The LinkedIn, Dropbox, and Formspring Hacker: Yevgeniy Nikulin

Yevgeniy Nikulin is a potent Russian hacker responsible for major breaches including Linkedin, Dropbox and Formspring, as well as less known funds theft from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to fight the one from the US. There are unconfirmed allegations that Nikulin may have some insights on the 2016 Presidential Elections related hacking. Nikulin is a high-skilled dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that it prompted the legal help that he is getting.

Tor-base Site Operates Illegal Sales Under AES 256-bit Encryption

Wapack Labs discovered a Tor-based website conducting illegal financial sector activities; ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure; largely in part to encrypting all data with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions; allowing safe Bitcoin (BTC) transactions between both parties.

Free Online Payment System Credentials: Contact Señor

Wapack Labs analysts exposed a threat to the financial sector, one who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials, for an online payment system. Analysts assess that it is likely that the actor is brute-forcing the accounts to obtain the passwords. A brute force attack is a trial and error method used by application programs to decode encrypted data such as passwords - highly effective if the account uses simple passwords. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America.

Nature is Bullet Proof: Dark Cloud

Wapack Labs is researching key components of the Dark Cloud network - including all associated malware to date.  “Dark Cloud” is an infrastructure that encompasses thousands of fast-flux proxy botnets in a ‘bullet proof’ hosting environment, renting thousands of botnets for use in criminal activity to underground users. Roughly 20% of the observed bots were actively leveraged by Dark Cloud. Sality file infector malware was by far the most commonly observed activity and represents a likely propagation mechanism for the botnet.

Keylogging Campaign Affecting Japanese Law Firms

Wapack Labs, Team Jaeger (TJ) analysts identified four Japanese law firms that were victimized by keylogging malware during research using the Cyber Threat Analysis Center (CTAC). All of the affected firms specialize in patent law. While the malware utilized by the threat actor is unsophisticated, their fraudulent activity is persistent, effective, and has the potential to negatively impact clients of the affected organizations.

Assessing the Multiple Personalities of an APT Actor

Wapack Labs assesses with medium confidence that an identified Advanced Persistent Threat (APT) "group" is actually a lone, nefarious actor using numerous personas. The "group's" forum was rumored to be operated by a foreign military unit and used as a place to re-sell data no longer needed to conduct operations. During the months of March and April 2017, Wapack Analysts observed the lone actor's activities across multiple underground forums and were able to tie said activities to aliases used by other group members.

Uptick in the Wild: CVE2017-0911

As early as January 2017, cyber threat actors began using a then zero-day MS Office remote code execution exploit for CVE-2017-0199 in targeted attacks. Large scale Dridex campaigns occurred shortly following the vulnerability disclosure in April. Like many other Office vulnerabilities, CVE-2017-0199 has been exploited by multiple actors including cyber criminals and nation-state actors alike. Recent activity indicates the continued exploitation of this vulnerability.

Shamoon2 Overwrites and Attacks Saudi Targets

Wapack Labs's research has uncovered Iranian actors using Shamoon2 against Saudi infrastructure and industry targets. Shamoon2 renders infected systems inoperable by overwriting the Master Boot Records (MBR). The actors responsible are using commercially available kernel drivers, which may indicate a lack of experience with Windows kernel development. Though, there is evidence indicating the malware was designed by reverse engineering malware attributed to a nation-state, suggesting that their skills are improving. Further attacks against Saudi-related targets using the Shamoon-family of malware are highly likely.

FTC Subpoena-Themed Reconnaissance Campaign

Wapack Lab's analysts, using the Cyber Threat Analysis Center (CTAC), discovered a reconnaissance campaign that we assess with moderate confidence was conducted in preparation for a more malicious campaign. The logs contained email addresses, filenames, and IP addresses. It is believed these logs are from a phishing campaign that leveraged “FTC subpoena” (Federal Trade Commission) lures to entice targets to click a link in the email.

APT's Code Used Against Global Government Financial Websites

The code, tactics, techniques, and procedures (TTP) used against government financial regulatory websites in Poland, Mexico, and Uruguay are all too similar to be coincidental. These attacks are almost certainly being carried out by a known APT Group. Security researchers in Poland are uncovering artifacts from a recent breach where attackers used that country’s financial regulatory organization’s website to spread malware. Indicators of Compromise (IOCs) that led to the discovery included abnormal network traffic and unknown encrypted executables resident on victim machines. This APT Group has targeted Asian based financial institutions and manufacturing companies since at least 2009; in addition to stealing $81M from global financial institutions. They were also attributed with cyber espionage campaigns. Technical details of the attack in Poland, and mitigations are provided herein.

Satan RaaS Becomes Attractive Plan-B

Satan Ransomware-as-a-Service (RaaS) is similar to previous RaaS platforms but employs far superior default obfuscation and evasion techniques. Most RaaS payloads are highly detectable and require the use of a “crypter,” while Satan provides XoR functions to encode and other means of delivering/proxying fully undetectable (FUD) payloads.

