Want to Kickstart a Hacktivist Campaign – Click Here!

We are currently witnessing a new phenomenon of popular uprising against governments in some post-Soviet Union countries. More and more citizens are forming active groups to protest against government corruption, the licentiousness of officials and government policy on various issues. Alongside these opposition groups in the physical world, anti-government campaigns and the struggle for human rights and democracy, we have identified a similar struggle in the realm of cyberspace.

The Anonymous Russia group regularly publishes leaked data from the hacked databases of buyers of elite watches and luxury housing in various Russian cities. These consumers include numerous state officials. The group additionally hacks the email conversations of Russian officials, thus stealing other sensitive information regarding government policy and actions. This information typically includes personal information regarding the victim – passport numbers, telephone numbers, addresses, etc.

Private residence plans of the sales director of the Russian energy company OAO "Ульяновскэнерго"; the information was leaked by Anonymous Russia

Private residence plans of the sales director of the Russian energy company OAO “Ульяновскэнерго”; the information was leaked by Anonymous Russia

In light of the ongoing conflict between Russia and Ukraine, more and more hacktivist groups are taking action against Russian policy in Ukraine. Anonymous Russia claims it is exposing information regarding the presence of Russian fighters on Ukrainian soil, to raise public awareness of Russian Government policy. The information includes official documents and leaked emails. Beside the Russian government itself, the group is targeting organizations that support Russian policy, as well as those not actively opposing it. Thus, during operation #OpCrimea (#ОПКРЫМ), Russian hackers stole a database that included the personal information of people from Kerch – a city in eastern Crimea – “Because they have not defended their city and they have sold out to Putin.”

A post regarding the database leak during #OpCrimea

A post regarding the database leak during #OpCrimea

On the group’s official website, you can ask for help from Anonymous Russia, report any illegal activities by officials in your region, offer your help, or support the project. The team accepts financial support for the project and gladly converts any monetary contributions to Yandex, WMR or WMZ wallets.

Details of money transfer to Anonymous Russia

Details of money transfer to Anonymous Russia

Many activists groups fundraise for “justified activity.” Such actions encompass a variety of fields – hacktivist, jihadi and other groups united by certain causes. These groups are usually totally dependent on their supporters for funds.

A new trend dubbed crowdfunding in the field of fundraising has become very popular among NGO organizations, artists and other social projects. Crowdfunding is a new method of commerce and patronage. This is not an investment or a loan of any kind and the fundraisers usually state the purpose of the project. People who are interested in supporting such a project are welcome to donate whatever sum they wish.

gius

Crowdfunding post by Anonymous Ukraine

We have not seen the Crowdfunding fundraising method before now in cyberspace. Recently, the Anonymous Ukraine group posted a request for help on the popular Russian-language social network VKontakte. The group acts against the Russian government, the Ukrainian opposition and organizations and media that support pro-Russian policy in Ukraine. Their main activity vector is DDoS attacks on media websites. Alongside their successes, there are many failed attempts. Notwithstanding, the group appealed for financial help from supporters to purchase a botnet that purportedly increases the effectiveness of attacks. For this purpose, Anonymous Ukraine used Crowdfunding to raise 1200 Ukrainian Hryvnia (UAH).

 

Gods, Monsters and Pandas – Threats Lurking in the Cyber Realm

With new viruses constantly being developed and new groups being formed all the time, hackers should use their creative minds to come up with original names to distinguish their tools/group from the rest. While some names are rather trite and corny, others are more amusing and curious. Generally speaking, the names usually fall under one of about ten categories. Here are a few examples:

The following are some elaborations on specific names:

Torshammer666: Thor’s hammer, or Mjölnir in Norse mythology, is depicted as one of the most powerful weapons, forged by the skillful hands of the dwarves. However, it seems that one Nordic god was not enough for this specific hacker, so he walked the extra mile and added the ominous number 666 to the tool name, to create an intimidating effect stemming from the thought of a Nordic-Satanic-almighty-weapon.

Fallaga: The famous Tunisian hacker group Fallaga is named after the anti-colonial movement that fought for the independence of Tunisia (there were also Fallaga warriors in Algeria). The character in the group’s logo resembles the original Fallaga fighters.

