Money Laundering 101, and why Joe is worried

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of the things I learned early on in cyber security is that crime does, in fact, pay. It can pay very well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that cryptocurrency with no questions asked.

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less-than-reputable financial practices, in the U.S. and in other countries to inject ill-gotten money into a legitimate banking system where they could access the funds.

This is called money laundering, and it is at the heart of every successful organized crime group. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.

  1. Placement: You need to get your money into the financial system(s). 
  2. Layering: You need to move the money around so it’s harder to trace and to link it to the crime.  
  3. Integration: Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. It seems more and more businesses now accept cryptocurrency as a direct means of payment.

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is fantastic for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime if you can’t do anything with them?

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

The one big thing 

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails are just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat-and-mouse game against adversaries. It goes to show that threat actors are always innovating neat tricks to exploit victims.

Why do I care? 

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

So now what? 

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

Top security headlines of the week 

Airport outages: Malaysia PM says country rejected $10 million ransom demand (The Record)

Satellites! I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

One-click phishing attacks: Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading)

Can’t get enough Talos? 

  • Patch Tuesday was a doozy this time. Check out our blog post here.
  • Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

Upcoming events where you can find Talos 

  • RSA (April 28 – May 1, 2025) San Francisco, CA 
  • PIVOTcon (May 7 – 9) Malaga, Spain 
  • CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
  • Cisco Live U.S. (June 8 – 12, 2022) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

