Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

1
Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

2
An excerpt of the sale thread posted on a Darknet forum

 

3
Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

4
One of the sales posts on a Darknet marketplace
5
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.

Handling a Ransomware Attack

A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.

In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.

The Evolution of Ransomware

The vigorous usage of ransomware tools by cybercriminals and their success in this area has led to the development of new ransomware and the constant upgrading of known models. During the past several months, researchers have reported on the development of ransomware that is capable of file encryption without Internet connection, i.e., they do not communicate with their C&C servers for the encryption process.

New ransomware tools that were reported are Locky ransomware, whose modus operandi resembles the Dridex banking Trojan, and a new version of CTB-Locker that attacks web servers.

Additionally, RaaS (Ransom-as-a-Service) offers are becoming popular on closed DeepWeb and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Previously it was ORX-Locker, offered as a service via a platform hosted on an .onion server.

1
The ransom message presented by the Cerber ransomware

Ransomware Distribution

The majority of the distribution vectors of ransomware stubs involve some kind of social engineering trap, for example, email messages including malicious Office files, spam messages with nasty links or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with an embedded malevolent code. The distribution also takes advantage of Macro commands and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as well as stolen digital certificates.

In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.

2
RaaS offered on a Darknet forum

Handling a Ransomware Attack

Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:

Defend Your Organization from Potential Threats

  • Train your employees – since the human link is the weakest link in the organizational cybersecurity and the majority of the cases involve social engineering on one of the employees, periodical employee briefing is extremely important. Specify the rules regarding using the company systems, and describe what phishing messages look like.
  • Raise awareness regarding accepting files that arrive via email messages – instruct your employees not to open suspicious files or files sent from unfamiliar senders. Consider implementing an organizational policy addressing such files. We recommend blocking or isolating files with the following extensions: js (JavaScript), jar (Java), bat (Batch file), exe (executable file), cpl (Control Panel), scr (Screensaver), com (COM file) and pif (Program Information file).
  • Disable running of Macro scripts on Office files sent via email – in recent months, many cases of ransomware attacks employing this vector were reported. Usually, Macro commands are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
  • Limit user privileges and constantly monitor the workstations – careful management of user privileges and limited administrator’s privileges may help in avoiding the spread of the ransomware in the organizational network. Moreover, monitoring the activity on workstations will be useful for early detection of any infection and blocking it from propagating to other systems and network resources.
  • Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
  • Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
  • Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequent updates of the organizational systems and implementing the published security patch will significantly reduce the chances of infection.
  • Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
  • Implement technical indicator and YARA rules in the company organizations. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.
    3
    A closed forum member looks to blackmail companies using ransomware

    What if I am Already Infected?

  • Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in majority of the cases, the OS does not immediately overwrite the deleted filed.
  • Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
  • Back-up files on a separate storage device regularly – the best practice to avoid damage from a ransomware attack is to backup all your important files on a storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported a ransomware that encrypted files stored on the Cloud Sync folder.
  • If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.

SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground
Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground
Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum
Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

Ashley Madison Hack – Review and Implications

On July 12, 2015, the IT-systems of Ashley Madison (owned by Avid Life Media), a Canada-based online dating service for married people, were hacked. The attackers, who call themselves Impact Team, released a message claiming they had taken control over all of the company’s systems and extracted databases containing client details, source codes, email correspondence and more.According to the message, the attack occurred in response to Ashley Madison‘s exposure of its clients – although the company offered and charged clients for a full profile deletion, this, in fact, was never carried out. Impact Team demanded that Ashley Madison and another website owned by Avid Life Media (ALM) cease their activity and shut down in 30 days, otherwise all stolen data would be published.

One month later, on August 16, 2015, Impact Team realized its threats – a link for downloading the data was posted on a password-protected hacking forum on the Darknet. The leaked data contained details of 37 million Ashley Madison users. Additionally, the attackers released data, containing mostly internal company information, in two additional stages.

The message containing the link for downloading the data stolen in the Ashley Madison hack
The message containing the link for downloading the data stolen in the Ashley Madison hack

The Attack

The infiltration vector used by the attackers is not known. According to ex-Ashley Madison CEO, the attack was performed by a provider or a former employee who possessed legitimate login credentials. Apparently, as in an APT attack, Impact Team had access to the company systems for a long period of time. They stated that they had collected information for years and that the attack started long before the data was exposed.

In an email interview with members of Impact Team, they said “they worked hard to make a fully undetectable attack, then got in and found nothing to bypass – Nobody was watching. No security. The only thing was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers.

The Leaked Data

Despite the fact that Ashley Madison maintained a low security level on its systems, the clients data was stored with many more precautions – full credit card data was not stored, but instead only the last four digits, in accordance with the company’s declared policy. Nevertheless, information about payments that contained names and addresses of the clients were stored and later used by cybercriminals.

The passwords of Ashley Madison‘s clients were encrypted using a bcrypt algorithm, which is considered to be extremely strong. Another security measure taken by the company was the separation of databases for email addresses and passwords. However, an error in one of the exposed source codes enabled the decryption of 11 million passwords in only 10 days. A security researcher decrypted another 4,000 “strongly encrypted” passwords, due to the fact that they were widely used passwords.

The ten most common Ashley Madison cracked passwords encrypted in a bcrypt algorithm
The ten most common Ashley Madison cracked passwords encrypted in a bcrypt algorithm

Moreover, Ashley Madison saved IP addresses of its users for as long as five years. Thus, almost every user behind each profile can be identified.

The Consequences

The release of the data led to numerous discussions on hacking forums regarding ways to exploit the data. Some hackers focused on extortion schemes, while others offered to initiate spear-phishing attacks based on the leaked data.

Darknet forum member explains how to look for users by their corporate email address
Darknet forum member explains how to look for users by their corporate email address

In other attack reported by TrendMicro, hackers distributed email messages allegedly from Impact Team or law firms. They asked for money in exchange for removing the recipient’s name from the leak or for initiating a class action lawsuit against Ashley Madison.

A fraud email message allegedly sent by Impact Team
A fraud email message allegedly sent by Impact Team

Besides financial damage, according to press publications, three people committed suicide after the leaked data was released.

Moreover, not only its clients, but the company itself suffered damage because of the exposure of confidential information. Exposure of internal correspondence of Ashley Madison‘s executives revealed the company’s improper business activity, such as hacking into its competitors systems, creating fake profiles on its website and more. Finally, Ashley Madison’s financial losses are estimated at more than 200 million dollars, since the company was about to launch an initial public offering later this year.

Conclusions

Analysis of the leaked email correspondence of Ashley Madison‘s executives demonstrates that they were fully aware of the importance of cyber security measures. In the beginning of 2012, following the cyber-attack on the Grinder mobile application, the company’s then-CTO expressed his concerns regarding passwords that were stored fully unencrypted. Later in 2012, an encryption for passwords was initiated. On another occasion, after the email correspondence leak of General Petraeus, an employee suggested implementing an encrypted email service for Ashley Madison users. Despite the severity of the hack, several measures taken by the company, such as the encryption of the users’ passwords, reduced the damage caused by the leak. Nevertheless, the encryption, even a strong one such as bcrypt, is not enough and a password complexity policy should be implemented in the organization. Using strong passwords, maintaining different and complex passwords for the high-privileged accounts of the IT systems and restricting the access to these accounts will limit the attackers’ ability to move laterally in the organization’s network and take control of it.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013
Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network
POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum
PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understand by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.
A forum member selling his knowledge
A forum member selling his knowledge
  • Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.