In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).
Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials, and other data, which has been leaked over the years, by a variety of actors (hacktivists, APTs, etc).
On July 6, 2018, a post claiming to contain the source code of Carbanak group malware was published on a Russian-speaking underground forum. Soon after the sharing of the code on the Russian underground, it was uploaded by an unknown actor to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered the malware is not one used by the Carbanak group, but rather, it is the Ratopak/Pegasus spyware, used in attacks against Russian banks in 2016. Continue reading “Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked”
It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.
In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:
Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.
While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.
Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.
The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.
Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.
RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).
To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.
Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.
Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.
The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.
For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).
Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry.
During routine monitoring of these forums, we came across a new type of malware loader called H1N1. Loaders are used as an initial intrusion vector, enabling an attacker to install malware on a workstation at a later time of his own choosing. They provide the attacker with both an initial foothold in the victim’s system and a future channel for delivering malicious programs at any time.
The new loader, which is named after the swine flu virus, was offered for sale in late April for $500 by a member of a Russian password-protected forum.
According to the sales thread, H1N1 is a non-resident loader. This means that it is executed in the system, installs the programs from its task list, and deletes itself after the computer is rebooted. (A resident loader, on the other hand, writes itself into the operating system and is not deleted after reboot. Since it receives commands from the C&C server, it can keep installing malicious software on the infected computer.)
Bypasses User Account Control (UAC) through a UAC whitelist, which allows it to run files with elevated privileges. This bypass does not require use of additional .dll libraries or Windows Sysprep. If the loader is unable to receive elevated privileges, it will run programs with user privileges.
Traffic in both directions is encrypted.
Installs .exe files on the infected computer using Windows Instrumentation Management (WMI). The .dll files are installed from memory.
Has an embedded security mechanism that recognizes when it is being executed in a virtual machine.
Can be injected into the address space of legitimate system processes (of the default browsers).
Bypasses AV and HIPS programs. With AV programs, it does this by identifying their running processes and paths, creating copies of the processes, injecting into the copied processes, and finally, disabling all threads of the AV software’s legitimate processes.
Elevates privileges from a low integrity level by using WMI and exploiting the CVE-2014-4113 vulnerability.
Identifies and neutralizes certain AV programs.
A number of forum members who claimed to have used the tool gave generally positive feedback but stated that it does not bypass all AV programs. According to the technical analysis (below), Kaspersky Internet Security identified the presence of the loader, while ESET NOD32 and Outpost Security Suite did not. Avira only identified the activity as malicious in some cases (depending on the crypt of the loader).
In a VirusTotal analysis of the loader’s files, the detection ratio was 41/57 for the dropper file (as of May 21, 2015) and 22/57 for the memory file (as of May 14, 2015).
It is common practice on closed Russian forums for veteran, trusted members to analyze and validate malware sold by newbies to prevent them from cheating and selling a low-quality product. It is harder to find buyers for non-validated malware, especially if the seller is new to the forum (for a review of different types of sellers, see our previous post on this subject). Since a major part of the underground ecosystem is based on reputation and the hierarchy on different underground forums, an impartial entity whose role is to validate new goods is extremely important.
Ares, the administrator of a well-known Russian forum, conducted a validation analysis to check whether H1N1 really possesses the capabilities claimed by the seller, including the ability to bypass security measures. He published an extensive review on his forum.
According to Ares, the code is written in Assembly language and was obfuscated (for security purposes). Once all the initial procedures are loaded (the code utilizes kernel32 and advapi32 during loading), the loader launches the Explorer process from syswow64 on x64 systems and system32 on x86 systems. The process is mapped with a rewritten shellcode entrypoint.
The shellcode receives all of the necessary APIs and reads a packed binary file (which it extracts).
The binary is a .dll file that scans for various important API elements and then checks the hash signature of the filename through which the process was started. If the file name is Explorer, it tries to elevate its privileges.
Initially the malicious .dll file copies itself and patches with the shellcode. Later it moves the copied file into the system32/setup folder. After that, H1N1 runs several checks (such as OS version) and tries to elevate its privileges from medium to high.
The loader uses various methods to inject malicious content into legitimate processes. For example, if injection into a default browser fails, it tries to inject the malicious content through svchost.
Lastly, the execution module kicks in where the loader will be executed. The malware conducts fake network tests (for example, pinging various websites), collects information about the infected machine, and then requests content from the C&C server. The HTTP requests are encrypted with RC4 and the data length is transferred in the HTTP header.
