Recent Trends from the Russian Underground

Being a successful hacker can be a very demanding profession. Perhaps the most important trait required for this job is being innovative and keeping up to date with recent trends. Just like in physical fitness, where a couple of weeks away from the gym leaves you feeling out of the loop, so it is with hacking. Take a brief sick leave from the cybercrime scene, and when you return you feel as though a lot has changed. The scene is very dynamic: new threats and vulnerabilities are constantly being discovered, followed by patches and security updates; new Trojans are sold on the underground and then their source code is leaked, rendering them of no further interest. Something is always going on.

This time, we want to draw your attention to recent trends identified on leading forums and other web platforms of the Russian underground.


A Wider Variety of Crypt (Obfuscation) Services for Sale on Trading Platforms

We have observed a sharp increase lately in threads offering crypt services for malware files. In the last month alone, we traced at least 20 active threads on different forums advertising crypt services for .exe or .dll files. The assortment is wide and the prices are competitive: you can choose between a one-time service at $15 – $50 per file and a monthly subscription, starting at $150 for a new vendor and $500 for a well-known, established service.

The purpose of a crypt is to let the malware file evade antivirus, firewalls, browser protections and other malware detection, and on average a crypt remains effective for 24-72 hours. The growth in supply indicates growing demand, which may have two main causes: an increased volume of botnet activity, and the growing difficulty of bypassing security mechanisms that are becoming more sophisticated. We think it is actually a combination of the two: more and more cyber-criminals are attracted to the easy profits of running a botnet, while security firms fight back and refine their defenses. The crypt services happened to be in the right place at the right time to rake in the money.
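The short shelf life of a crypt is the defender's opening: the crypted wrapper hides the original code, but it cannot hide that it is hiding something. As an added example (not from the original post, and not the code of any crypt service discussed on these forums), the Python below flags the near-random byte regions that an encrypted payload leaves behind in a file, using Shannon entropy over fixed windows. The sample bytes, the 1024-byte window and the 7.0-bit threshold are constructed for this demonstration and are not published constants.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for
    bytes drawn uniformly from all 256 values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a fixed window over the file and return (offset, entropy) for
    every window whose entropy reaches the threshold.

    Compiled code and ASCII strings usually sit around 5-6.5 bits/byte;
    compressed or encrypted payloads approach 8. The threshold and window
    size are assumptions chosen for this demo."""
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def looks_crypted(data: bytes, window: int = 1024, threshold: float = 7.0,
                  min_fraction: float = 0.5) -> bool:
    """Heuristic verdict: the file is suspicious if at least min_fraction of
    its windows are high-entropy. A crypted sample is mostly encrypted
    payload plus a small decryption stub, so the fraction is high."""
    total = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / total >= min_fraction


# Constructed sample, not a real binary: a low-entropy "stub" of readable text
# and zero padding, followed by a seeded pseudo-random "payload" standing in
# for the encrypted original that a crypter decrypts in memory at run time.
_rng = random.Random(20140220)
STUB = (b"This program cannot be run in DOS mode.\r\n" * 8).ljust(1024, b"\x00")
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = STUB + PAYLOAD

if __name__ == "__main__":
    print("stub entropy:    %.2f bits/byte" % shannon_entropy(STUB))
    print("payload entropy: %.2f bits/byte" % shannon_entropy(PAYLOAD))
    print("flagged windows:", high_entropy_windows(SAMPLE))
    print("looks crypted:", looks_crypted(SAMPLE))
```

Entropy alone cannot tell encryption from legitimate compression or embedded media, so in practice the verdict is combined with other signals (a tiny import table, a single writable and executable section, a known stub signature). It is, however, exactly the signal a crypt cannot remove: re-crypting every 24-72 hours changes the bytes, not their randomness.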

More Malware Using Tor

In recent months, new Tor-based malware has appeared on underground trading platforms. The newest are a Tor-based Android bot named “Slempo” (rented for $500 per month on top of a one-time $1,000 “connection” fee) and the TorLocker ransomware (sold for $200). Before that, we saw the Atrax HTTP Tor bot, whose admin panel is hosted as a Tor hidden service.

Using Tor hidden services gives the botnet operator anonymity, since the real IP address of the C&C server and the identity of the person connecting to it are very hard to uncover. The disadvantage of this method is the size of the malware files, which must bundle a Tor client, and the significant resources needed to manage a botnet over Tor.

As we see it, this may turn out to be quite an alarming trend, making the detection of botnets and their operators that much more difficult.

Greater Focus Granted to Attacks on Embedded Devices (ATMs and POS)

As previously mentioned, cyber-criminals wage a constant battle against evolving defense mechanisms. While more and more obstacles are placed in the path of a hacker seeking access to your PC, his path to embedded devices such as ATMs and POS terminals remains almost clear. These devices usually run a commodity operating system, typically Windows XP, and their physical exposure (an ATM, for instance, can have malware introduced by someone with physical access to the machine) makes them much harder to protect.

Hackers have also discovered this vector: we were recently privy to numerous discussions about ways to attack ATMs, as well as a growing amount of POS malware offered for sale or download.

In our opinion, we may be witnessing a gradual shift in the main targets of cyber-criminals, from personal PCs to devices that organizations deploy at scale. The recent attacks on Target, Neiman Marcus and other retailers, executed via POS malware, only corroborate this claim.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Bad Habits can be Contagious

Written by Hila Marudi and Tanya Koyfman

As the saying goes, bad habits can be contagious… Our experience shows that expertise in illegal fields, and the sophisticated methods developed to break the law, are shared among criminals and sometimes find their way across the globe, between places thousands of miles apart.

Many instances of this phenomenon can be seen in the sphere of physical threats. Weapons and techniques that evolve in one conflict zone and prove effective are quickly transmitted to other battlefields and adopted by other terror organizations with totally different agendas from the original one. For instance, our colleagues who trace developments in the physical world recently noticed that explosive “suicide” belts (PBIEDs), first deployed in the Caucasus region, have found their way into the Syrian conflict and, further afield, into Iraq. These devices are likely intended for militants who may choose to initiate the device as a last resort when cornered, taking out their adversaries with them.

The cyber battlefield is no exception. Web platforms are used to share information and knowledge, often overcoming language barriers. Once a hacker manages to code an efficient piece of malware or to reveal a crucial vulnerability, we should not be surprised to find it soon spreading on forums associated with groups of totally different agenda and motive. This time we wish to focus on the exchange of capabilities between Russian cyber-criminals and Arab hackers and hacktivists.

We recently identified discussions on Arab hacker forums about tools developed by their colleagues around the world. For example, on Dev-Point, an Arab forum dealing with programming and penetration testing, one member published a thread about Dirt Jumper, a DDoS tool with a Russian interface. We followed the Arabic-language discussion of this tool further and found another message, on a hacking forum named v4-team, asking for download links to Dirt Jumper.

A thread in Arabic about Dirt Jumper

This malware was already known on the Russian underground in 2011, when it was sold for $600 on closed Russian forums. Later, its files were leaked on one of these forums, and today it can be downloaded free of charge. We can only guess at how it “travelled” from a closed Russian forum to an Arabic one, but it obviously took a while.

Post about Dirt Jumper on a Russian underground forum

This exchange of capabilities has also been witnessed in the opposite direction. The LostDoor RAT is popular malware found on Russian forums: download links for versions of the malware are periodically posted on several platforms, and its capabilities are discussed. A deeper investigation of this malware revealed its origins to be Tunisian, as it is presented on different platforms as the first Tunisian RAT.

LostDoor is a product of a company named Hackers®Insides Inc., and its developer is a Tunisian computer specialist nicknamed Unique Oussamio, who often posts links to new versions of his tool via Twitter, Facebook and a dedicated blog.

Oussamio apparently has ties to hacktivism, as he has uploaded pictures of himself wearing an Anonymous mask. This may indicate a trend in which malware developed by hacktivists spreads into the cyber-crime world.

LostDoor and its Tunisian developer

To conclude, in the hacker world it does not matter where the malware originates. Northern Africa or Eastern Europe, the only thing that matters is its efficiency. If it can cause enough damage, it will find a way to reach the “right hands” (and shortly afterwards your computer).


Hackers Use Cyber Security Bloggers for PR

Written by Tanya Koyfman

As in any illegal activity, those who break the law are much more familiar with those who try to enforce it than vice versa. The Russian underground is no exception, and members of the various forums know much more about security sources and researchers than the latter know about them. Links to a wide variety of sites and blogs dealing with cyber-security issues are frequently posted in forum discussions: sometimes to get advice or learn about a newly reported malware; sometimes to promote sales of a tool or a service; and sometimes just to vent frustration or make a joke.

Given that Russian hackers often have difficulty with English, we found the habit of citing English-language sources quite unexpected. References to Russian-language security sources appear as well, of course, but far less often than English ones.

Indisputably, the most famous “good guy” on Russian forums is Brian Krebs, a journalist who reports on the cyber-crime world. Links to his posts about different types of malware are very common on the forums, and catching his attention is regarded by malware vendors as a form of sales promotion. For example, in one forum discussion about the sale of malware called “PowerLoader“, one of the repliers advised the seller to leak the malware files to Brian Krebs, “and this will bring him a lot of clients, after Krebs writes a post about the powerful Russian hackers.” A less flattering use of Krebs’ name stems from the hackers’ concern about infiltration by foreign impostors seeking to obtain information or incriminate forum members. Thus, any post written in English rather than Russian tends to look suspicious, and its writer is contemptuously called “Krebsenish“.

The blog “Malware don’t need Coffee”, which deals mostly with malware that undoubtedly originates in the Russian underground (its author is embedded on some of the forums), is also well known to Russian forum members. The author goes by Kafeine, and links to his malware and vulnerability write-ups are frequently posted on the forums. The funny part is that sometimes a forum member, instead of describing details or uploading images, simply links to a post on this blog (which in turn quotes a Russian source in more detail).

One more Western celebrity among Russian hackers is the French blogger Xylitol, whose blog Xylibox is dedicated to technical malware analysis. It should be mentioned that the blog is treated with respect and seriousness by forum members, and is often cited in professional discussions and in malware sales threads.

As we can see, the Russian underground is interested in the opposite side at least as much as the opposite side is interested in it. The forum members follow security sites and blogs, try to stay updated with the latest news and trends, and refer to them in their illegal malware-sale business. Perhaps their lives become even easier when someone else does all the marketing for them?!

References to the Brian Krebs and Xylibox blogs on the Russian underground

Slang Used in the Russian Underground

Written by Tanya Koyfman

The language used by native Russian hackers to communicate over the Web is a unique mixture of modern Russian slang, technical English terms from the hacking world and abbreviations commonly used in Web discussions. In addition, non-Russian words are frequently affected by Russian grammar, thus creating new words decipherable only by native Russian speakers with a computer background.

Another noticeable characteristic of this language evolution is the prevalent use of profanity, employed to express a specific idea rather than just to swear at other forum members. Moreover, many Russian words are used in new, computer-related contexts with meanings totally different from their dictionary definitions. In our experience, these are the hardest to understand without a profound knowledge of the different hacking fields.

There are plenty of examples of words formed from an English stem with Russian grammatical endings: check, test, crypt, traffic, accounts, information, subject and hide become “chekanut” (чекануть), “testit” (тестить), “kryptanut” (криптануть), “traf” (траф), “aki” (акки), “infa” (инфа), “subj” (сабж) and “khaid” (хайд). These words have become such an integral part of forum communication that sometimes a Russian speaker has difficulty separating out the non-Russian part of the word.

Abbreviations from English Internet slang also make an appearance, usually with minimal changes: ТС (from the English “topic starter”), FUD (kept in its Latin-script form; on these forums it stands for “fully undetectable”, said of a crypted file that no antivirus flags) and ИМХО (from the English IMHO, “in my humble opinion”).

When words are adopted from other semantic fields, a lot of imagination is sometimes required to work out the new meaning. For instance, the word “zaliv” (залив) ordinarily means pouring or flooding, but on Russian forums it denotes a fraudulent transfer of stolen funds into an account, a cash-out step in financial fraud.

The following is a good example of the unique, rich language used on Russian forums: