Satan RaaS Becomes Attractive Plan-B

Satan Ransomware-as-a-Service (RaaS) is similar to previous RaaS platforms but employs far superior default obfuscation and evasion techniques. Most RaaS payloads are highly detectable and require the use of a “crypter,” while Satan provides XoR functions to encode and other means of delivering/proxying fully undetectable (FUD) payloads.

With Petya, Mischa, and Shark RaaS platforms no longer in underground operation, Satan is the most popular and free RaaS platform; making it very attractive to black hat hackers. Several members are utilizing Satan RaaS and reporting pending victim payments.

Sanctioned ANO PO KSI: Surveillance and Ballot Reading

The Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems (ANO PO KSI) was sanctioned by the U.S. in response to Russian interference in the 2016 U.S. Presidential election. The company works with the Russian Defense Ministry, FSB, and other government organizations. They produce election ballot and census form scanners, and aero-surveillance cameras.

Russian Cyber-Influence in the 2017 European Elections

Wapack Labs assess with high confidence that Russia is behind influence campaigns to support right-wing nationalist candidates in Dutch, French, and German national elections who are campaigning on anti-immigration platforms, reducing participation in the European Union (EU) and NATO. The nationalist parties likely have little chance of winning a majority (medium confidence) in parliamentary elections or the second round of the French presidency; however, gaining seats provides them the opportunity to influence policy in a coalition government.


We assess, with medium confidence, that Russian cyber actors will conduct espionage and media manipulation operations to influence the outcome of each country’s election, but will modify the previous Tactics, Techniques, and Procedures (TTPs) used against the U.S. in 2016. Russian threat actors will dedicate additional resources to improving operational security to avoid discovery or blowback, and will avoid mimicking the tactics used in Ukraine and Montenegro.

The Amateur from Algeria

On March, 1, 2017 Wapack Labs Researcher observed a hacker providing malicious tools on various Arabic, Russian, and English hack-forums. He was observed selling gift cards for Bitcoin (BTC), promoting phishing scams, and posting website defacements. The hacker has the necessary skills to create basic exploits. The fact that his malicious software is free, may speak to its quality - or people’s trust in a novice.

The Reemergence of a Threat Actor: Six More Weeks of DDoS

Wapack Labs research is observing the reemergence of a known threat actor. After a year-long hiatus, he is displaying habitual activity online. The threat actor is one of the leaders of an established Russian based hacking group who sells their DDoS-as-a-service. In the past, he advertised DDoS services in a number of English, Spanish, and Russian forums. Increased DDoS activity from this group is likely in the near future.

When dealing with high-end threat actors, it is usually safe to take them at their word. This allows us to assess, with medium to high confidence, that this group will resume offering DDoS services, and that this activity will likely result in an increase in DDoS attacks against a wide range of organizations worldwide. We have seen no indications that any Red Sky Alliance members are being targeted at this time, but any organization that has not already done so should verify their ability to mitigate the effects of a DDoS attack either with their own capabilities or those of a third party.

For Sale: W-2s and the GozNym Botnet

On February 17, 2017 Wapack Analysts observed a deep web market vendor advertising 2016 U.S. W-2’s with dates of birth (DOB) and U.S./EU bank accounts for sale. Additionally, the vendor is also selling the GozNym botnet. The vendor maintains good feedback in deep web markets. GozNym, though underground, received media attention in late September 2016 when CISCO’s Talos team cracked the Domain Generation Algorithm (DGA) of GozNym. This exposure may be the reason for the vendor's current public sale - utilizing dark web market escrow systems. Though the vendor sells on these sites, business is conducted over Jabber/E-Mail using PGP encryption.

A (Fruit) Fly on the Wall: Surveillance Malware

The Fruit Fly malware is designed to exploit web cams that are used for surveillance. There are both Windows and Mac versions. Attribution is currently unknown; however, Fruit Fly has been installed in numerous university research centers, which have long been of particular interest to Chinese state actors looking to obtain intellectual property in order to accelerate their own research and development efforts.

The Economical RAT: Luminosity.Link

The Luminosity.Link Remote Administration Tool (RAT) has been observed by a number of companies over the past year being spread through phishing emails. The Luminosity.Link RAT is sold openly online and contains numerous features that make it popular among cyber criminals. Luminosity.Link is designed using the .NET framework for use on Windows Operating systems.

The Key Findings of our analysis revealed:

  • Recent samples leverage the AutoIt scripting tool
  • Luminosity.Link uses the SundownEK (Exploit Kit) for delivery
  • Luminosity.Link samples contain encrypted configurations

Luminosity.Link is an economical RAT for cyber criminals. Coupling it with Exploit Kits targeting Windows systems further increases infection success rates. We assess with high confidence that the development and use of the Luminosity.Link RAT will continue.