熊猫烧香 (Panda Burning Incense) – Everybody loves those adorable, chubby, harmless bears called Pandas! They are native to China, and serve as its national animal and mascot. As such, it is no wonder that panda-themed characters and cartoons figure extensively in China in various contexts, often symbolically representing China internationally. And now the pandas have even invaded the virus realm! In 2006-2007 the 熊猫烧香 virus infected millions of computers throughout China and led to the first-ever arrests in the country under virus-spreading charges. The ultimate goal of the virus was to install password-stealing Trojans, but it was its manifestation on the victim’s device that attracted a lot of attention: the virus replaced all infected files icons with a cute image of a panda holding three incense sticks in its hands, hence the name “Panda Burning Incense.”

Bozok (Turkish) – It may refer to one of the two branches (along with Üçok) in Turkish and Turkic legendary history from which three sons of Oghuz Khan (Günhan, Ayhan, and Yıldızhan) and their 12 clans are traced (from Wikipedia.)

推杆熊猫 (Putter Panda, putter=golf stick) – Another Panda-themed name. It is widely recognized that golf is the sport of white collar professionals, usually those on the upper end of the salary ladder. That is why, when these prominent figures travel abroad to a convention or on a business trip (and engage in semi-business/semi-pleasure golf activities), they are sometimes subjected to sophisticated hacker attacks, usually initiated by their host country, as suspected in the case of Putter Panda and its ties with the Chinese government.

As you read these lines, more tools are being written, and we can expect to continue to see more intriguing names. The Chinese idiom 卧虎藏龙 (literally: “crouching tiger, hidden dragon”), which was the inspiration for the successful namesake movie, nowadays actually means “hidden, undiscovered talents.” Maybe it is time the gifted tigers and dragons of the hacker community climbed out of their dark caves, stopped performing illegal activities, and put their pooled talents (be they computing or copywriting) to good use?

 

Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground

Written by Tanya Koyfman

Instead of spending days and nights coding, crypting and modifying the malware to avoid AV detection, the underground market offers to sign it by a digital certificate issued for a legitimate entity.

While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.

The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.

The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale in exchange for almost $1000. According to the seller, the certificate can be used to sign exe files. Forum members who are interested in purchasing are requested to connect via Jabber (an instant messaging service based on XMPP protocol, highly popular among Russian cybercriminals).

The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was a demand he could get his hands on also driver signing certificates.

The thread also included feedback messages from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a specific malware infection. In a case of a mass distribution of malware programs, the certificate would be cancelled within days.

During the forum discussion, the seller mentioned that signing an exe file by certificate helped avoid detection by all AV pro-active detection mechanisms, except for one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).

To date, after almost two months of sales, at least 7-10 certificates have been sold (providing a profit of $10,000 for the seller).

The first message regarding the sale of the certificates

The first message regarding the sale of the certificates

Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CA) in the world, the above case is probably only the tip of a slippery slope. We may soon witness an increase in malware distribution attacks based on using genuine code signing certificates. The $1,000 paid for the certificates is an incredibly low price for the hacker to pay, compared to the large sums of money he can earn using these certificates in his attacks. While we do not know the precise origin of the certificates (a breach in an organization that purchases certificates, a breach in a reseller supplying the CA certificates or simply an “illegal” reselling or legally purchased certificates), the volume of certificates that the seller is supplying is reminiscent of the DigiNotar case.

The Case of DigiNotar (July-August 2011)

DigiNotar was a Dutch Certificate Authority company owned by VASCO Data Security International. DigiNotar went bankrupt following a security breach that resulted in the fraudulent issuing of CA certificates on September 3, 2011. DigiNotar hosted a number of CA’s and issued certificates including default SSL certificates, Qualified Certificates and ‘PKIoverheid’ – government accredited certificates.

In August 2011, a rogue certificate for *.google.com signed by DigiNotar was revoked by several Internet user browsers in Iran. Fox-IT conducted an investigation of the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 requests to google.com with IPs originating from Iran that used the rogue certificate before it was revoked. The attack lasted nearly six weeks.

The compromised IP users might have had their emails intercepted, and their login cookie could have been intercepted making the attacker able to enter their Gmail accounts and all other services offered by Google. Having access to the e-mail account, the attacker is also able to reset passwords of other services with the lost password button. Fox-IT further examined the hacking tools and found some of them to be amateurish and some very advanced, some were published hacking tools and some specifically developed.

