During 2016, we witnessed the collapse of three major exploit kits that were previously used for massive malware delivery: Nuclear (first), Angler and then Neutrino (later). Along with other more private EKs (such as Magnitude), they caused major damage in previous years and served as infection vectors for many malicious malware-distributing campaigns. Continue reading “Exploit Kits Out, Loaders and Macros Back in”
The following is an excerpt from the report. To receive a copy, please send a request to: firstname.lastname@example.org
2016 has been replete with an unprecedented volume of cyber events of varying impact and future significance. From our perspective, on account of our persistent presence and active participation in discussions Continue reading “SenseCy 2016 Annual CTI Report”
The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.
Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.
Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact
In 2015 we saw an active underground trading of exploits, botnets and spam tools. The number of Ransomware sales were much lower than it was expected by cyber security experts. Investigate the key trends in hacking tools commerce observed on the English-language underground in 2015 from our short Infographic.
Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report. https://www.sensecy.com/contact
It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.
In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:
Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.
While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.
Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.
The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.
Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.
RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).
To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.
Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.
Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.
The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.
For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).
When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.
In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.
Cybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.
While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.
Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.
The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.
One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.
Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.
The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.
The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.
What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?
There is no one answer to this question, but we can divide hackers’ motivations into four categories:
- Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understand by almost any beginner.
- Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
- Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.
- Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.
In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.
Written and prepared by SenseCy’s Cyber Intelligence analysts.
Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.
This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.
The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: email@example.com
Below are several of our insights regarding cyber activity this past year:
- The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
- In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
- This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
- Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.
The Past Year on the Russian Underground
In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.
The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.
The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):
Key Trends Observed on the Russian Underground this Past Year
Trojan Horses for the Financial Sector
Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.
In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.
This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.
This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.
Additional trends and insights are detailed in the full report.
During November 2014, the popular hacker group AnonGhost attempted to deface academic websites from around the world.
AnonGhost was established by a famous hacker dubbed Mauritania Attacker. The group has launched many wide-scale cyber campaigns against the U.S., Israel and other countries around the world. The group’s most popular repeat campaign is #OpIsrael, which was relaunched on April 7, 2014 (one year after its inaugural launch), targeting Israeli cyber-space.
Their most recent ongoing campaign is #OpGov, where group members attempt to hack government websites in different countries. In the following image, you can see an example of the group’s intention to hack Jamaican government websites:
The group has also leaked information from databases, such as emails, passwords and personal details.
Targeting Academic Websites
Recently, we noticed that AnonGhost is focusing on academic websites in the U.S., such as Washington University, Olin College of Engineering and Utah State University. On its official Facebook and Twitter accounts, the group announced that they had successfully defaced these American academic websites. In the following images, you can see the group’s post and their tweet regarding Washington University websites:
In the following image, you can see the group’s post on Facebook listing its achievements in hacking government and academic websites:
Defaced Websites as Tools for Future Attacks
It should be noted that cyber researchers have recently warned about new methods used by hacktivist groups to attack users who visit defaced websites, using a malicious link that leads to a Dokta Chef Exploit Kit hosting website. The Dokta Chef EK takes advantage of a recently disclosed vulnerability that allows remote code execution related to the Internet Explorer browser. In the following image, you can see a defaced website with the malicious link (lulz.htm):
#OpIsraelReborn Campaign launched by AnonGhost September 5, 2014
#OpSaveGaza – by the Tunisian AnonGhost July 13, 2014
Banks and other financial institutions often serve as key targets for malicious activity committed in cyber space. Owing to their large-scale financial operations, banks have always attracted scammers and thieves searching for easy ways to get rich quick. The rapid development of technologies used in the different industries has shifted banking operations to a much more virtual level, opening up new, sophisticated ways for criminal actions to be perpetrated. Aside from traditional, profit-motivated cybercrime, a large part of a bank’s technical infrastructure, such as online banking services, is located on the Internet. This exposes another Achilles’ heel of banking institutions, while serving as a weapon for ideologically motivated hackers trying to undermine a bank’s reputation and normal functioning. In this blog post we will focus on threats coming from the cybercrime arena, the next one describing the hacktivism world is to be followed.
Cybercriminals act from different vectors, such as developing malware for stealing login details for banking sites and applications, extracting credit card data from hacked databases, etc. The main motivation of cyber criminals is financial profit. Subsequently, they use closed web forums and online shops to support their illegal activity and develop new fraud schemes. In most of the cases, financial institutions face one of the following three threats:
Man-in-the-Middle (MitM) Attacks
Also called web injections, this attack method is very popular among cyber criminals targeting the financial sector. If the attack is successful, the hacker manages to infiltrate the web-session between the customer (while he is surfing the bank website) and the bank. He then intercepts the messages sent between the two parts of the conversation, including credentials and classified information, and injects new messages, without arousing the suspicion of either party.
In most cases, the injections are adjusted per victim, and are delivered via banking Trojans, Zeus for example. On closed forums, injections are sold as separate modules for banking malware, or they are offered as a tailored service for cyber criminals targeting a specific bank.
Client Detail Trading
One of the most popular areas of activity on underground forums is the trading of login details to bank websites and client personal data. Typically, this data originates from computers infected with malware designed to steal data inserted into form fields on websites. The operator of the botnet comprising these infected computers will not always use all the stolen data by himself, but may sell it to ‘professionals’ who specialize in cashing out money from these hacked accounts.
A term that should be mentioned in this context is the “drop” – a person who receives the stolen money into his account – sometimes without even knowing that he is supporting illegal activity, as legends and cover stories are frequently used. Drops are usually operated by the buyers of the login details – scammers who have a stabile infrastructure for cashing out stolen money. Posts on the subject of buying and selling credentials are frequently found on closed forums.
Compromised Credit Cards
Online shops offering different kinds of credit card data for sale are very popular among those cyber criminals specializing in “carding.” These shops are very convenient for their users. They include numerous filtering options, thus matching the data to the scammers needs. Prices may vary considerably, depending on the rarity of the card and the demand for the data of the issuing bank, as well as elapsed time since the data theft.