Kaspersky discovered a One-stop-shop for hacking goods

Security experts from Kaspersky Lab discovered an interesting one-stop-shop for purchasing hacking goods while investigating activity of a popular RAT.

Security experts from Kaspersky Lab discovered an interesting one-stop-shop for purchasing hacking goods. The malware researchers were analyzing traffic from a number of infected machines that appear to be generated by the HawkEye RAT.

HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.

The domain was used as a C&C server of the HawkEye RAT and at the same time was also being used as a one-stop-shop for purchasing hacking goods.

Kaspersky discovered a group of WhiteHat hackers who call themselves Group Demóstenes who scans the Internet and looking to exfiltrate stolen data from Command and Control servers.

When the hackers find a server containing the stolen data they look for a backdoor that would give them access to the filesystem. In this way they monitor incoming stolen data, then they would collect the stolen credentials and send emails to the victims’ accounts, both manually or automatically.

The email send to the victims includes an attachment with proof that their machine has been hacked and the suggestion to change passwords and offer to help.

Back to the one-stop-shop discovered by Kaspersky, the experts discovered it is composed of a back-end for storing stolen credentials and a front-end for selling some of them, alongside many other hacking “goods”.

“To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.” states the analysis published by Kaspersky.

The shop allows users to register an account in order to make purchases. Kaspersky discovered the C&C was affected by a crucial vulnerability which allowed researchers to download the stolen data.

 

Among the items offered for sale, there are scam pages specifically designed to target Amazon, Apple, Netflix and even National Bank of Australia and Barclays.

The shop also includes information regarding the support to receive while using scam services.

The researchers discovered stolen credentials for sensitive applications across multiple industries, including government, healthcare, banking and payment web applications.

“Among them is the following web server which belongs to the Pakistani government.” states the report. “As mentioned, hundreds of machines were found to be compromised by just one C2.” 

Researchers from Kaspersky obtained the attackers’ credentials from one very small file that was discovered on the server.

The analysis of affected users revealed they are mostly located in APAC (i.e. Japan, Thailand, and India) and Eastern Europe (i.e. Russia and Ukraine).

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – one-stop-shop, hacking)