Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai

The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into Continue reading “Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai”

Office 365 Administrator Accounts Traded on the Darknet

In early September 2016, a new advertisement appeared on various Darknet platforms, promoting a new hidden service. The service, dubbed Open Hacking Lab (OHL), offers three categories of products: hacking tools and resources, hacked credentials and services. While numerous hidden services on the Darknet sell hacked credentials, this is the first time we have observed the sale of administrator credentials for Office 365 accounts.

hacking-lab
Screenshot of the Open Hacking Lab platform

Microsoft Office 365 is a software package that includes cloud services, sold to corporates and private customers. The organizational package includes email, storage, social network, SharePoint and other services provided via cloud. Acquiring administrator’s access to organization that use Office 365 will provide a potential attacker with access to sensitive organizational information and may even lead to the threat actor gaining full control over the organization network.

Currently, 12 accounts are being offered for sale, with prices ranging from $15 for a logistics company account to $100 for a law firm. For each company, the seller provides a short description of the company, its country of origin, and which data the buyer will gain access to. Eight of these companies are based in the U.S., two in Europe and two in Canada.

office-365-darknet
Office 365 accounts for sale on a Darknet platform

The operator of the hidden service is a well-known actor in several communities on the Darknet; he is considered credible and he possesses high technical skills. The hidden service owner also runs a Twitter account dedicated to the service, where he updates about the platform and its products.

#OpClosedMedia: Hacktivists Threaten to Target the Media Sector on September 22, 2016

Hacktivists are threatening to launch #OpClosedMedia, a month-long cyber campaign against websites and platforms of “mainstream media,” on September 22, 2016, for failing to inform the public about the real news.

The campaign’s official target list includes the websites of the BBC, The Daily Mail, The Independent, Reuters, Channel One (Russia) and others.

opclosedmedia
#OpClosedMedia – September 22, 2016

Thus far, participants have claimed responsibility for hacking several websites related to the media sector from around the world, but they also claimed to have hacked other websites with a loose connection to this sector.

Calls to launch attacks against media outlets on September 22, 2016
Calls to launch attacks against media outlets on September 22, 2016

This is not the first time that the media sector has been targeted by hacktivists. In June 2016, the Ghost Squad Hackers group launched the #OpSilence campaign against prominent news agencies, such as Fox News and CNN, protesting against what they called the “silence and lies” regarding the Palestinian situation. However, it seems that the Ghost Squad Hackers are not involved in this campaign.

In conclusion, popular news platforms and the media sector in general are targeted by hacktivists who wish to shut them down. Only time will tell if they will succeed or not.

#OpIcarus – a War against the Global Financial Sector

During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.

Platforms

The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.

From the #OpIcarus IRC Channel

Attacks and Tools

According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks websites were actually offline, due to the participant DDoS attacks, but we wish to point out several incidents that caught our attention.

A member of the Ghost Squad Hackers group dubbed s1ege took responsibly for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.

Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England
Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England

In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.

Chase Bank's technical support tweeted about a problem with their ATMs
Chase Bank’s technical support tweeted about a problem with their ATMs
Ghost Squad Hackers claim that Chase ATMs were hacked during #OpIcarus
Ghost Squad Hackers claimed that Chase ATMs were hacked during #OpIcarus

Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.

A member of Ghost Squad Hackers claimed they hacked a website related to the NYSE
The NYSE announced that they had a technical issue that affected their daily activity
The NYSE announced that they had a technical issue that affected their daily activity

With regard to the attack tools, the participants used a variety of DDoS, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers that require payment and registration. In addition, the New World Hackers (NWH) team that took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.

A call to use Booters on an #OpIcarus event page
A call to use Booters on an #OpIcarus event page

This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites protesting corruption and other issues. It is possible that the initiators will decide to engage an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

#OpIsrael 2016 – Intelligence Review

The #OpIsrael campaign has been repeated every year since 2013. Last year, the campaign failed to achieve his main goals, as the participants did not succeed in carrying out any significant cyber attacks against high-profile targets, such as government or financial websites. They only managed to deface private Israeli websites and leak databases (most of which were recycled from previous campaigns).

This year, we noticed that the number of the expected participants is relatively low – approximately 2,100 Facebook users have expressed a desire to participate in the campaign via dedicated #OpIsrael anti-Israel Facebook event pages. This constitutes half the number of participants that we detected in 2015 (approximately 5,200 Facebook users). There may be several reasons for this low number, one being disappointment from last year’s lack of significant achievements. Another reason could be attention devoted to other factors, such as the cyber campaign against the Islamic State (IS) following the recent terrorist attacks in Brussels.

This year we detected 13 different #OpIsrael event pages – the same number of event pages detected in 2015. The most popular page is one created by two Tunisian hacker groups dubbed Fallaga and Tunisian Cyber Resistance.

picture blog post 1
Fallaga and Tunisian Cyber Resistance #OpIsrael event page

Of note, many participants will join several event pages concurrently. Therefore, the actual number of Facebook users that wish to participate in this year’s campaign is actually less than 2,000. According to our analysis, most of the discussions about the campaign on social media networks are taking place in North Africa (Tunisia in particular) and Southeast Asia (notably in Indonesia).

picture blog post 2

We have identified additional platforms where anti-Israel hacktivists are preparing for the #OpIsrael campaign: closed and secret Facebook groups, Telegram and IRC channels and closed forums. The AnonGhost team has opened two Telegram channels for the purposes of updating and sharing information. In addition, the group has opened a dedicated website for the campaign, but it is offline at present.