Anonymous versus ISIS

Alongside the war being waged against ISIS in Iraq and Syria, there is another battle front against ISIS in cyber space. Anonymous has declared war against ISIS platforms, to destroy ISIS propaganda and influence throughout the web. Anonymous supporters and opponents of ISIS are using social networks to spread their message. The following is a short summary of Anonymous efforts to block ISIS ideology on Facebook, Twitter and YouTube:
On October 4, 2014, a cyber-campaign was launched against ISIS. 110 Facebook users joined the event page that was created to organize DDoS attacks against websites affiliated with ISIS.

Event Page against ISIS

Event Page against ISIS

However, a more potent campaign against ISIS and its supporters is running on Twitter and Facebook, under the hashtags #OpIceISIS and #No2ISIS. There is also a Twitter account named Operation Ice ISIS.

There is also another anti-ISIS campaign on Twitter calling for an ISIS Media Blackout. The most active Twitter account in this operation named Bomb Islamic State.

Some tweets say that supporting ISIS is like supporting Assad or even Israel.

It should be noted that we also found an anti-ISIS group on the Darknet. The founder of the group, that has 32 members, invited all who wishes to eradicate ISIS to join the group.

ISIS in Cyber Space

We tried to search for ISIS cyber forces, if there is such thing, and we found some evidence on Twitter indicating the existence of an Islamic State Electronic Brigades. These brigades also have a YouTube channel and chat room. Here you can see a screenshot of an image in Arabic announcing that ISIS Electronic Brigades hacked the Twitter account @SawaTblanc.

Furthermore, the trend to support ISIS among hackers from the Muslim world is becoming more popular by the day. On Facebook, you can find many hacker groups affiliated with ISIS, such as the Army of the Electronic Islamic State that has 146 members. This group tried to launch a cyber-campaign against Arab TV Channels on September 27, 2014. There is another Facebook group that gives hacking lessons to ISIS supporters. Moreover, a Twitter account named Lizard Squad claimed that he uploaded an ISIS flag to Sony servers.

It should be noted that there can sometimes be conflicts among Arab hacker groups affiliated with Anonymous that also support the ISIS agenda, such as Anonymous Official Arabe, who posted on its Facebook page that they would not hack ISIS websites, despite their Anonymous affiliation.In conclusion, our examples show that ISIS has a presence in cyber space but there is also high motivation to hack their platforms to delete their spreading influence.

After Intimidating Humankind Around the World, the Ebola Virus is now Threatening the Cyber Arena

It is a well-known fact that hackers can be very creative, not only when writing malicious code, but also when bestowing a name on their creation or connecting it to some sensational subject.

This time, inspired by the outbreak of the Ebola epidemic in Africa, the authors of the ransomware discussed below coded it to change filenames on the infected computer into a string containing the word “Ebola”. Let us take a deeper look at this new malware.

We first encountered the malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that infected his computer.

According to his description, he received the malware via an email message that contained a link. Clicking the link initiated the downloading of an .RAR archive that DOES NOT pop-up an AV alert. After unzipping the archive, all the files on the PC (extensions: PDF, DOC, DOCX, XLS, XLSX, JPG, DWG) became encrypted and their names were changed to *id-*help@antivirusebola.com. The shared folders were also encrypted and access denied. To recover the contents of the PC, the victim had to send an email to the address help[at]antivirusebola.com, and was subsequently instructed to pay 1 Bitcoin (approximately US$380) to a given address.

Further investigation on the Russian-speaking web revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent via an email message, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security firm forums (such as Kaspersky, Symantec and Dr.Web), but no solution to decrypting the files was found.

According to the Russian security company Dr.Web, the malware, now called “the Ebola Virus,” firstly appeared on August 20. The same ransomware has been distributed since August 7, albeit in a slightly different format – the file names were changed to id-*_decrypt@india.com or id-*_com@darkweider.com). All three versions are probably variants of the same malware identified by Dr.Web as Trojan.Encoder.741, and coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer and uses the algorithm AES-128 for encryption.

A closer look at the sample revealed the IP address of the C&C server – 31.220.2.150 – which belongs to a company called KODDOS, registered in Hong Kong (offering Offshore hosting and DDoS protection). The network is generated over HTTP – the infected machine sends out a unique string, probably the UID of the infected machine.

