Joe Stewart, Director of Malware Research at SecureWorks, discovered that a group of Russian hackers used a type of trojan that affected over 378,000 computers. The computers, all part of the same network, were infected via a genuine Microsoft application. Coreflood is the name of the trojan used to steal data from the affected machines, in ways that have never been employed before.
The targeted companies reported a precise interval during which they felt the effects of the attack. SecureWorks observed some "infection events," with hundred of thousands of computers becoming infected on the same day. As trojans cannot spread all by themselves through a network, specialists took into account all the possibilities for that to happen. The team noticed that a Windows administration tool, PsExec, was used to infect all the computers in a network whose owners had domain administrator privileges. ie1823en.exe was then launched on every affected system.
The hackers, who were identified as being Russians, mostly used Coreflood to get information on bank accounts. They also had access to computers from major institutions, which means they could have gotten their hands on even more important data than previously estimated. Also, the hijackers had another advantage over the people and the institutions they attacked: Coreflood allowed them to get account details without having to log in, because the malicious software has the ability to read screen information. This is one of the reasons that make Coreflood so dangerous. Because of the free access to all data stored on a computer, investigators don't know yet the exact extent of incurred damages.
One of the most affected people was Joe Lopez, a businessman who lost $20,000 when this amount was withdrawn by an unauthorized person. After discovering that the money was missing, he also learned that his computer was infected with the trojan. Joe Stewart stated for the New York Times that the situation was under investigation and that, for this very reason, he could not give explicit details about the case.
Stewart also revealed that, while translating some blog posts that allegedly belonged to one of the members of the group of hackers, he found out that another one of them was dead. However, he also emphasized that, no matter the difficulties these hackers might come across, their illicit activity is still being carried on.