ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF POPULAR RAT SPYNOTE AND SELLS IT IN THE DARK WEB, AS NEW

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4, on a prominent English hacking forum.

A quick research revealed that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, which led us to assess, with high confidence that he is an Arab-speaker. The use of poor English in his posts reinforced this assessment. His activity on the prominent English hacking forum we monitor sparked our curiosity and we decided to take a closer look.

NEW ANDROID RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio, which enables full control, with extensive capabilities over the infected device. This latest release of the malware presents new features, such as a bypass to the Facebook authentication mechanism.[1]

The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.[2] 

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A DEEPER DIVE INTO MOBIHOK V4

The threat actor has been promoting the malware on multiple outlets (including on a dedicated Facebook page and a YouTube channel),[3] since January 2019.

Screenshot of MobiHok sales post from an Arabic hacking forum
MobiHok’s dedicated Facebook page

Mobeebom also runs a website, on which it is possible to purchase the RAT in a variety of options, including the possibility to acquire the entire source code for US$ 15,000. According to the screenshots displayed on the website, the malware features the following capabilities:

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bind to another APK app

To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name.

 

THE DATA BREACH EPIDEMIC – KEY FINDINGS FROM VERINT’S COMPREHENSIVE CTI REPORT

In the past few years we have witnessed a growing number of significant data breaches.

The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.

KEY FINDINGS:

  1. 4,812,840,627 – Total Leaked Records In 2018
  2. 1,925,136,251 – Unique Records
  3. 24,224,940 – Organizations
  4. 53% of all leaked data comes from .com domains
  5. Distribution of “Combo Lists” is the key trend in the 2018 data leaks
  6. Leaked records by region:
  • APAC – 1.5B records
  • EMEA – 728M records
  • LATAM – 34M records
Many “Combo Lists” published in 2018 targeted specific regions, indicating leading interests of hackers’ groups

THE ANALYSIS PROCESS

In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activities on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.

In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.

Want to know more? Download the report here

SOME LEAKS ARE MORE VALUABLE THAN OTHERS

Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example, the increasing distribution of “Combo Lists”, the demand for region specific leaks and countries that had most government data leaked.

ANALYSIS OF EXPLOITATION METHODS

The report also shares the hackers’ perspective, reviewing the most popular ways hackers use to exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email based-attacks. This information is valuable as it can really help organizations prioritize risk and improve their resilience and readiness against these attack methods.

THE BIGGEST DATA BREACHES OF 2018

In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.

Download the Full Report Here

Political Tension in Spain Leads to Cyber-Attacks against Spanish Websites

The political tension after the Catalonia referendum on October 1, 2017, has influenced the virtual arena as well, resulting in cyber-attacks against Spanish websites carried out by hacktivists leaking information about high profile targets and claiming responsibility for shutting down websites. These threat actors use various anti-Spain hashtags that indicate the different cyber campaigns: #OpEspana, #OpCatalonia, #OpCatalonya and #OpSaveCatalonia. Continue reading “Political Tension in Spain Leads to Cyber-Attacks against Spanish Websites”

Significant Increase in Cloud-Based Attacks in the Last Year

According to a recently published report for the first quarter of 2017, there has been a significant rise in consumer and enterprise accounts in the Cloud. As more and more organizations migrate to the Cloud, the frequency and sophistication of Cloud-based attacks is growing. Continue reading “Significant Increase in Cloud-Based Attacks in the Last Year”

Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc). Continue reading “Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry”

#OpIcarus Cyber Campaign – Round 5

Hacktivists recently launched the fifth phase of the #OpIcarus cyber campaign (also dubbed #OpSacred) against the financial sector around the world. This campaign was first launched in February 2016, and as in previous phases, the official target list contains mainly websites of central banks around the world. In addition, the initiators share links to download known DDoS tools, such as Continue reading “#OpIcarus Cyber Campaign – Round 5”

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”

Updates about the Upcoming #OpIsrael Campaign

The number of participants in the event pages of the #OpIsrael campaign, as of the first week of April 2017, is approximately 600 Facebook users – a very low number of supporters compared to the same period in previous campaigns. In general, the response on social networks to the #OpIsrael campaign over the years since 2013 is constantly declining. Continue reading “Updates about the Upcoming #OpIsrael Campaign”

Initial Preparations for #OpIsrael 2017

During the past week, we detected indications for initial preparations for the upcoming #OpIsrael campaign scheduled for April 7, 2017. SenseCy identified several event pages on Facebook that were opened explicitly to organize cyber-attacks. The number of participants in all the event pages that we found is relatively low (approximately 160 Facebook users). Continue reading “Initial Preparations for #OpIsrael 2017”