Security researchers from Kaspersky Lab’s Secure List described the accidental discovery of a “one-stop-shop” for hacking tools. The Kaspersky Lab team intercepted traffic from machines infected with the HawkEye RAT and “stumbled upon an interesting domain.” They found a command and control server that stored the keylog data exfiltrated by the HawkEye RAT. The server additionally sold hacking software, tools, and site-specific logins.
The researchers scanned the running services on the command and control server and found the “interesting” aspect. The server functioned as both a backend for storing the credentials stolen by the HawkEye RAT and a front-end for selling them. Later scans revealed that the site was new yet operational. The front-end already allowed individuals, presumably just buyers, to create accounts. After a user created an account, the server gave the account an interface to browse the available goods, as well as purchase them when ready.
Upon creation of a new account and a subsequent successful login, a forum-type interface appears. No sign of the harvested credentials—at least the behind-the-scenes part—made itself apparent to the buyer (or researcher). The server’s operators ended new-user registration as of this post, although the login screen still allows attempted account registration. The “one-stop-shop” frontend, though, showed just how recently the project manifested itself. The server’s administrators intended the “goods” and data to be securely stored on the server. But, “[the server] contained a crucial vulnerability which allowed researchers to download the stolen data,” Ido Naor wrote.
Additionally, the admin(s) added six new shell scripts in late November, one week prior to the Kaspersky Lab investigation into the HawkEye RAT.
The forum’s storefront, for lack of better terminology, offered insight into the scope of the operation. One set of scam pages, priced at $13 each, was listed as up to date for the sites in question. The Scam Page category listed several scam pages for popular sites, each appended with “2016.” The category contained scam page listings for Amazon, Apple, Netflix, Paypal, Barclays Bank, and Halifax Bank, among others. Naor wrote that the dates likely showed how “up-to-date the scam pages are in terms of the bank’s website updates.”
The admins set the forum up, for semi-standard reasons, to accept only digital or cryptocurrencies such as Perfect Money or Bitcoin. The admins, or listing owners, offered clear and precise instructions for what to do after purchasing. In a similar vein, they explained—very explicitly—what not to do before “creating a ticket.”
One rule, for instance, stated that buyers must not use insulting words in their complaint. Similarly, a word like “scam” would result in a permanent ban.
The researchers described HawkEye as a “robust keylogger,” given the capabilities the malware carries. It records keystrokes on a victim’s machine—in any application. It identifies login and password combinations, as well as the associated login event and landing page. The logs on the command and control server showed a massive diversity in the types of breached accounts. Possibly the most extreme of the compromised accounts belonged to the Pakistani government, the article explained.