Following publication of the analysis by Ares and in response to critical feedback from forum members, the seller has been updating and improving H1N1. For example, he responded to criticism of the UAC bypass by announcing that he had changed the bypass method and that it was now similar to the method used by the Carberp Trojan.
In later tests performed by several authoritative forum members, privilege escalation and the UAC bypass had a relatively low success rate. However, since then, the author claims to have fixed the problems with the loader.
An Important Recommendation
H1N1 uses bthudtask.exe for its purposes. This executable is part of Microsoft Windows and is usually located under C:\Windows\system32. The file description is “Bluetooth Uninstall Device Task.” If you do not require Bluetooth devices, we would strongly recommend removing the file from your end-points.
H1N1 is a new type of malware loader and is not yet very sophisticated. However, it has attracted the attention of many high-ranking Russian underground forum members, who have analyzed it and written about its weak points. This seems to be encouraging the seller to improve and upgrade his product and fix the bugs.
Russian underground cyber-markets are known venues for purchasing high-quality hacking tools and services. Many such tools, popular worldwide, make their first appearances on closed Russian forums. There are two main types of sellers on these platforms: well-known members with seniority and strong reputations, who have already sold tools and received positive buyer feedback, and an emerging “shell profile” type of user. According to our recent analysis, such users typically register to a forum a few days before posting an advertisement for the tool. These new users often enlist the aid of forum administrators and more senior members, by providing them with a copy of the tool for their review, and thus gain the trust of potential buyers.
For example, CTB-Locker, a malware program, was first advertised on a Russian underground forum on June 10, 2014 by a user called Tapkin. This ransomware scans the computer for data files, encrypts them with a unique algorithm, and demands a ransom to release them. Tapkin registered on this forum on June 2, 2014, several days before posting the advertisement, and posted a total of five messages to the forum, all on the subject of CTB-Locker. Around this time, a user by the same name posted identical information on other forums.
Tapkin registered to another Russian underground forum on June 13, 2014, and three days later, he advertised the tool on the forum. This was the first and only thread that Tapkin started on this platform, and all of his posts were about this topic.
Tapkin stopped selling CTB-Locker on June 27, but on November 19, 2014, he posted another advertisement, this time for “serious” clients only. Tapkin last advertised the ransomware on a carding forum on December 8, 2014, after registering to this forum the same day.
Thus, in three cases, Tapkin registered to a forum a few days before posting an advertisement for the tool and did not participate in any other forum discussions. As a newly created profile, Tapkin lacked seniority and therefore had low credibility. However, our impression is that this user demonstrates knowledge regarding the tool, its capabilities and can answer questions regarding the technical component of the tool fluently. An analysis of Tapkin’s posts indicates that behind the shell profile is not one person, but rather a group of people who developed the tool together.
This username appears to have been created for the sole purpose of selling the ransomware, which was only advertised on Russian-speaking platforms. On May 19, 2015, a well-known forum user posted a message stating that his computer had been infected by CTB-Locker and asking for Tapkin. However, Tapkin had by then already disappeared.
Another example of malware advertised by a new forum member is the Loki Bot password and coin wallet stealer. Loki Bot, written in C++, can steal passwords from browsers, FTP/SSH applications, email accounts, and poker clients. It has an option to configure C&C IP addresses or domains.
This bot, which works on Windows versions XP, Vista, 7, 8, and 8.1, is relatively new and is still under development. It was first advertised on a well-known Russian underground forum in early May 2015 by a new user with no reputation. A week later, a user by the same name registered on two other well-known underground forums attempted to boost his credibility by sending the forum administrator a test version of the malware. Similar to the previous example, we assume that a group of people is behind this user as well.
We can see that new users are registering on Russian underground forums for one purpose only, to sell a particular malware program, and their entire online presence is focused on this. They register to a forum a few days before posting an advertisement for the tool and do not participate in other forum discussions. Newly created profiles lack seniority and therefore have low credibility ratings. Sometimes such users attempt to improve their credibility by sending the forum administrator a test version of the malware. In some cases we can see that behind the shell profile there is a team, and not an individual. They appear suddenly and disappear just as suddenly after their business is completed.
In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.
In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.
On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.
According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.
The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.
Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.
The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and Ebay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. There was a section in the site indicating that European institutions will be targeted in the future.
F-Secure recently reported on BandarChor, a new player in the field of ransomware. The SenseCy team that analyzed the so-called new malware was intrigued by some of its characteristics. Further analysis revealed that BandarChor is another variant of Ebola Virus, ransomware we reported on in October 2014.
