Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

China_Cobalt-Strike

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the description of tools inside the post, which implies the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair amount of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach of some members in the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a Chinese prolific user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and one that possesses various powerful plug-ins that can be used to “enrich” its functions .

GodOfHacker

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all be one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi middle-man attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake-base station [FBS] attacks (where devices connected to a cellular network are made to connect to it to gather information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

GodOfHacker-2

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend

ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF POPULAR RAT SPYNOTE AND SELLS IT IN THE DARK WEB, AS NEW

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4, on a prominent English hacking forum.

A quick research revealed that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, which led us to assess, with high confidence that he is an Arab-speaker. The use of poor English in his posts reinforced this assessment. His activity on the prominent English hacking forum we monitor sparked our curiosity and we decided to take a closer look.

NEW ANDROID RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio, which enables full control, with extensive capabilities over the infected device. This latest release of the malware presents new features, such as a bypass to the Facebook authentication mechanism.[1]

The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.[2] 

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A DEEPER DIVE INTO MOBIHOK V4

The threat actor has been promoting the malware on multiple outlets (including on a dedicated Facebook page and a YouTube channel),[3] since January 2019.

Screenshot of MobiHok sales post from an Arabic hacking forum
MobiHok’s dedicated Facebook page

Mobeebom also runs a website, on which it is possible to purchase the RAT in a variety of options, including the possibility to acquire the entire source code for US$ 15,000. According to the screenshots displayed on the website, the malware features the following capabilities:

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bind to another APK app

To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name.

 

THE DATA BREACH EPIDEMIC – KEY FINDINGS FROM VERINT’S COMPREHENSIVE CTI REPORT

In the past few years we have witnessed a growing number of significant data breaches.

The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.

KEY FINDINGS:

  1. 4,812,840,627 – Total Leaked Records In 2018
  2. 1,925,136,251 – Unique Records
  3. 24,224,940 – Organizations
  4. 53% of all leaked data comes from .com domains
  5. Distribution of “Combo Lists” is the key trend in the 2018 data leaks
  6. Leaked records by region:
  • APAC – 1.5B records
  • EMEA – 728M records
  • LATAM – 34M records
Many “Combo Lists” published in 2018 targeted specific regions, indicating leading interests of hackers’ groups

THE ANALYSIS PROCESS

In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activities on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.

In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.

Want to know more? Download the report here

SOME LEAKS ARE MORE VALUABLE THAN OTHERS

Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example, the increasing distribution of “Combo Lists”, the demand for region specific leaks and countries that had most government data leaked.

ANALYSIS OF EXPLOITATION METHODS

The report also shares the hackers’ perspective, reviewing the most popular ways hackers use to exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email based-attacks. This information is valuable as it can really help organizations prioritize risk and improve their resilience and readiness against these attack methods.

THE BIGGEST DATA BREACHES OF 2018

In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.

Download the Full Report Here