastructure, including several servers that were located in Germany. Able to keep surveillance on the network, German authorities began to “map out” the infrastructure of Avalanche, taking note of key details like when servers were cycled out and replaced. The FBI joined the investigation in June of 2015, placing pen registers on half a dozen Avalanche servers located in the United States. Those registers yielded information that helped further map the Avalanche network and supported the work of the German authorities, identifying the location of an Avalanche centralized control server in Canada through observing the flow of significant traffic from servers in the United States to a central unit to the north. According to a joint statement on the takedown, the coordinated, multinational effort began on November 30th. Investigators and prosecutors from more than 40 countries, as well as Europol and Eurojust, were involved in the operation.

Avalanche enabled money laundering through providing a platform for “money mules,” intermediary actors who transferred the proceeds of a crime into a different account or purchased goods with it in order to anonymise the crime. The system also established a means by which criminals could install malware on computers with relative ease while remaining shielded from law enforcement through what advertisements in exclusive online forums touted as a “fast-fluxing bulletproof hosting service.” Fast-fluxing refers to the frequent changing of IP addresses, unique numerical identifiers linked to a particular computer that are associated with a single domain name.

To understand the importance of fast-fluxing, we need to review the specifics of how malware functions. Once a computer became infected with malware, it can be controlled by a remote party without the user’s knowledge or permission, making it a “bot.” (A network of these controlled computers is called a “botnet.”) These bots receive commands and report information to centralized computers called control and command servers. The malware forces the bot to contact certain domain names registered by the attacker, and once connected, the bot is able to receive commands.

This contact with domain names can be forced in several ways. The domain visited can appear non-malicious, as in the case of money mules, which lure victims to seemingly legitimate websites. As for facilitating other ransomware and malware attacks, the list of domains to which the computer will be forced to “call back” is hardcoded into the malware itself. For several families of malware operating on the Avalanche network, the malware was instead coded with a domain generating algorithm (DGA), which computes and continuously runs through a list of domain names in attempts to make contact with the command and control server. Since DGA’s are capable of generating tens of thousands of domain names a day, these algorithms greatly frustrate law enforcement efforts by they making the location of the malicious domain incredibly difficult.

Avalanche made matters even more complex by using a tiered structure, with several layers of servers between the contacted domain and the server belonging to the cybercriminals paying to use the Avalanche network. Then, there’s the fast-fluxing, which rapidly switches IP addresses for a single domain every 300 seconds or so (in comparison, computers typically cache IP addresses for several hours and even up to a day). The Avalanche network employed a “double-flux,” meaning that the servers that held the domain name records also fluxed. This makes tracking cybercriminals increasingly difficult for law enforcement, since the IP addresses used for the crimes are constantly shifting.

The Department of Justice flagged two particular malware programs hosted on Avalanche in its December 5th announcement: Nymain and GozNym.

• Nymain

Avalanche hosted numerous families of malware, including a program called Nymain. According to the complaint in the civil case brought against “flux” and “flux2,” Nymain is a program of the type commonly known as “ransomware”: “a malware that, among other things, encrypts files on a victim’s computer until the victim pays a ransom for a key to decrypt their own files.”

In January 2015, an employee in the district attorney’s office in Allegheny County, Pennsylvania clicked on a link in what appeared to be a government email but was actually a phishing scam that sent the computer to an Avalanche domain name. The domain used an exploit kit—a program that runs a survey of the contacting computer to determine its vulnerabilities and exploits them to gain entry into the computer—to infect the computer with Nymain. A payment of $1,400 in bitcoin, a cryptocurrency, was made to regain access to the files.

While the details have not been announced, Mike Manko, the Allegheny County District Attorney’s Communications Director, released the following statement:

Because this is an ongoing probe by the FBI, it would not be appropriate to comment in depth on specific details. However, I can tell you that the virus used on our office involved a portion of one server affecting a small group of employees. The virus was not invasive, and did not take, download or copy any documents. The virus placed a “lock” on the portion of the server in question preventing that group of employees from being able to access reports and other type of work product. Once we determined the extent of the problem, we referred the situation to the FBI and they were unable to assist us in removing the “lock.” The monetary demand to remove the “lock” was nominal compared to the time that would have been required to re-generate the affected work product.