Brief Review of BandarChor (according to F-Secure)
First documented infections – November 2014
Spreading platform/method – Malicious emails or distribution by exploit kits
Capabilities – Upon execution, the ransomware encrypts multiple files on the infected machine. Afterwards the files are renamed to [original_file_name].id-[ID]firstname.lastname@example.org.
The Link Connecting BandarChor with Ebola Virus
BandarChor’s “file name modification” attribute caught our attention, as SenseCy had already encountered ransomware with a very similar modus operandi. In a blog post in October 2014, we reported on Ebola Virus, a new ransomware whose victims were mainly in Russia. Based on our research, we believe that Ebola and BandarChor are variants of the same ransomware, although with slight differences. This is because both use the same file name modification after encryption. BandarChor renames files to [filename].id-[ID]email@example.com, while one of the previously discovered Ebola variants changes file names to firstname.lastname@example.org, indicating that the attackers were using the same domain.
BandarChor / Ebola Ransomware Evolution as Observed by SenseCy
SenseCy first encountered Ebola malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that had infected his computer. The sample that we examined was received by the victim in an email that contained a malicious link. Clicking the link initiated downloading of an RAR archive, and unzipping the archive encrypted all files stored on the PC that had the extensions .pdf, .doc, .docx, .xls, .xlsx, .jpg, or .dwg. After that, the filenames were changed to *email@example.com. According to an infected user, to recover the files on the PC, he had to send an email to help[at]antivirusebola.com, and he was subsequently instructed to pay one bitcoin to a certain address.
We conducted a further investigation on the Russian-speaking web that revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent through an email, allegedly from the tax authorities or traffic police.
According to Russian security firm Dr.Web, the the Ebola virus first appeared on August 20, though a slightly different version has been distributed since August 7 that changes the file names to firstname.lastname@example.org or email@example.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741, and were coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer, and encrypted with the AES-128 algorithm.
In conclusion, this case study demonstrates the importance of near-real-time cyber intelligence. By identifying future threats and notifying our customers in advance, we can help them to protect themselves before the threat can be detected by traditional security systems.
The second half of December is a joyful and festive time in the snowy, post-Soviet arena, culminating in the magical New Year’s Eve. Most people take vacation, and an atmosphere of playfulness and celebration can be felt in the air. The Russian-speaking hacker and malware development community is no exception, and each year the forums that serve as their main platforms are colorfully decorated for the holiday, while members post Season’s Greetings to each other.
This year, we witnessed a creative new idea by this community to celebrate the most important holiday in former Communist countries – a self-sponsored, cross-platform contest. Specifically, a quiz on hacking operations, scheduled to take place simultaneously on the last day of the year on several different forums.
The idea is the brainchild of one of the administrators of a leading underground forum, who started to raise money that will serve as prizes for the winners of the contest. A dedicated Bitcoin wallet has been opened for donations. Furthermore, service providers have offered free use of their products for the lucky winners.
The concept was met with enthusiasm by forum members, who proposed question topics and formats. A survey was launched on one forum, asking members to vote for the topic they would like to see in the quiz. The suggested topics involve the following areas of cybercrime: coding, spam, crypt, traffic, brute forcing, reverse engineering and administration.
Several members have donated money, saying that such activity helps to develop the community and serves as motivation for achieving knowledge. Moreover, the administrators of numerous underground forums have expressed their support for the contest, indicating the expected high level of the quiz.
We look forward to discovering the names of the winners of the contest on December 31 and seeing what kind of questions are going to be asked. Meanwhile, we wish you all Happy Holidays and Happy Novy God!
Banks and other financial institutions often serve as key targets for malicious activity committed in cyber space. Owing to their large-scale financial operations, banks have always attracted scammers and thieves searching for easy ways to get rich quick. The rapid development of technologies used in the different industries has shifted banking operations to a much more virtual level, opening up new, sophisticated ways for criminal actions to be perpetrated. Aside from traditional, profit-motivated cybercrime, a large part of a bank’s technical infrastructure, such as online banking services, is located on the Internet. This exposes another Achilles’ heel of banking institutions, while serving as a weapon for ideologically motivated hackers trying to undermine a bank’s reputation and normal functioning. In this blog post we will focus on threats coming from the cybercrime arena, the next one describing the hacktivism world is to be followed.