The post in VKontakte

It is important to note that to date, the malware is largely unrecognized by AV vendors. (The detection rate varies for different samples on VirusTotal - the highest is 15/55.)

Another Phish in the Sea

The rise in scamming campaigns has become a focal issue for the InfoSec world in recent years. More and more attacks have been targeting everyone from large corporates, by using specific techniques “tailored” for the target, to simple users, by spreading it to anyone available. The platforms from which the malware is spread vary from standard email messages and social networks to more complicated SMS scams.

We will attempt to describe herein the basic steps to take to determine if a suspicious email, text message or Facebook post is actually malicious – in order to stay safe from falling victim, while still being able to keep up with the latest 9GAG spam.

Source Identity

When receiving a new email or text message, check who the sender is. If the message comes from an unknown person – a source you are not expecting contact from or a strange looking email name – do not open it! Browsing social networks like Twitter can also lead you to malicious actors that will try to lure innocents and curious people.

One such example is a reservation email scam that “accidentally” sends a room reservation email to you instead of the hotel manager. The email has an attachment, purportedly containing a list of special requirements for the guests, which turns out to be a malicious element that downloads additional executable malware.

Another Phish in the Sea_1

Content

We have all heard the joke about receiving a scam email from a Nigerian prince, where the victim is asked to provide their bank account details in order to receive a large sum of money, but reality is not so far off. Attackers use sophisticated techniques to capture your attention, be it by intimidation, exploiting the latest trending topic or informing you of a transaction.

The recent iCloud hacking leak scandal has been a hot topic on the Internet, and the phishing attacks soon followed. The tweet, which tries to grab your attention by sharing a link to the alleged nude video of Jennifer Laurence, redirects visitors to a download page for a video converter. Of course, the downloaded file turned out to be adware, not to mention the fact that it forces its victims to share the malicious site on their Facebook profiles.

Another Phish in the Sea_2

Grammar

I believe that the easiest way to observe that something about a message of any kind is wrong is bad grammar. Foreign scammers who are not fluent in target audience languages encounter a barrier that they try to bypass by using online translators or just trying their luck at translating the message on their own. A poorly written letter from a formal organization or a shifty looking website should definitely raise a red flag.

Another Phish in the Sea_3

Links

Apart from the content itself, the message might also contain links. The URL that appears in the text might seem legitimate, but it is important to get a closer look at the domain name, in addition to ‘hovering’ over the link with a mouse to see if the actual web address is compatible with the one presented to you (for other fake-link-finding techniques, see our previous post).

Let’s say you received an email from the human resources department in your company – Sounds like a legitimate item to open. But what if it contains a link to download CryptoWall ransomware? In this particular situation, it is very difficult to distinguish whether this is phishing scam, but by taking a closer look at the shared link, you can notice if it redirects you to a gaming website and forces you to download a suspicious ZIP file that contains the malware.

Another Phish in the Sea_4

Attachments

Some scammers direct you to open files attached to their message. They might appear legitimate because they are Word or ZIP files, but they end up being disguised malware. Be aware of attachments you are not expecting to receive, especially executable files like .EXE, .PIF, .JAR, .BAT and .REG.

Curiosity killed the cat, and apparently also some people’s computers. An innocent-looking email suggesting that you view someone’s new photo contains an attachment called photo.zip, which unfortunately does not contain an attractive person’s selfie, but rather a Zbot Trojan.

And just like the old Japanese saying goes “Attack a man with a phish and you’ll scam him for a day; Teach a man to phish and you keep him safe for a lifetime.”

Another Phish in the Sea_5

Hacker Idol

The cyber world is anxiously awaiting the next big event and you can feel the buzz in the air since the Anon Official Arab hacker group announced their survey of the “Best Hacker Group in the Arab World for Year 2014″. People have been asked to vote for the best hacker group according to its achievements during 2014. The survey will be available to the public for 48 hours, after which time the organizers will announce the winners.

The Survey

The Survey

The nominees for the title “Best Hacker Group” are Anonymous, AnonGhost, Gaza Hacker Team, Fallaga, Moroccan Kingdom and Moroccan Islamic Union Mail. All are very popular groups with undisguised agendas against Israel, the U.S. and other governments around the world.
We have already voted for our favorite group. Have you? :)