Prior to releasing that statement, he commented that, “As no cases were compromised as a result of this breach, we consider what happened more of a nuisance than anything else."

• GozNym

GozNym, another malware hosted by Avalanche, was used since January 2016 to target private businesses. GozNym grew from Nymain, which by 2015 was stealing victim’s credentials through keylogging. In order to increase its wire fraud capabilities, Nymain was merged with parts of malware from another family known as Gozi, thus creating GozNym.

GozNym was also transmitted through phishing. Some of the carefully designed emails had hyperlinks that ran exploit kits, while others included malicious attachments that directly downloaded either the GozNym malware or a loader program which then downloaded the malware.

On December 12th, a six-count indictment against Krasimir Nikolov in connection with the GozNym malware was unsealed. Nikolov, a Bulgarian, was arrested on September 8th in Bulgaria and extradited to the United States in early December. He is charged with unauthorized access of a computer to obtain financial information, bank fraud, and criminal conspiracy.

The press release names four western Pennsylvania companies that were infected with GozNym. According to the complaint, Nikolav used GozNym to “capture ... confidential personal and financial information, such as online banking credentials[ ], and then used the captured information [to] access [ ] the victims’ online bank accounts from which funds were stolen through the initiation of unauthorized wire transfers.” All of the victimized companies named in the press release discovered and recalled the wire transfers before the money was stolen.

During the investigation, a PNC employee revealed to the FBI that three separate fraudulent wire transfers had all been initiated by the same IP address. Later, that employee reported that a new IP address was initiating the same type of unauthorized transfers.

A “trusted private security expert” who had previously given the FBI reliable information identified the IP address as an administrative panel used by GozNym actors that went by the monikers “Craft” and “Salvadordali.” Generally, Salvadordali logged in via a virtual private network that hid his IP address. However, he was not always so diligent: on numerous occasions, he logged on via three IP addresses which were traced to an internet service provider (ISP) in Bulgaria. Since ISPs assign IP addresses to their users’ computers, Bulgarian police officers were able to assist in obtaining the subscriber information, which linked Nikolov to all three IP addresses.

When searching his house, Bulgarian police officers and FBI agents discovered that Nikolov’s computer was logged into the administrative panel and was actively targeting banks in the United States. On December 22nd, Nikolov pled not guilty to the charges.

Worried about being an unknowing victim of Avalanche, Nymain, or GozNym? The government has provided links to several scanners to detect the malware.

"Anonymous" Hacker Pleads Guilty

Deric Lostutter, known by the moniker KYAnonymous, pled guilty on November 23rd to one count of conspiring to access a computer without authorization. Lostutter—and his coconspirator Noah McHugh, who pled guilty in September—hacked RollRedRoll.com, a fan page for athletics at Steubenville High School in Steubenville, Ohio.

Lostutter entered himself into the controversy surrounding the sexual assault of a minor by several Steubenville High School football players. Publically linking himself and the takeover of the site to KnightSec, a group within the prominent hacker collective Anonymous, Lostutter hijacked the site by posting the now-infamous picture of the defendants in the sexual assault case carrying an unconscious or limp young woman by her hands and feet, as well as a collection of related and potentially incriminating social media posts by the defendants. In addition, Lostutter threatened to release personal identifying information of the football players, the coaches, and the principal unless all the football players involved came forward and publicly apologized.

Having previously hacked and downloaded all of the contents of the RollRedRoll.com webmaster’s email, Lostutter provided a link where visitors to the website could view the emails in their entirety. Lostutter claimed that the emails contained explicit images that could be child porn and further alleged that the webmaster sent the players to parties with the purpose of taking photos of the young women that the players assaulted, asserting that the players called themselves the “Rape Crew.”

According to the indictment, Lostutter used the takeover of the site to threaten and intimidate those involved with the sexual assault and defame the webmaster. In an anonymous interview about the hack, Lostutter said, “We are the executioners.” In another interview after he was unmasked by the FBI investigation, he stated, “I was just like a pitbull, anything that pissed me off, I was after.”

In his own interview, Noah McHugh stated that the hack was not difficult: he gained access to the website after guessing the password. Lostutter and McHugh used social media to promote the hack, which brought increased national media attention to the sexual assault case. However, the involvement of wider-based hacking-related groups did not end with the website takeover: Occupy Steubenville led ground protests where many protesters wore Guy Fawkes masks, a traditional marker of the Anonymous community. And the group Local Leaks released droves of documents that it claimed were evidence of a larger conspiracy, which included a gambling ring and fingered the prosecutor as involved in covering up the investigation.

