Topics

Spy vs Spy: strange story of cybercrime underworld

September 6th, 2016
In the cyber-world, not only are everyday users at risk of having their personal details stolen, but so too are new cybercriminals as was evident on the underground site leakforums, writes PAUL DUCKLIN, Senior Security Advisor, Sophos.
20141222164239-franchisees-cybercriminals-radar

Not all malware is ransomware, even though ransomware hogs the spotlight these days.

Keyloggers are still popular in the cybe runderworld, because they help crooks to steal  passwords. Armed with  email passwords, for example, crooks can pull off much more audacious crimes than ransomware, such as business email attacks, also known a CEO fraud or wire-wire scams (that’s where a crook logs in with a stolen password to send an email that doesn’t just look as though it came from your CEO’s account, it really did come from her account.)

The fraudulent email in a wire-wire scam won’t be a demand for $300 in bitcoins, which is a typical price-point in ransomware, but an official-sounding corporate instruction to put through a massive funds transfer. The amount may be $100,000 or even more, and the email will typically claim that that the funds are part of time-critical business venture such as an acquisition, to justify both the large sum and the urgency.

In other words, there’s still big money in Keyloggers, and one of the most popular keyloggers these days is KeyBase, a product that was originally sold as a legitimate application before being abandoned in apparent disgust by its author.But KeyBase lives on, with cyber crooks giving it a new home all over the cybercriminal underground.

Dishonour among thieves

Sometimes crooks turn on their own kind, as happened in this story. A user on the popular underground site leakforums, going by the name pahan12, popped up offering a PHP Remote Access Trojan called SLICK RAT.But newbie crooks who ran the installer didn’t get what they paid for. Instead, they ended up infected with the KeyBase data stealer instead, and their stolen passwords were sent off to a data-collection website. (The “Pahan” connection continued here, because the URL contained the text pahan123.)

My guess is that Pahan was after his victims’ logins for leakforums and other hacker sites, in order to build up his rank in the underground, and  went after users on other crime forums, too.,

(Interestingly, Pahan has a history of this sort of double-cross, promoting one cybercrime tool but infecting it with another. In  November 2015, Pahan was offering a malware scrambling tool called Aegis Crypter).

Cryptors take an existing malware program as input, and churn out a modified, scrambled, compressed and obfuscated program file as output, in the hope that this will bypass basic virus-blocking tools. But Pahan’s version of Aegis included its own “secret sauce”: a zombie Trojan called Troj/RxBot than hooks up infected computers to an IRC server from which remote command-and-control instructions can be sent to the network of zombies. The IRC channels on the server that were used by Pahan’s zombie were pahan12 and pahan123.

And in March 2016, a user going by pahann was promoting a version of the KeyBase toolkit, which can be used to generate keylogger files to order.

This KeyBase malware generation toolkit was itself infected, in a weird sort of “malware triangle”.

By this time, things were getting quite complicated for Pahan, who had samples of SLICK RAT for sale that were infected with KeyBase; of Aegis Crypter infected with Troj/RxBot; and of KeyBase infected with COM Surrogate, which delivered Troj/RxBot and Cyborg.

What next?

Things didn’t go so well for the duplicitous Pahan, a.k.a. Pahan12, a.k.a. Pahan123, a.k.a. Pahann, after that… Just last week, when our team of experts  were looking around to see what Pahan had been up to recently, we found a number of  intriguing data and postings relating to him. Amusingly, (if cyber criminality can ever be truly funny), it seems as if Pahan/12/123/n has managed to infect himself with one or more of the malware samples he’s been juggling recently.

So, if you’ve ever wondered what a cybercrook keeps up his sleeve, this might give you some ideas: we can see a ransomware sample, various pre-prepared malware binaries, scanners, a sniffer, remote access tools and more. Maybe his next step will be to scramble his own files with the ransomware we can see stashed there in his Google Drive account?

So, if you had to write the story “What Pahan did next?”…

…what would you say? (And if you could choose, what would you wish for?)

(This article first appeared on Sophos Naked Security, August 16, 2016: https://nakedsecurity.sophos.com/2016/08/16/you-dirty-rat-spy-versus-spy-in-the-cybercrime-underworld/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=a54b497abf-naked%252Bsecurity&utm_medium=email&utm_term=0_31623bb782-a54b497abf-455162573 )

Leave a Reply

Your email address will not be published. Required fields are marked *


− 2 = 4