Russia May Have Tried Maritime GPS Spoofing

In a 22 June 2017 report, twenty (20) ships near the Russian Black Sea coast reported their GPS position as inland, at Gelendzhik Airport. Similar GPS position malfunctions were noticed in automobiles driving near the Kremlin in Moscow, Russia. These GPS anomalies suggest that Russia is testing GPS spoofing as a capability, both on land and at sea, for use in the event of a military conflict.

Wapack Labs has cataloged and reported extensively on Russia and GPS spoofing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Compromised Brazilian Government Account Advertising Hacker Shops

Wapack Labs' “Operation 8-ball” identified a hacker forum being advertised through a compromised government email account located in Pará, Brazil. One of the advertised hacker shop domains was also tweeted by a novice Canadian carder. Originating IPs were located in Kosovo, and Kosovo is listed in the hacker forum's WHOIS data. The exact attribution for the Brazilian government compromise is absent.

Wapack Labs has cataloged and reported extensively on compromised accounts and hacker forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Indian Physical Security Company Compromise

On 15 July 2017, Wapack Labs identified, with high confidence, four compromised email accounts belonging to an Indian physical security company; the keylogged data included both usernames and passwords. These email accounts were used to harvest information from multiple internal systems and external portals. Both the sales and customer relationship management systems may have been compromised. Since many of the keylogger infections have spread through automation, there is potential for compromise within customer, partner, and supply chain relationships.

Wapack Labs has cataloged and reported extensively on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

DiamondFox in the Wild

DiamondFox is a credential-stealing, multi-purpose botnet that is available on the black market as MaaS (Malware as a Service). Also known as Gorynych, DiamondFox is still actively leveraged in the wild, with its recent version, Crystal, available in online marketplaces. This dangerous malware can steal information from PoS (Point of Sale) systems, with campaigns targeting multi-state healthcare providers, dental clinics, manufacturers, and technology companies. To get a picture of the current state of DiamondFox botnets, Wapack Labs has collected recent samples and extracted the command and control (C2) information from their configuration files. This report provides technical details on DiamondFox, the Russian botnet infrastructure, and the domains involved.

Wapack Labs has cataloged and reported extensively on malware and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Life After AlphaBay: TradeRoute

On 04 August 2017, Wapack Labs discovered TradeRoute, a Russian- and English-language Tor-based marketplace and forum on the dark net that focuses on the sale of illegal drugs. However, vendors also sell electronics, digital goods, forgeries, hacking services, lab equipment for narcotics, fashion counterfeits, and fraud services. With the recent takedowns of Hansa Market and AlphaBay by law enforcement (see past reporting by Wapack Labs), actors are migrating to TradeRoute quickly, making it a leading dark net marketplace.

Wapack Labs has cataloged and reported extensively on Tor marketplaces and forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

ShadowBrokers and the Scylla Hacking Store

The ShadowBrokers (SB) have recently started a new Tor-based market called Scylla Hacking Store. SB is selling several exploits stolen from APTs (US, Russian, and Chinese exploits), crimeware exploit kits, and other crimeware hacking tools: bots, hash cracking, and Microsoft Office exploits. Analysts believe, with medium confidence, that the recent Petya activity may be related to SB sales of all the payload source code for the FuzzBunch framework, which included EternalBlue.


Microsoft Office Hoax Phishing Site

On 27 July 2017, Wapack Labs, using our Cyber Threat Analysis Center (CTAC), discovered a phishing site disguised as a Microsoft Office sign-in page. The phishing site is designed to trick users into entering their Microsoft-related email addresses and passwords. When a user enters their credentials into the malicious site, they are then redirected to the real Microsoft sign-in page, so the theft is not obvious to the victim. The differences between the web pages can be seen in the attached report.

Financially Motivated APT-style Actors Target Retail & Hospitality

A financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. As early as April 2017, a new wave of the group's activity has been targeting the retail and hospitality sectors. The group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Early campaigns were known for targeting financial institutions and banks; in 2015, the group targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes the TTPs leveraged in the recent campaigns.

NotPetya: Ransomware Or Russian Wiper?

The creators of NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as “simple ransomware.” The developers have moved received bitcoins, sent payments to Pastebin- and DeepPaste-associated wallets, contacted the public, and apparently were able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and they likely left no remedy for most users to recover their encrypted data, despite showing them a ransom note. These observations, together with targeting and comparative TTP data for XData and the BlackEnergy3 KillDisk, lead Wapack analysts to assess that NotPetya likely belongs to a Russian APT. The Petya/NotPetya operation is likely another Russian APT disruption targeting Ukrainian IT infrastructure, and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya and NotPetya actors hold a master key that can decrypt user files in cases where the targeted disk was not destroyed and the system information is still available.

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian financial institutions (FIs) to deliver a credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and cryptocurrency wallets. This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples.

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (i.e., the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet it failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation has been badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools.

IBNS Malicious Infrastructure Targets Financial Institutions

In late May 2017, Wapack Labs identified a large, malicious email delivery infrastructure targeting multiple industries, including finance and transportation. Wapack Labs has dubbed this network “IBNS” for future tracking. The infrastructure consists of a single name server and over 17,000 typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. As a result, Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate its criminal activity. The known actors use services provided by resellers, which are popular among hackers. By using reseller services, the actors create a level of separation that obscures attribution. Indicators and tactics associated with the IBNS network are consistent with Tactics, Techniques, and Procedures (TTPs) attributed to a known hacking group. Their activity is characterized by fraud-related malware attacks leveraging open-source tools, with a suspected Nigerian nexus. This report provides details and trending on the IBNS network.

Russia is Considering Ethereum's Blockchain Technology

Russian president Vladimir Putin recently met with Ethereum cryptocurrency founder Vitalik Buterin. Russia has in the past effectively banned Bitcoin use by its companies and is now likely switching to a "use and control" approach toward emerging blockchain technologies. Bitcoin is the original blockchain-based cryptocurrency and has become very popular in black markets, including online drug sales and cybercrime. Ether (the Ethereum token) is one of the alternatives growing fast in general popularity. Beyond the currency function, Ethereum provides much more: it is an open-source, public, blockchain-based distributed computing platform that features smart contract (scripting) functionality, which facilitates online contractual agreements. This makes Ethereum technologies of interest to major financial institutions and IT companies. Blockchain technologies are not bad per se, and many Western financial institutions are attracted to their use, but Russia's history of protecting black-hat hackers and controlling some online black markets makes this development worrisome.

NK Lazarus Threat to the Financial Sector Remains High

Newly discovered Command & Control (C2) Internet Protocol (IP) addresses confirm the geolocation of the North Korean threat actors known as Lazarus Group, despite their deliberate attempts at misdirection. They are known for custom-tailoring and reusing code between malware families and campaigns. Since 2009, Lazarus Group has targeted Asia-based financial institutions, European and South American financial institutions, and media companies such as Sony Pictures. Recent financial and trading sanctions levied on North Korea will increase the likelihood of attacks on the financial sector, similar to the documented attacks that leveraged the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to compromise central banks.

Darknet Marketplace Exposes Financial Items on Global Scale

Wapack Labs analysts are researching a Tor-based darknet marketplace that sells stolen financial items, including credit cards and gift cards, and occasionally provides free dumps that expose individuals' Personally Identifiable Information (PII). New accounts are available every week, and the marketplace's administrators claim they are 100% verified; how-to manuals are provided with transactions. The marketplace operates on a global basis, with stolen products from the US, EU, Oceania, and Russia. Further research is being conducted to identify the source of the stolen credit cards.

Targeting Online Video Gaming Virtual Currency

Wapack Labs is researching a cybercriminal group that is targeting online gamers and the video gaming industry. The group commonly uses digital certificates stolen from online game developers to sign its malware, thereby decreasing the risk of anti-virus (AV) detection. Americans alone spend an estimated $25 billion a year on online video games. Many online games are MMORPGs (Massively Multiplayer Online Role-Playing Games), which run on virtual currency that is bought and sold with real money. Additionally, the group aims to steal source code from games under development in order to aid in virtual currency mining. We assess with high confidence that the cybercriminal group will continue to evolve and take advantage of the growing online gaming industry.

Cyber Espionage Targets Managed Service Providers (MSPs)

Wapack Labs analysts assess with high confidence that a growing cyber espionage campaign with a Chinese nexus has been targeting Managed Service Providers (MSPs) in order to compromise multiple organizations through a single provider. This campaign is responsible for intrusions in the United States, Europe, and Japan. Typical targets include construction, engineering, aerospace, telecom, and government institutions. The actors involved leverage a wide variety of tools and custom malware, allowing flexibility in the methods used for intrusion.

The LinkedIn, Dropbox, and Formspring Hacker: Yevgeniy Nikulin

Yevgeniy Nikulin is a potent Russian hacker responsible for major breaches including LinkedIn, Dropbox, and Formspring, as well as lesser-known thefts of funds from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to compete with the one from the US. There are unconfirmed allegations that Nikulin may have some insight into the hacking related to the 2016 US presidential election. Nikulin is a highly skilled, dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that they prompted the legal help he is receiving.

Tor-based Site Operates Illegal Sales Under AES 256-bit Encryption

Wapack Labs discovered a Tor-based website conducting illegal financial sector activities, ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure, largely because it encrypts all data with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions, allowing safe Bitcoin (BTC) transactions between both parties.

Free Online Payment System Credentials: Contact Señor

Wapack Labs analysts exposed a threat actor targeting the financial sector who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials for an online payment system. Analysts assess that the actor is likely brute-forcing the accounts to obtain the passwords. A brute-force attack is a trial-and-error method in which a program systematically tries candidate values to recover secrets such as passwords; it is highly effective when the account uses simple passwords. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America.