Lostutter achieved significant notoriety from the hack, including an interview on AndersonCooper360 and a lengthy piece by Rolling Stone—for which Plan B, Brad Pitt’s production company, has purchased the film rights.

Lostutter also pled guilty to lying to an FBI agent. He is scheduled for sentencing on March 8th and is facing a maximum sentence of five years per count, for a total of ten years at the most.

Minnesota Man Sentenced for Sextortion

On November 29th, Anton Alexander Martynenko was sentenced to 38 years in prison and 15 years supervised release after pleading guilty to producing, distributing, and advertising child pornography. While Martynenko was sentenced under child pornography laws, and made history as the most prolific producer of child pornography ever prosecuted in Minnesota, his criminal activity is more accurately described as sextortion.

Posing as a young woman over social media, Martynenko struck up conversations with underage boys, eventually soliciting explicit images and videos from them. After some victims sent the desired images, Martynenko—again, posing as a young woman—threatened to distribute the images if the boys did not send additional explicit images. His threats were not empty: according to the complaint, Martynenko distributed some of the images on Twitter via anonymous accounts. Once one tweet disappeared (at times due to the victim reporting the tweet to Twitter), a new account would tweet the same image, creating a vicious cycle.

Martynenko also pled guilty to advertising child pornography. According to the plea agreement, he used decoy accounts on Facebook to offer explicit images of the victims by name to other individuals. On one occasion, law enforcement created an undercover Facebook profile, purporting to be a 24-year-old young woman who went to the same high school as the victim. Martynenko’s decoy account messaged the undercover account stating the names of victims that “she” had explicit images of and asked if the undercover account wanted to see them.

His criminal escapades were not limited to the internet. As detailed in the plea agreement, Martynenko—still posing as female—messaged at least two victims on social media and promised that if the victims let the decoy’s male friend (that is, Martynenko) perform sex acts on them, then either the victim’s explicit photos would not be distributed or the victim could have sex with the young woman who Martynenko was pretending to be. On both occasions, Martynenko engaged in sexual activity with known minor victims.

After Martynenko solicited explicit images from a victim, he would methodically catalogue what he received. Law enforcement officers found his digital folders neatly organized by victim’s name, age, and often their high school. Martynenko admitted to receiving images from at least 20 victims, but the government estimates the number of victims at around 178. As for distributing the images, he admitted to doing so at least 50 times, but the government contends that it was over than 1,000. Finally, Martynenko admitted to advertising child pornography at least 50 times, but, once again, the government estimated that he did so over 1,000 times.

This case intertwined with a high-profile missing persons case in Minnesota. On October 22, 1989, 11-year-old Jacob Wetterling was held at gunpoint and kidnapped. Wetterling’s whereabouts remained unknown for the next 26 years. In 2015, Danny Heinrich, a person of interest in the initial investigation, was once again publically named in the investigation into Wetterling’s disappearance.

On October 2th, during a search of Heinrich’s home for evidence of two kidnappings—both Wetterling’s and an unrelated case—officers found child pornography. In an astonishing coincidence, Heinrich was jailed in the cell next to Martynenko at the county jail, where both were being held on child pornography charges. While Martynenko's attorney claimed that Heinrich confessed to Martynenko prior to confessing his role in the sexual assault and murder of Jacob to the prosecutor, the government insists that this never happened. Arguing that he was inflating his role for a more lenient sentence, it claims Martynenko provided Heinrich's bottom line in plea negotiations and non-substantive background information. Either way, Heinrich eventually led law enforcement to the location where Jacob Wetterling’s remains were recovered.

The prosecution recommended a sentence that fell below the Sentencing Guidelines due to the helpful background information provided as well as his guilty plea that spared victims the difficulty of testifying. However, the government insisted that Martynenko never took full responsibility for his crimes, rather he both minimized them and blamed the victims.

Martynenko’s prosecution was brought under Project Safe Childhood, a nationwide initiative by the Department of Justice to combat child sexual exploitation and abuse.

This post has been updated to more accurately reflect the available information regarding Danny Heinrich's ostensible confession to Anton Alexander Martynenko.