Soft2Secure

The Avalanche malware deployment platform taken down

Autumn 2016 didn’t end well for the international organized cybercrime. The U.S. Department of Justice, the FBI, Europol, Eurojust and Ukraine’s Department of Cyber Police, in collaboration with law enforcement agencies, prosecutors and investigators from 30 countries, zeroed in on a far-flung malware delivery network dubbed “Avalanche”. This well-orchestrated global operation with headquarters in The Hague resulted in the takedown of the distributed cybercriminal infrastructure as of November, 30, with 5 individuals being arrested, 39 servers seized, and more than 800,000 malicious domains blocked or sinkholed.

The Avalanche platform had operated since 2009. It provided cybercrooks with a massive, bulletproof cloud-hosting environment applicable for serving malicious software, conducting global phishing campaigns and money mule recruiting. The network played a major role in the distribution of banking Trojans and file-encrypting ransomware for years, with the estimated overall loses amounting to hundreds of millions of euros.

Operation Avalanche flowchart, courtesy of Europol

Some of the notorious malware families whose proliferation relied on Avalanche include ZeuS, SpyEye, Citadel, Goznym, Pandabanker, and TeslaCrypt, with a total of 17 different strains hosted on the platform. The fraud network was used to contaminate over 500,000 computers around the globe within a single day. Furthermore, it allowed malefactors to send out more than 1 million spam emails with malicious attachments per week. One of the reasons why the Avalanche infrastructure was so popular with the threat actors is that it featured a so-called “double fast flux” detection evasion mechanism. This approach made the network highly resilient to takedowns and prevented the law enforcement from tracking down the campaign operators.

Avalanche ring leader arrested, photo courtesy of the Cyber Police of Ukraine

A crucial contribution to the success of Operation Avalanche was made by the law enforcement of Ukraine, with a total of 180 police operatives engaged in the takedown. In an effort coordinated with international partners, representatives of the Prosecutor General’s Office of Ukraine, the state’s National Police and the recently created Cyber Police department searched 40 premises, seized tens of Avalanche servers and made a series of arrests. According to a statement by Ukraine’s law enforcement officials, 3 out of 5 apprehended individuals, including the fraud ring leader, are Ukrainian citizens.

According to seized driving license, the felon’s name is Hennadiy Kapkanov

The organizer of the Avalanche cybercriminal network, Hennadiy Kapkanov, was chased down and arrested in Poltava, сentral Ukraine. The arrest proper was reminiscent of gang movie plots. The suspect attempted to fight back and flee, using the Kalashnikov assault rifle and a rubber-bullet gun. Officers of the KORD special police force unit were able to successfully disarm and apprehend the criminal.

Weapons seized

During a search conducted in Kapkanov’s apartment, the police found and seized computers, flash memory devices, hard drives, directional Wi-Fi antennas, mobile phones, SIM cards of Ukrainian and foreign mobile network operators, financial documents, and $72,000 in cash. The objects seized also include multiple credit cards issued by Ukrainian and foreign banks, as well as several different passports in the arrestee’s name.

The seized cash, credit cards, IDs, financial documentation and more

Operation Avalanche is definitely a big unprecedented win of the international law enforcement over cybercrime. It demonstrates how effective the cooperation of different countries can be in this realm. Now that the malicious global infrastructure of the Avalanche platform has been dismantled, the attack vectors relying on it will discontinue. Although the computers already infected with the associated malware are no longer remotely controlled by the botnet operators, they will continue to be at risk until users completely remove the perpetrating code. No ratings yet.