Cybercriminals act from different vectors, such as developing malware for stealing login details for banking sites and applications, extracting credit card data from hacked databases, etc. The main motivation of cyber criminals is financial profit. Subsequently, they use closed web forums and online shops to support their illegal activity and develop new fraud schemes. In most of the cases, financial institutions face one of the following three threats:
Man-in-the-Middle (MitM) Attacks
Also called web injections, this attack method is very popular among cyber criminals targeting the financial sector. If the attack is successful, the hacker manages to infiltrate the web-session between the customer (while he is surfing the bank website) and the bank. He then intercepts the messages sent between the two parts of the conversation, including credentials and classified information, and injects new messages, without arousing the suspicion of either party.
In most cases, the injections are adjusted per victim, and are delivered via banking Trojans, Zeus for example. On closed forums, injections are sold as separate modules for banking malware, or they are offered as a tailored service for cyber criminals targeting a specific bank.
Client Detail Trading
One of the most popular areas of activity on underground forums is the trading of login details to bank websites and client personal data. Typically, this data originates from computers infected with malware designed to steal data inserted into form fields on websites. The operator of the botnet comprising these infected computers will not always use all the stolen data by himself, but may sell it to ‘professionals’ who specialize in cashing out money from these hacked accounts.
A term that should be mentioned in this context is the “drop” – a person who receives the stolen money into his account – sometimes without even knowing that he is supporting illegal activity, as legends and cover stories are frequently used. Drops are usually operated by the buyers of the login details – scammers who have a stabile infrastructure for cashing out stolen money. Posts on the subject of buying and selling credentials are frequently found on closed forums.
Compromised Credit Cards
Online shops offering different kinds of credit card data for sale are very popular among those cyber criminals specializing in “carding.” These shops are very convenient for their users. They include numerous filtering options, thus matching the data to the scammers needs. Prices may vary considerably, depending on the rarity of the card and the demand for the data of the issuing bank, as well as elapsed time since the data theft.
The media is in an uproar at present, reporting on one cyber incident after another. Adobe, Target, Neiman Marcus, Home Depot, JP Morgan – these breaches are just the tip of the iceberg in the cybercrime arena. The Russian underground forums serve as fertile ground for planning cybercrime-motivated breaches worldwide – programming the malicious software, distributing it and sharing knowledge about the most profitable usage, selling the stolen data (such as credentials, etc.). Let us take a deeper look at the internal structure of these forums and the norms of behavior there.
While many forums have free registration, others require payment (Cybercriminals will never miss an opportunity to profitJ). Some of the forums that ask for registration fees do not contain useful information, and the fee is merely a farce, while for others, the fee is a means to keep poor or noob hackers away from the “big guy discussions.” Some of the forums ask potential candidates to fill out a detailed registration form, clarifying exact capabilities/programming languages they know, while others go one step further and send different hacking tasks to the applicants, demanding proof of their professional level. Many forums have strict policies about filtering out the registrants and very few people are accepted.
When it comes to personal contacts between the seller and buyer, the first choice is the Jabber messenger. Sometimes, one of the sides will request an OTR (Off-the-Record, allowing private conversation using encryption and elimination of all traces of the conversation) protocol for Jabber. Besides, exchanging messages via PM (private message) – the private mailbox on each forum is another popular means of communication. Users wishing to connect via Jabber are sometimes asked to authenticate themselves via private message beforehand – indicating the high level of confidentiality and security concerns.
ICQ is also used, although it is not very common and is perceived as a communication method for less experienced hackers.
On the underground, you will never see any payment method that would somehow enable identification of the parties in the transaction. Naturally, no credit cards, PayPal accounts or money transactions are accepted – only virtual currencies are used. BTC is rather popular, as well as PM (Perfect Money), LTC (Light Coins), WM (Web Money) and other virtual currencies.
Most of the forums maintain a well-established system of escrow services provided by an official forum member appointed by the administrator. In exchange for a reward, usually a percentage of the transaction value, he mediates between the buyer and the seller, keeping the money until the goods are supplied. He also checks that the product offered matches its description.
The reputation of the members is one of the pillars of Russian underground forums. Despite the fact that each forum has its own scoring system, all have a common principle: forum members rate each other, based on the threads they post. For instance, by providing useful advice or uploading malware, the author will receive more points. Another reputation booster is the number of posts, as well as seniority on the forum that defines the status of the user: beginner, intermediate, specialist, etc. Certain threads are available only to members with a minimum numbers of posts.
Furthermore, some forums ask for monetary deposits that are displayed next to the user’s name, indicating his reliability. If monetary conflict arises, the sales thread will often be suspended until the issue is clarified. If no solution is found, the seller incurs a “ripper” status, thus losing the chance to sell anything ever again on the forum, unless he changes his nickname.