Researchers at security firm Fox-IT recently published a detailed report analyzing the Pobelka botnet.
"Pobelka was outed in late December and discovered to be spreading the Citadel Trojan to harvest credentials, largely from online banking customers in Germany and Holland," writes Threatpost's Michael Mimoso. "While stolen credentials are gaining considerable value for attackers, particularly those involved in APT-style, state-sponsored attacks, Pobelka was exclusively a financial botnet, raiding online bank accounts and stealing credit card information."
"The attacker, using the handle 'Finist,' originally started the campaigns relying on a server-based attack kit known as the 'Bentpanel,' where he even left his email address within the command and control interface in order to receive notifications for the successfully stolen account/bank credentials," writes ZDNet's Dancho Danchev. "He then started using the Black Hole Exploit Kit in an attempt to convert all the Dutch and German traffic he was buying into crimeware-infected hosts, by dropping SpyEye and Citadel variants on the affected hosts."
"The researchers believe that Finist sells the stolen information to the highest bidder, and occasionally uses stolen banking information to steal money," writes Help Net Security's Zeljka Zorz. "At one time, Finist even employed money mules to get to the money he transferred to accounts set up specifically for this purpose."