Written by Hila Marudi and Tanya Koyfman
As the saying goes, bad habits can be contagious… Our experience shows that expertise in illegal fields and sophisticated methods developed to break the law are traits shared among criminals that sometimes find their way across the globe, between places located thousands of miles apart from each other.
Many instances of this phenomenon can be seen in the sphere of physical threats. Weapons and techniques that evolve in one conflict zone and are proven efficient are quickly transmitted to other battlefields and adopted by other terror organizations with totally different agendas to the original one. For instance, our colleagues that trace developments in the physical world recently noticed that explosive “suicide” belts (PBIEDs) that were first deployed in the Caucasus region have found their way into the Syrian conflict, and further afield, into Iraq. These devices are likely intended for use by militants who may choose to initiate the device as a last resort when cornered, thus taking out their adversaries with them.
The cyber battlefield is no exception. Web platforms are used to share information and knowledge, often overcoming language obstacles. Once a hacker manages to code an efficient malware or to reveal a crucial vulnerability, we should not be surprised to find it has soon spread on forums associated with groups that totally differ in agenda and motive. This time we wish to focus on the exchange of capabilities between Russian cyber-criminalists and Arab hackers and hacktivists.
We recently identified discussions on Arab hacker forums about tools developed by their colleagues around the world. For example, on Dev-Point, an Arab forum that deals with programming and penetration testing, one member published a thread about a DDoS tool with a Russian interface named Dirt Jumper. We continued to follow the research into this tool in Arabic and found another message on a hacking forum named v4-team, asking for links to Dirt Jumper.
This malware was already recognized on the Russian underground in 2011, where it was sold for $600 on closed Russian forums. Later, its files were leaked on one of these forums, and today it can be downloaded at no charge. We can only guess at how it “travelled” from a closed Russian forum to an Arabic one, but obviously it took a while.
This exchange of abilities has also been witnessed in the opposite direction. The LostDoor RAT is a popular malware found on Russian forums. Links for downloading versions of the malware are periodically posted on several platforms and discussions about its abilities are held. A deeper investigation of this malware revealed its origins to be Tunisian, owing to the fact that it is displayed on different platforms as the first Tunisian RAT tool.
LostDoor is a product by a company named Hackers®Insides Inc. and its developer is a Tunisian computer specialist nicknamed Unique Oussamio. He often uploads links to new versions of his tool via Twitter, Facebook and a dedicated blog.
Apparently, Oussamio has ties to hacktivism, as he uploaded pictures of himself wearing an Anonymous mask. This may indicate a trend, when malware developed by hacktivists spreads into the cyber-crime world.
To conclude, in the hacker world it does not matter where the malware originates. Northern Africa or Eastern Europe – the only thing that matters is its efficiency. If it can cause enough damage, it will find a way to reach the “right hands” (and shortly afterwards your computer).
SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.