With Petya, Mischa, and Shark RaaS platforms no longer in underground operation, Satan is the most popular and free RaaS platform; making it very attractive to black hat hackers. Several members are utilizing Satan RaaS and reporting pending victim payments.

Sanctioned ANO PO KSI: Surveillance and Ballot Reading

The Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems (ANO PO KSI) was sanctioned by the U.S. in response to Russian interference in the 2016 U.S. Presidential election. The company works with the Russian Defense Ministry, FSB, and other government organizations. They produce election ballot and census form scanners, and aero-surveillance cameras.

Russian Cyber-Influence in the 2017 European Elections

Wapack Labs assess with high confidence that Russia is behind influence campaigns to support right-wing nationalist candidates in Dutch, French, and German national elections who are campaigning on anti-immigration platforms, reducing participation in the European Union (EU) and NATO. The nationalist parties likely have little chance of winning a majority (medium confidence) in parliamentary elections or the second round of the French presidency; however, gaining seats provides them the opportunity to influence policy in a coalition government.


We assess, with medium confidence, that Russian cyber actors will conduct espionage and media manipulation operations to influence the outcome of each country’s election, but will modify the previous Tactics, Techniques, and Procedures (TTPs) used against the U.S. in 2016. Russian threat actors will dedicate additional resources to improving operational security to avoid discovery or blowback, and will avoid mimicking the tactics used in Ukraine and Montenegro.

The Amateur from Algeria

On March, 1, 2017 Wapack Labs Researcher observed a hacker providing malicious tools on various Arabic, Russian, and English hack-forums. He was observed selling gift cards for Bitcoin (BTC), promoting phishing scams, and posting website defacements. The hacker has the necessary skills to create basic exploits. The fact that his malicious software is free, may speak to its quality - or people’s trust in a novice.

The Reemergence of a Threat Actor: Six More Weeks of DDoS

Wapack Labs research is observing the reemergence of a known threat actor. After a year-long hiatus, he is displaying habitual activity online. The threat actor is one of the leaders of an established Russian based hacking group who sells their DDoS-as-a-service. In the past, he advertised DDoS services in a number of English, Spanish, and Russian forums. Increased DDoS activity from this group is likely in the near future.

When dealing with high-end threat actors, it is usually safe to take them at their word. This allows us to assess, with medium to high confidence, that this group will resume offering DDoS services, and that this activity will likely result in an increase in DDoS attacks against a wide range of organizations worldwide. We have seen no indications that any Red Sky Alliance members are being targeted at this time, but any organization that has not already done so should verify their ability to mitigate the effects of a DDoS attack either with their own capabilities or those of a third party.

For Sale: W-2s and the GozNym Botnet

On February 17, 2017 Wapack Analysts observed a deep web market vendor advertising 2016 U.S. W-2’s with dates of birth (DOB) and U.S./EU bank accounts for sale. Additionally, the vendor is also selling the GozNym botnet. The vendor maintains good feedback in deep web markets. GozNym, though underground, received media attention in late September 2016 when CISCO’s Talos team cracked the Domain Generation Algorithm (DGA) of GozNym. This exposure may be the reason for the vendor's current public sale - utilizing dark web market escrow systems. Though the vendor sells on these sites, business is conducted over Jabber/E-Mail using PGP encryption.

A (Fruit) Fly on the Wall: Surveillance Malware

The Fruit Fly malware is designed to exploit web cams that are used for surveillance. There are both Windows and Mac versions. Attribution is currently unknown; however, Fruit Fly has been installed in numerous university research centers, which have long been of particular interest to Chinese state actors looking to obtain intellectual property in order to accelerate their own research and development efforts.

The Economical RAT: Luminosity.Link

The Luminosity.Link Remote Administration Tool (RAT) has been observed by a number of companies over the past year being spread through phishing emails. The Luminosity.Link RAT is sold openly online and contains numerous features that make it popular among cyber criminals. Luminosity.Link is designed using the .NET framework for use on Windows Operating systems.

The Key Findings of our analysis revealed:

  • Recent samples leverage the AutoIt scripting tool
  • Luminosity.Link uses the SundownEK (Exploit Kit) for delivery
  • Luminosity.Link samples contain encrypted configurations

Luminosity.Link is an economical RAT for cyber criminals. Coupling it with Exploit Kits targeting Windows systems further increases infection success rates. We assess with high confidence that the development and use of the Luminosity.Link RAT will continue.

New Carding Shop Owner

Wapack Labs reports that an underground forum member, who is a new carding shop owner/operator, has been selling debit and credit cards on hacker/carder forums - boasting a 90% validity rate. The actor created a thread for card dumps and has a large base of various credit cards for sale; some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States.