SITUATION
FTI Cybersecurity was retained by a major technology company to investigate a “pay-per-install” (“PPI”) service believed to be associated with the distribution of malware. The aim of the investigation was to disrupt the CryptBot infostealer by taking down a major distribution arm and disabling its Command and Control (C2) infrastructure.
OUR ROLE
FTI Cybersecurity’s primary efforts focused on gathering evidence to identify infrastructure that was currently or historically used in connection with this malware family. To do this, FTI Cybersecurity collected information from a variety of intelligence sources and analyzed malware samples and historical data using industry-leading tools and proprietary techniques. We assisted in the discovery, enumeration, analysis, and investigation of all related botnet operations. This included identifying Trojan distribution techniques, including malvertising, pirated software, and search engine optimization (SEO) poisoning. FTI Cybersecurity was further able to conduct investigations into identified individuals associated with the botnet distribution network.
OUR IMPACT
We provided an expert witness report based on our findings. The client won a temporary restraining order that blocked Internet traffic to the C2 infrastructure used for distributing malware. The individuals involved were named as being primarily responsible for operating the CryptBot malware and a large distribution network.