Group-IB helps bust Southeast Asian cyber fraud syndicate
Group-IB announced its involvement in a joint operation by the Singapore Police Force (SPF), the Hong Kong Police Force (HKPF), and the Royal Malaysia Police (RMP) that dismantled a cyber fraud syndicate. Dubbed Operation DISTANTHILL, the operation culminated in the arrest of cybercriminals responsible for an Android Remote Access Trojan (RAT) campaign. The campaign targeted victims across Southeast Asia, including Singapore, where the police recorded 1,899 cases in 2023, with total losses exceeding USD 25 million.
Group-IB's role in the operation involved extensive investigation, data analysis, and the use of advanced Graph Network Analysis technology. This contributed to identifying the syndicate's network and infrastructure.
Dmitry Volkov, CEO of Group-IB, emphasised the importance of collaboration in tackling global cybersecurity threats: "We are delighted to contribute to Operation DISTANTHILL and the dismantling of the malicious Android Trojan campaign. This successful operation is a testament to the power of collaboration between law enforcement agencies and the private sector in the fight against digital threats."
The HKPF apprehended ten men and four women, aged between 19 and 61, on charges related to fraud and money laundering. The investigation uncovered at least 260 variants of the Remote Access Trojan stored on command and control (C2) servers located in Hong Kong and other Southeast Asian countries. Additionally, on 12 and 13 June 2024, two men in Malaysia, aged 26 and 47, were arrested as the primary culprits behind the cyber-attacks. These individuals were believed to control over 50 servers used in the phishing campaigns.
During the investigation, Group-IB's High-Tech Crimes Investigation unit discovered that the RAT targeted Android users through phishing campaigns. Victims were enticed to download and install fake apps that appeared to offer special prices for goods and food items. Once installed and granted the necessary permissions, the RAT allowed threat actors to capture sensitive data, including personal credentials and SMS-based one-time passwords (OTP) sent by financial institutions. The malware also enabled real-time geolocation tracking and persisted even after the device rebooted.
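The capabilities described above (SMS OTP interception, geolocation tracking, survival across reboots) each require specific Android permissions that a legitimate deals or food-ordering app has no reason to hold together. The following triage script is an added example and not Group-IB's tooling or code from the campaign: it parses an app manifest and flags the permission combination that matches this RAT pattern. The permission identifiers are the standard AOSP names; the manifest itself is a constructed sample.

```python
"""Flag RAT-like permission combinations in an Android manifest.

Added example for this article: constructed illustration, not Group-IB's
tooling and not code from the campaign. The permission names are the real
AOSP identifiers; SAMPLE_FAKE_DEALS_APP is a constructed manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities reported for the RAT, mapped to the permissions that grant them.
CAPABILITIES = {
    "sms_otp_capture": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "geolocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def capabilities_hit(perms: set) -> set:
    """Capabilities whose permission set overlaps the declared permissions."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def risk_assessment(manifest_xml: str) -> dict:
    """Classify a manifest: SMS access plus boot persistence is the core RAT pattern;
    any single capability alone only warrants review."""
    perms = declared_permissions(manifest_xml)
    hit = capabilities_hit(perms)
    if {"sms_otp_capture", "boot_persistence"} <= hit:
        verdict = "suspicious"
    elif hit:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(hit),
        "verdict": verdict,
    }


# Constructed manifest modelled on the fake "special offers" apps in the report.
SAMPLE_FAKE_DEALS_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dealsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed manifest of an ordinary network-only app for comparison.
SAMPLE_BENIGN_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.catalogue">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("fake deals app", SAMPLE_FAKE_DEALS_APP),
                      ("benign app", SAMPLE_BENIGN_APP)):
        print(name, risk_assessment(xml))
```

The check deliberately keys on the combination rather than any single permission: many legitimate apps request location, and some request SMS access, but a store-front app that also registers for boot completion and reads incoming SMS matches the behaviour the investigators describe.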
Group-IB's unit played a critical role by analysing the malware-as-a-service campaign and tracking over 250 phishing web pages used to spread the fake apps. Employing their Graph Network Analysis technology, the company was able to correlate C2 servers from over 100 malware samples, providing comprehensive insights into the syndicate's network infrastructure and operations.
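The correlation step mentioned above, linking many malware samples through the C2 servers they share, is essentially a connected-components problem on a bipartite graph of samples and endpoints. The script below is an added example of that idea and is not Group-IB's Graph Network Analysis product; the sample identifiers, hostnames and addresses are constructed placeholders (the IPs are from documentation ranges).

```python
"""Correlate malware samples through shared C2 infrastructure.

Added example for this article: a constructed illustration of the
graph-analysis idea described in the report, not Group-IB's product.
Sample ids, hostnames and IPs in OBSERVATIONS are invented placeholders.
"""
from collections import defaultdict, deque

# Constructed observations: (sample_id, C2 endpoints the sample was seen contacting)
OBSERVATIONS = [
    ("sample-a1", ["c2-alpha.example", "203.0.113.10"]),
    ("sample-b2", ["203.0.113.10"]),
    ("sample-c3", ["c2-beta.example", "203.0.113.10"]),
    ("sample-d4", ["c2-gamma.example"]),
    ("sample-e5", ["c2-gamma.example", "198.51.100.7"]),
    ("sample-f6", ["c2-delta.example"]),
]


def build_graph(observations):
    """Bipartite adjacency: ('sample', id) <-> ('c2', endpoint)."""
    adj = defaultdict(set)
    for sample, c2s in observations:
        for c2 in c2s:
            adj[("sample", sample)].add(("c2", c2))
            adj[("c2", c2)].add(("sample", sample))
    return adj


def connected_components(adj):
    """Breadth-first search over the whole graph; each component is one
    cluster of samples tied together by shared infrastructure."""
    seen = set()
    components = []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        component = set()
        queue = deque([start])
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(component)
    return components


def infrastructure_clusters(observations):
    """Group samples and C2 endpoints into clusters, largest first."""
    clusters = []
    for component in connected_components(build_graph(observations)):
        clusters.append({
            "samples": sorted(n for kind, n in component if kind == "sample"),
            "c2": sorted(n for kind, n in component if kind == "c2"),
        })
    clusters.sort(key=lambda c: (-len(c["samples"]), c["samples"]))
    return clusters


def pivot_nodes(observations):
    """C2 endpoints contacted by more than one sample: the hubs that join
    otherwise unrelated samples and are the first to block or seize."""
    adj = build_graph(observations)
    return sorted(n for (kind, n), nbs in adj.items()
                  if kind == "c2" and len(nbs) > 1)


if __name__ == "__main__":
    for cluster in infrastructure_clusters(OBSERVATIONS):
        print(cluster)
    print("pivot C2:", pivot_nodes(OBSERVATIONS))
```

On the constructed data this yields three clusters: three samples sharing one IP plus two hostnames, two samples joined by a single hostname, and one isolated sample. The pivot list isolates the endpoints that actually tie samples together, which is the information a takedown or blocklist needs first.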
Chief Inspector CHENG from the HKPF commended the collaborative efforts, stating, "Group-IB's dedication to cybersecurity, as a member of the Cyber Security Action Task Force (CSATF) established by the Hong Kong Police Force (HKPF), reflects the collective effort of both public and private sectors in safeguarding our digital landscape. Group-IB's invaluable contributions exemplify the spirit of cooperation essential in this endeavour."
Group-IB is also an APPACT partner of SPF and has been recognised for its contributions to various investigations in recent years. The company has emphasised the importance of public-private partnerships in enhancing global cybersecurity and urged other entities to join efforts to combat cybercrime.