The Bagsu banker case

Presented at VB2019, Oct. 3, 2019, 3 p.m. (30 minutes).

The carding ecosystem is constantly evolving. The actors have to adapt their methodology in order to continue to steal from the banks with a good cost-effectiveness ratio. To maintain this balance, the carders have moved towards infrastructure-as-a-service, making the analyst's work more and more complex.

Researchers at CSIS Security Group have discovered the infrastructure of a quiet banking trojan actor that has been targeting German users since at least 2014. Our presentation aims to give a technical insight into the whole operation: infrastructure, multi-platform trojans, money laundering schemes, and the recent move towards malware-as-a-service markets like Dreambot, Trickbot, Emotet or even Cobalt Strike.

With this presentation, we want to show how an actor progresses in the carding business, from the development of his own malware to his first million euros stolen.

We aim to show the big picture of the carding ecosystem and discuss the challenges that come with the model.


Presenters:

  • Benoît Ancel - CSIS
    Benoît Ancel is a malware analyst specialized in tracking carder infrastructure. After working as a reverse engineer for six years in France with Stormshield, he is now part of the threat intelligence team of CSIS in Denmark. His research interests include malware hunting, reversing, and tracking money laundering. His latest publications include "Dreambot, Business Overview" and "The Wolf in Sheep's Clothing - Undressed". He spends his free time documenting the history of the profit-driven cybercrime business.
