Malicious Forums Turn Amateur Hackers Into Cybercriminals

Security researchers are aware of forums that offer downloads of malicious software such as keyloggers and remote access tools. Some inexperienced hackers visit these forums, decide to chase the money, and set out on a malicious agenda.

The following is a snippet from a popular hacking forum.

[Image blog_1702_od007: screenshot of a post on a hacking forum]

We recently received a submission with the filename 17_02_16~_HKL_Purchase_Order.ace. This file contained another file with a .scr (screen saver) extension. The extracted file was a keylogger/password stealer known as KeyBase.

KeyBase comes in a kit:

[Image blog_1702_od005: the KeyBase kit]

The KeyBase kit offers various configuration options. The password option lets the user steal saved passwords from various mail clients, browsers, and other popular applications. Kits like this make it very easy for anyone with little to no skill to create malicious programs.

We replicated the sample and navigated to the control server:

[Image blog_1702_od002: the KeyBase control server]

We noticed that it had a very specific welcome message, so we decided to do some searching.

We found the username shown on the control server had been registered on several malicious forums. Upon further investigation we found this actor had downloaded several malicious kits and probably got the builder for KeyBase from one of these sites. The activity on some sites dated to 2013.

[Image blog_1702_od008: the actor's accounts on malicious forums]

We next tried to find out if this actor was involved in any past malicious activities. We looked at how the actor tried to spread the malware and whether the filename of the .ace file was unique. We found only one other instance of a similar filename.

[Image blog_1702_od010: the other instance of a similar filename]

The file we found dated back to January. Upon analyzing the file, we found it to be the keylogger HawkEye. This keylogger is very easy to find on these malicious sites.

Here is a screenshot of Version 3 of the malicious builder:

[Image blog_1702_od009: HawkEye builder, Version 3]

We dived deeper and found the email address associated with the hacking forum accounts. We found five domains that were registered using this email address:

[Image blog_1702_od011: the five domains registered with the actor's email address]

As we wrote this post, all of these domains were down. However, it is more than likely that these domains were or will be used for malicious purposes.

We found a username associated with the email address on the popular file-sharing website 4shared.

[Image blog_1702_od014: the actor's 4shared account]

This user had uploaded 12 files, including a text file with nearly a half-million email addresses. This would have no doubt been used as part of a spam campaign to spread the malware.

[Image blog_1702_od012: files uploaded to the 4shared account]

With all the information that we have collected, we can see that malicious forums make it easy for someone with little skill to create malware. An experienced actor would work in a much more covert way. However, both types can be dangerous.

Intel Security detects this keylogger threat as Trojan-FHWM since DAT Version 8079.
