PARIS LA DÉFENSE–(BUSINESS WIRE)–Powered by the cutting-edge technologies and products of Thales and Verint, the two companies are pleased to present The Cyberthreat Handbook, a report of unprecedented scope designed to provide a classification and basis for further investigation of major groups of cyberattackers, including cybercriminals, cyberterrorists, hacktivist groups and state-sponsored hackers. As part of their strategic partnership to create comprehensive, state-of-the-art Cyber Threat Intelligence technologies, threat intelligence analysts from Thales and Verint have worked together to provide this unique 360° view of the cyberthreat landscape, with detailed descriptions of the activities of about sixty particularly significant groups, including their tactics and techniques, their motives and the sectors they target, drawn from analysis of multiple data sources such as web and threat intelligence.
At the beginning of July 2019, we detected that a threat actor dubbed mobeebom created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4, on a prominent English hacking forum.
Quick research revealed that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, which led us to assess with high confidence that he is an Arabic speaker. The poor English in his posts reinforced this assessment. His activity on the prominent English hacking forum we monitor sparked our curiosity, and we decided to take a closer look.
NEW ANDROID RAT?
MobiHok is a RAT coded in Visual Basic .NET and Android Studio that enables full control of the infected device, with extensive capabilities. This latest release of the malware presents new features, such as a bypass of the Facebook authentication mechanism.
The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from research we conducted into mobeebom’s activity in the underground communities, and from the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.
The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.
A DEEPER DIVE INTO MOBIHOK V4
The threat actor has been promoting the malware on multiple outlets (including a dedicated Facebook page and a YouTube channel) since January 2019.
Mobeebom also runs a website on which it is possible to purchase the RAT in a variety of options, including the possibility of acquiring the entire source code for US$15,000. According to the screenshots displayed on the website, the malware features the following capabilities:
Control of the files
Control of the camera
Control of the SMS
Control of the contacts
Control of the apps
Control of the account/phone settings
Bypass of Samsung security mechanisms
Bypass of Google Play security mechanisms
No “rooted” device required
The RAT can be bound to another APK app
To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new, and his declared intention to make it the top Android RAT on the market, this malware appears to be based on the leaked source code of the known SpyNote Android RAT with only minor changes, and is being resold by the threat actor under a different name.
In the past few years we have witnessed a growing number of significant data breaches.
The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.
4,812,840,627 – Total Leaked Records In 2018
1,925,136,251 – Unique Records
24,224,940 – Organizations
53% of all leaked data comes from .com domains
Distribution of “Combo Lists” is the key trend in the 2018 data leaks
Leaked records by region:
APAC – 1.5B records
EMEA – 728M records
LATAM – 34M records
THE ANALYSIS PROCESS
In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activity on the Dark Web, in closed hacking communities and in other sources to uncover indicators of breaches and data leaks.
In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.
Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example the increasing distribution of “Combo Lists”, the demand for region-specific leaks, and the countries with the most leaked government data.
ANALYSIS OF EXPLOITATION METHODS
The report also shares the hackers’ perspective, reviewing the most popular ways hackers exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email-based attacks. This information is valuable because it helps organizations prioritize risk and improve their resilience and readiness against these attack methods.
THE BIGGEST DATA BREACHES OF 2018
In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.
In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).
Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials and other data leaked over the years by a variety of actors (hacktivists, APTs, etc.).
On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed to have hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits over the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom, and has already published batches of the leaked material after creating a public auction system in which anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”
PyLocky is a new ransomware strain that was detected in the wild in late July 2018 and whose volume of infections increased throughout August. The malware is usually distributed through malspam emails claiming to link to a fake payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry data shows that PyLocky mainly targeted French and German cyberspace, but ransom notes also exist in Italian and Korean.
On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention. However, the paste was viewed by over 2,500 users. Therefore, our assessment is that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future. Continue reading “PyLocky Ransomware Source Code Leaked Online”
On July 6, 2018, a post claiming to contain the source code of the Carbanak group’s malware was published on a Russian-speaking underground forum. Soon after the code was shared on the Russian underground, an unknown actor uploaded it to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered that the malware is not one used by the Carbanak group, but rather the Ratopak/Pegasus spyware used in attacks against Russian banks in 2016. Continue reading “Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked”