ARE RUSSIAN CYBERCRIMINALS OFFERING HACKING SERVICES IN CHINA ?

On July 27, 2020, a group of threat actors published a post in the advertisement section of a prominent Chinese Darknet marketplace offering hacking services. Hacking-as-a-service offers appear frequently on Chinese underground platforms, and many actors publish these services – accompanied by varying degrees of details – on both Clearnet hacking forums and Darknet marketplaces. However, what makes this offer unique is the identification of the actors, who claim to be Russian.

WHAT INDICATES THAT THE HACKERS ARE REALLY RUSSIAN ?

  1. Several linguistic features suggest the actors are indeed non-native Chinese speakers. First, they use anachronistic vocabulary and terms rarely seen in contemporary Chinese online chatter, which is common on these forums. Two examples are the use of the term 万维网 for “World Wide Web,” and the rare version of the word “hacker” 骇客 (pronounced haike, instead of the commonly used term 黑客, pronounced heike); Second, some sentences are oddly phrased, using a combination of wrong vocabulary and/or unnatural syntax or formulation, giving the impression the text was translated from a foreign language, possibly via a machine-translation tool; Third, there are linguistic inconsistencies in the group’s posts on the forum: whereas most of the posts are written in simplified Chinese characters, used in mainland China, one is written in traditional Chinese characters, used in Taiwan and Hong Kong – this transition by the same writer is very uncommon. Furthermore, different variations of the same word or term are used simultaneously in the same post.
  2. Contact details include several Telegram, QQ and Jabber accounts, with the former two widely used by Chinese cybercriminals and hackers selling their services. However, in addition to those, they also offer their services via Yandex email service, which is rarely used outside of Russia and the former Soviet Union countries, and even less so by Chinese users. This corroborates the assumption that these actors are not Chinese, and may indeed be Russian, as they claim to be.
The post from July 27, offering “high quality hacking services”, as appeared on the Chinese Darknet marketplace. The sentence highlighted in yellow reads: “we come from Russia”. Source: Verint LUMINAR

THE THREAT ACTORS’ OFFERING

The hacking services on offer are listed in more detail in another post by the same threat actors, published on this marketplace on June 15, 2020. The list of services includes:

  • Web penetration and data extraction. The actors state they have mastered the structure and special features of the main database types, such as MySQL, MSSQL, Oracle and PostgreSQL.
  • Obtaining web shells by exploiting major vulnerabilities, such as CMS, WP and Joomla, among others.
  • Cracking of software and encrypted files; secondary packaging and unpacking.
  • Software and source code secondary development.
  • Various web security-related services, such as penetration tests, code design, vulnerability scanning, emergency response, alerts and web security training, among others.
The post from June 15 listing the services this group offers. Unlike other posts by these actors, this post was written in Traditional Chinese characters. Source: Verint LUMINAR

In addition to these two posts offering hacking and web-security services, in two other posts from May and June 2020, these actors also offer for sale, bots for boosting the number of “friends” and “followers” on social media networks, as well as SMS-bombing services and tools.

Finally, in recent months, we have noticed an increasing trend of Chinese threat actors operating on non-Chinese platforms. They typically use their linguistic skills and familiarity with Chinese underground platforms to make easy profits by offering data sold exclusively on Chinese platforms (usually Darknet marketplaces and Telegram groups) on English-language platforms outside China for a higher price. However, it is highly unusual to see non-Chinese actors actively operating on Chinese-language platforms. If the actors’ claim of being Russian is indeed correct, this is a relatively novel and unusual phenomenon worth noting.

WILL THE NEW SHAREPOINT FLAW BECOME AN ACTORS’ FAVORITE?

Attacking SharePoint servers is a popular threat, apparently because in many cases the SharePoint servers are integrated in the Active Directory service. Gaining access to the Active Directory allows attackers to gain a foothold inside the victim’s network. Furthermore, since SharePoint servers are exposed to the internet, attacks can be executed relatively easily. As an example, the CVE-2019-0604 SharePoint vulnerability, disclosed and patched in 2019, has gained popularity among threat actors, who have exploited it in different attacks since it was published. This is particularly true among nation-state actors (such as the Chinese nation-state Emissary Panda group). The vulnerability even became one of the ten most exploited vulnerabilities between 2016 and 2019, according to authorities in the US. Therefore, we estimate the new CVE-2020-1147 SharePoint vulnerability, patched in July 2020, may gain similar popularity among same threat actors, stressing the importance of applying the security update fixing this vulnerability as soon as possible.

CVE-2020-1147:  NEW AND DANGEROUS

During July 2020, Microsoft patched a critical remote code execution vulnerability (CVE-2020-1147) affecting Microsoft SharePoint servers (CSVV score: 7.8).

The vulnerability resides in two .NET components, namely DataSet and DataTable, used for managing data sets, and stems from the fact that the software fails to check the source markup of XML file input. An attacker can exploit the vulnerability by uploading a specially crafted document to a server using a vulnerable product to process content. In addition, the vulnerability also affects the .NET Framework and Visual Studio. Since the vulnerability was disclosed, a security researcher published a technical analysis that includes an explanation on how it works, and demonstrates how even an attacker with low privileges can exploit it to execute code remotely on a vulnerable SharePoint server. Although the researcher did not provide a full PoC exploit code that can be used to deploy an attack, his analysis included a detailed explanation of the different stages required for exploiting the vulnerability, which can be used by potential attackers to build an exploit script. Of note, we observed that the researcher’s analysis was already shared on several Dark Web hacking forums.

A technical analysis regarding the new SharePoint vulnerability (CVE-2020-1147) shared on the Dark Web

Both Microsoft and the researcher emphasized the utmost importance of applying the patch as soon as possible, and stressed that the vulnerability exists in several additional .NET-based applications, and could therefore be exploited against additional products besides SharePoint, so even if an organization does not use SharePoint, it can still be affected by this vulnerability and exposed to attacks.

SHAREPOINT VULNERABILITIES GAIN POPULARITY AMONG NATION STATE ACTORS

The previous CVE-2019-0604 vulnerability in SharePoint allows attackers to execute arbitrary code remotely. The vulnerability stems from a failure to check the source markup of an application package and can be exploited by uploading a specially crafted SharePoint application package to a vulnerable version of SharePoint. The vulnerability was addressed and patched in February 2019.

We identified that mostly Chinese and Iranian state-sponsored groups exploited the previous SharePoint vulnerability (CVE-2019-0604) against multiple sectors around the world, and therefore it is highly possible the same threat actors will exploit the new vulnerability (CVE-2020-1147) as part of future campaigns. Throughout 2019-2020, we identified attacks against North America, Europe, Australia and the Middle East exploiting this vulnerability, targeting mainly government agencies, energy companies, International organizations, and academic institutions.

In May 2019, two different campaigns exploiting this vulnerability were uncovered. The first campaign, which focused on the technological and academic sectors in Canada, exploited the vulnerability to install the known China Chopper WebShell, active since 2012, mostly in the hands of Chinese threat actors. The second campaign, which targeted organizations in Saudi Arabia, also exploited the SharePoint vulnerability to install the China Chopper WebShell on all the folders on the victims’ SharePoint servers, and then distributed additional malware to collect information from the infected network.

Later, researchers discovered that the Chinese APT group Emissary Panda exploited this vulnerability to install WebShells on vulnerable SharePoint servers of government entities in two different Middle Eastern countries.

The researchers found code overlaps between the WebShells installed on the vulnerable SharePoint servers of the government entities in the Middle East and those used in the attacks against Canada and Saudi Arabia.

In December 2019, details emerged about a new data wiper malware named ZeroCleare that targeted the energy and industrial sectors in the Middle East. The malware was apparently developed by two Iranian APT groups – OilRig (also known as APT34) and xHunt (also known as Hive0081.) First, the attackers used brute-force to gain initial access to the targeted network, and then exploited a vulnerability in SharePoint to install different WebShells (such as China Chopper and Tunna) and move laterally across the network and wipe data from the disk. Although the researcher did not disclose the CVE identifier of the vulnerability, due to the similarities between this attack and the campaigns described above, we estimate this is possibly the same vulnerability – CVE-2019-0604. Either way, this attack demonstrates the popularity of SharePoint vulnerabilities among threat actors, and especially nation-state backed actors.

CYBER ATTACKS USING SHAREPOINT FLAWS DURING 2020

Even though this is a vulnerability from 2019, reports about its exploitation continued into 2020. For example, at the end of January 2020, it was reported that the UN offices in Geneva and Vienna had fallen victim to a cyber-attack that affected dozens of their servers and resulted in a data leak. The attack was described as sophisticated, and nation-state threat actors are believed to be behind it. The incident was discovered after an internal UN document was leaked to the press. According to this document, the attackers may have exploited the CVE-2019-0604 vulnerability during the attack.

In April 2020, authorities in the US and Australia issued an advisory warning regarding an increase in the exploitation of vulnerable web servers by malicious actors to install WebShells to gain and maintain access to victims’ networks. The advisory explores the most popular and common vulnerabilities exploited by threat actors to install WebShells, with one being the Microsoft SharePoint CVE-2019-0604 vulnerability. Later, in May 2020, US authorities published an advisory detailing the ten most exploited vulnerabilities between 2016 and 2019, which included the CVE-2019-0604 SharePoint vulnerability.

Finally, in June 2020, Australian authorities published an advisory alerting of an increase in cyber-attacks against Australian companies and government entities, executed by nation-state actors, supposedly from China. According to the advisory, the attackers exploited known remote code execution vulnerabilities affecting Internet-facing systems in an attempt to gain initial access and infect the victims’ network with the PlugX malware, used by multiple Chinese APT groups in the past. One of the vulnerabilities exploited by the attackers for this purpose was the CVE-2019-0604 SharePoint vulnerability.

Finally, we estimate that we will soon witness the new SharePoint vulnerability (CVE-2020-1147) exploited in different cyber-attacks and nation-state campaigns around the world.

GLOBAL RANSOMWARE ATTACKS IN 2020: THE TOP 4 VULNERABILITIES

Our team recently investigated the prominent ransomware attacks reported since the beginning of 2020 in order to draw general conclusions about these attacks and to reveal commonalities between them.  We also wanted to better understand the threat they pose and how to protect against it. While examining approximately 180 different ransomware incidents, we found that the most targeted sectors were Technology (11%), Government (10%), Critical Infrastructure (8.6%), Healthcare and Pharmaceutical (8%), Transportation (7%), Manufacturing (6%), Financial Services (5%) and Education (4%). It was also found that Sodinokibi/REvil, Maze and Ryuk are the most active ransomware strains.

A very interesting finding our investigation uncovered was that the operators behind these ransomware attacks commonly abused four notable vulnerabilities, that will be elaborately discussed in this blog post. This highlights the importance of timely installation of security updates as a defense mechanism to minimize the risk of ransomware and other malware attacks.

Here they are: The four top vulnerabilities abused in 2020 ransomware attacks (ordered from the most abused one):

  • CVE-2019-19781
  • CVE-2019-11510
  • CVE-2012-0158
  • CVE-2018-8453

Let’s take a closer look:

CVE-2019-19781

CVE-2019-19781 Characteristics

The CVE-2019-19781 vulnerability affects remote access appliances manufactured by Citrix, whose products are used by numerous organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later. The vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer.

Since the vulnerability was disclosed, it was successfully exploited by threat actors in a significant number of incidents. In January 2020, security researchers reported the REvil gang leveraged the vulnerability in its attack against the Gedia Automotive Group. No technical details about the attack were disclosed, but from the information published by the attackers, it appears the company used the vulnerable products. The Ragnarok ransomware gang also exploited this vulnerability in January 2020. The attackers exploited the vulnerability to download scripts and scan the targeted system for computers vulnerable to the EternalBlue vulnerability.

In February 2020, the cloud company Bretagne Telecom reportedly suffered a cyber-attack by cybercriminals operating the DopplePaymer ransomware. The DopplePaymer gang stated it carried out the attack in the first half of January 2020, when a fix for the vulnerability had still not been released. This suggests the attackers discovered the vulnerability even earlier. At the end of March 2020, it was reported the MAZE ransomware gang had also leveraged the vulnerability in an attack on the cyber insurer company, Chubb.

In a different incident from the beginning of June 2020, it was reported that the IT services giant, Conduent, had also fallen victim to a MAZE gang ransomware attack. According to reports online, MAZE targeted a Citrix server of the company that was not patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate, Indiabulls, had suffered a cyber-attack carried out by the CLOP ransomware operators. Cyber security company Bad Packets reported that Indiabulls used Citrix NetScaler ADC VPN Gateway, which was vulnerable to CVE 2019-19781. However, the company did not confirm this vulnerability was exploited in the attack. Recently, the New Zealand CERT (CERT NZ) reported that many threat actors are leveraging this vulnerability, and the Nephilim ransomware gang may have also attempted to exploit it.

CVE-2019-11510

CVE-2019-11510 Characteristics

The CVE-2019-11510 vulnerability affects VPN Pulse Secure products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access the logs that contain cached passwords in plain text. Although the vulnerability has already been publicly disclosed for some time now and patched back in April 2020, many organizations have not yet patched it and remain exposed to attacks.

In recent months, the vulnerability was reportedly successfully exploited in a number of ransomware attack incidents. In two incidents, the attackers gained domain admin privileges and used an open-source remote access software, VNC, to perform lateral movement on the targeted network. Then, the attackers turned off security software and infected the system with the REvil ransomware. The most notable ransomware attack affected Travelex at the end of December 2019. The company did not patch its VPN solution, which allowed the REvil ransomware gang to carry out a successful attack that paralyzed the company’s systems for a number of weeks, persisting into 2020.

In another incident reported in April 2020, the IT systems of several hospitals and government entities in the US were infected with an unknown ransomware by nation-state threat actors. In addition, in June 2020, the operators of the Black Kingdom ransomware reportedly attempted to exploit the vulnerability as well.

CVE-2012-0158

CVE-2012-0158 Characteristics

The CVE-2012-0158 is an old vulnerability in Microsoft products, but is still one of the most exploited vulnerabilities in recent years, according to the US CERT. In December 2019, our team also reported that it is one of the top 20 vulnerabilities to be patched before 2020, based on the number of times it has been exploited by sophisticated cyber-attack groups operating in the world today. The vulnerability allows the attacker to remotely execute code on the victim’s computer through a specially crafted website, Office or .rtf document.

In recent months, security researchers reported exploitation attempts for the CVE-2012-0158 vulnerability in COVID-19-related attacks. The researchers reported attack attempts against medical and academic organizations in Canada. One of the campaigns included infection attempts with the EDA2 ransomware, a strain of a wider ransomware family, known as HiddenTear. The attackers used an email address that resembles and imitates the legitimate address of the World Health Organization. The phishing emails sent to the targeted organizations contained malicious files designed to exploit this vulnerability to execute code remotely and infect them with the ransomware. An additional phishing campaign attempted to infect victims from the above mentioned organizations with a ransomware dubbed RASOM.

CVE-2018-8453

CVE-2018-8453 Characteristics

The CVE-2018-8453 resides in the win32k.sys component of Windows, since it fails to properly handle objects in memory. A successful exploitation can allow an attacker to run arbitrary code in kernel mode, install programs; view, change, or delete data; or create new accounts with full user rights.

The Sodinokibi/REvil ransomware was first spotted exploiting CVE-2018-8453 in 2019 in multiple attacks in the Asia-Pacific region, including Taiwan, Hong Kong, and South Korea. In July 2020, it was reported that it was exploited again by the same ransomware gang against Brazilian-based electrical energy company Light S.A. The attackers first demanded a ransom of 106,870.19 XMR (Monero), and after the deadline has passed the ransom doubled to 215882.8 XMR, which amounts to approximately $14 million.

SUMMING UP: THE PATCHING PARADOX

In an ideal world, organizations would patch every new vulnerability once it’s discovered. In real-life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox”: common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, existence of legacy systems and slow implementation of patches. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.

All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

China_Cobalt-Strike

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the description of tools inside the post, which implies the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair amount of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach of some members in the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a Chinese prolific user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and one that possesses various powerful plug-ins that can be used to “enrich” its functions .

GodOfHacker

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all be one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi middle-man attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake-base station [FBS] attacks (where devices connected to a cellular network are made to connect to it to gather information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

GodOfHacker-2

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend

ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF POPULAR RAT SPYNOTE AND SELLS IT IN THE DARK WEB, AS NEW

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4, on a prominent English hacking forum.

A quick research revealed that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, which led us to assess, with high confidence that he is an Arab-speaker. The use of poor English in his posts reinforced this assessment. His activity on the prominent English hacking forum we monitor sparked our curiosity and we decided to take a closer look.

NEW ANDROID RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio, which enables full control, with extensive capabilities over the infected device. This latest release of the malware presents new features, such as a bypass to the Facebook authentication mechanism.[1]

The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.[2] 

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A DEEPER DIVE INTO MOBIHOK V4

The threat actor has been promoting the malware on multiple outlets (including on a dedicated Facebook page and a YouTube channel),[3] since January 2019.

Screenshot of MobiHok sales post from an Arabic hacking forum
MobiHok’s dedicated Facebook page

Mobeebom also runs a website, on which it is possible to purchase the RAT in a variety of options, including the possibility to acquire the entire source code for US$ 15,000. According to the screenshots displayed on the website, the malware features the following capabilities:

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bind to another APK app

To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name.

 

THE DATA BREACH EPIDEMIC – KEY FINDINGS FROM VERINT’S COMPREHENSIVE CTI REPORT

In the past few years we have witnessed a growing number of significant data breaches.

The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.

KEY FINDINGS:

  1. 4,812,840,627 – Total Leaked Records In 2018
  2. 1,925,136,251 – Unique Records
  3. 24,224,940 – Organizations
  4. 53% of all leaked data comes from .com domains
  5. Distribution of “Combo Lists” is the key trend in the 2018 data leaks
  6. Leaked records by region:
  • APAC – 1.5B records
  • EMEA – 728M records
  • LATAM – 34M records
Many “Combo Lists” published in 2018 targeted specific regions, indicating leading interests of hackers’ groups

THE ANALYSIS PROCESS

In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activities on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.

In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.

Want to know more? Download the report here

SOME LEAKS ARE MORE VALUABLE THAN OTHERS

Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example, the increasing distribution of “Combo Lists”, the demand for region specific leaks and countries that had most government data leaked.

ANALYSIS OF EXPLOITATION METHODS

The report also shares the hackers’ perspective, reviewing the most popular ways hackers use to exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email based-attacks. This information is valuable as it can really help organizations prioritize risk and improve their resilience and readiness against these attack methods.

THE BIGGEST DATA BREACHES OF 2018

In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.

Download the Full Report Here