We also witnessed an interesting chat on an IRC channel dedicated to #OpIsrael, where one of the conversation participants said that hacktivists affiliated with Anonymous do not have time to participate in the #OpIsrael campaign because they are preoccupied with their cyber war against targets identified with the Islamic State.

picture blog post 3
From a chat on an IRC channel dedicated to #OpIsrael

With regard to the attack vectors, we assume the attackers will attempt to carry out DDoS attacks or leak the databases of small Israeli websites (based on past experience, most of the data leakage will be recycled from previous campaigns). We also believe they will use familiar or self-developed DDoS tools, as well as malware based on njRAT, which is very popular among Arabic-speaking hacktivists.

It is also possible that there will be attempts to infect Israeli end-points with Ransomware via emails with malicious files during this campaign. In most cases, these malicious emails pose as invoices, fax notifications or fake purchase orders to deceive unsuspecting users. Moreover, attackers sometimes spoof an internal email address to alleviate the concerns of potential victims.

Russian Cyber Criminal Underground – 2015: The Prosperity of Ransomware and Office Exploits

The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.

Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact

Russian_underground_final

Is There A New njRAT Out There?

The answer to this question is Yes and No (or Probably Not).

Recently, we noticed a heated debate among Arabic-speaking hackers regarding rumors about a new njRAT version, dubbed v0.8d. Some doubted the credibility of the report, cautioning that the new version was probably a fake that would infect everyone who tried to use it. They also claimed that the original njRAT programmer, njq8, had stopped updating it.

Notwithstanding, there is a tutorial with a download link that shows the features of the new version. The video was published on several YouTube accounts and some of them linked the new version to an unknown hacker called Naseer2012 (whose name is similar to njq8‘s real name). In addition, this new njRAT version has aroused interest among Portuguese-speaking hackers, raising assumptions that the njRAT v0.8d developer is actually “Ajnabi” (foreign in Arabic).

The allegedly new njRAT version piqued our curiosity, so we downloaded it from the tutorial. First, the GUI of the new version closely resembles njRAT v0.7d. In addition, our technical analysis revealed that it belongs to the njRAT malware family, based on its Imphash (hash based on portable executable imports that are the functions of the specific malware) and its network signature.

However, it does not have any unique capabilities that distinguish it from the old 0.7d version. Its capabilities, according to our technical analysis, are keylogging, remote shell, remote desktop, password recovery, registry manager, file manager, remote webcam, microphone control, download & execute and DDoS. Unlike njRAT v0.7d, this malware does not have any security features, other than change icon. It can be spread by USB.

njrat
njRAT v0.8d user interface

Notably, the fact that Naseer2012 thanks njq8 suggests it this not an official upgraded version of the njRAT malware developed by the original programmer.

njrat2
Naseer2012 thanks njq8

Since the source code of the worm version of the famous njRAT malware (Njw0rm) was leaked in May 2013, many hackers have developed new malware under different names with numerous capabilities, security features and propagation protocols. However, they all have a common behavior pattern, since they are based on the same source code. In addition, our technical analysis of different RAT malware samples that we detected during 2015 revealed that almost a dozen of them belong to the njRAT family.

So we can all relax as there is no new official njRAT version, but rather a new GUI and new technical indicators of another njRAT-based malware sample.

The following is a YARA rule based on our technical analysis:

rule njrat_08d
{
meta:
author = “SenseCy”
date = “23-12-2015”
description = “Njrat v0.8d”
sample_filetype = “exe”

strings:
$string0 = “U0VFX01BU0tfTk9aT05FQ0hFQ0tT” wide
$string1 = “netsh firewall delete allowedprogram” wide
$string2 = “netsh firewall add allowedprogram” wide
$string3 = “cmd.exe /k ping 0 & del” wide
$string4 = “&explorer /root,\”%CD%” wide
$string5 = “WScript.Shell” wide
$string6 = “Microsoft.VisualBasic.CompilerServices”
$string7 = “_CorExeMain”
$string8 = { 6d 73 63 6f 72 65 65 2e 64 6c 6c }

condition:
all of them
}

The following are technical indicators of njRAT v0.8d stub files that we created in our technical lab:

MD5: 2c7ab4b9bf505e9aa7205530d3241319
SHA1: 31112340c4f36c7153bef274f217726c75779eaf
MD5: 620c8dc42dcad7d8e72dd17ac2fa06a1
SHA1: d88907822d7d7f14347059ba0b85d9f7d50a6d7a

Brazilian Trojans Poised to Spread around the World

When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.

In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.

Brzail_number_of_attacksCybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil
A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.

Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.

An example for the use of the CPL malware in a phishing email
An example for the use of the CPL malware in a phishing email

The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.