New Carding Shop Owner

Wapack Labs reports that an underground forum member, who is a new carding shop owner/operator, has been selling debit and credit cards on hacker/carder forums - boasting a 90% validity rate. The actor created a thread for card dumps and has a large base of various credit cards for sale; some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States.

Russian Keylogger Persevers: Intelligence Assessment

On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data that was associated with the threat actor indicated that the keylogging campaign has not yet become operational. Metadata contained within the keylogger output indicated the threat actor is located in Western Russia. A screenshot of the threat actor, installing a cracked copy of a popular keylogger program, indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown if the references are indicative of the threat actor’s motivations or intended to mislead/insult malware researchers.

WhatsApp - What’s up?

It has been demonstrated that a deliberate design decision for the WhatsApp messaging application created a vulnerable condition that could allow for entire conversations or calls to be intercepted. Exploitation of this condition would require a very highly skilled threat actor to access to WhatsApp servers in order to execute a man-in-the-middle attack.

Algerian Phishing Attempt

A Red Sky Alliance member is reporting a suspected phishing email to Wapack Labs.  Subsequent analysis reveals the campaign was initiated by an Algerian threat actor associated with a known hacking team.  This Algerian threat actor compromised a French auto dealership on 19 July 2016 and sent phishing emails to a social group in New England U.S.A from a compromised domain belonging to a pizza shop in South Carolina.  This information is offered as a caution; presented for your situational awareness.

  • Algerian threat actor associated with known hacking team.
  • Previously targeted French organizations for religious/national reasons.  Target set and motivations, for the attacks, may have evolved.
  • The hacking team's twitter went dormant on 17 Sep 2015 with the message “#Team_Closed Goodbye and Expect Us in 2016”.  On 19 December 2016 the group created a new Facebook page and appears active again.

Italian Hackers and Eye Pyramid Malware

Italian authorities have arrested a brother and sister hacking team in connection with the hacking of over 18,000 emails; to include Italian politicians, Vatican officials and the European Central Bank.  Giulio Occhionero and his sister Francesca Maria are alleged to have committed cyber-crimes which began in 2012.   G. Occhionero developed a proprietary keylogger malware named Eye Pyramid.  This information is being supplied for your situational awareness.

  • The Eye Pyramid malware operation began in 2012 via the Occhionero’s.
  • Eye Pyramid is keylogger malware which captured over 1,700 passwords.
  • This very basic malware demonstrates the ease of utilization, with high consequences. 

IP Range Blocked in Guyana

A Guyana telecommunication company, GTT, has been implicated in a large-scale spamming campaign and various cyber security related incidents.  This prompted the IP ranges of GTT to be blocked by several U.S. financial institutions and payment services.  This may cause financial challenges to citizens and business in Guyana, but once the cyber security matters are rectified the IP range could be released. This information is being supplied for your situational awareness.

  • Guyana is an English-speaking South American/Caribbean country located to the east of Venezuela.
  • Guyana Telephone and Telegraph, rebranded as GTT+ in late 2015, is controlled by Atlantic Tele-Network (ATN).  GTT+’s mobile unit Cellink competes with Digicel Guyana for market share and both operate the GSM/GPRS networks.
  • Digicel openly criticized GTT in 2016 for operating a government monopoly and hinted at corruption.  

Publications Help Identify PLA Units with Cyber Missions

Military reform efforts in China has led to Signals Intelligence (SIGINT) units being assigned cyber missions. Order of battle analysis indicates there are three Chinese military units involved in cyber operations against foreign networks.  All three are subordinated to the People’s Liberation Army (PLA) General Staff Third Department. Research into publications from officers in these units helps confirm earlier assessments as to which units have cyber missions.

Reorganization of China’s Military Cyber Forces

A significant reform of China’s People’s Liberation Army (PLA) instituted by President Xi Jinping on 31 December 2015, has resulted in a sweeping restructure of PLA command elements and combat forces. This restructure has impacted China’s military cyber forces that include identified cyber actors. The PLA General Staff Third Department, under which these military cyber actors were subordinated, was apparently disestablished. This report analyzes how China’s military cyber forces are currently structured, and where they are located in China’s military structure.
Information available from Chinese open sources, while still fragmentary, suggests that the following changes have taken place in Chinese cyber forces:

  • The former Third Department is now subordinated under an entirely new branch of service: the PLA Strategic Support Force (SSF).
  • The Third Department is now known as the SSF Network Systems Department. This was indicated by references to former Third Department elements that are now under this new entity.
  • The Third Department Eighth Bureau was one element identified as under the Network Systems Department. This suggests that cyber actors are also under the Network Systems Department.
  • The Third Department’s technical reconnaissance bureaus are probably also under the Network Systems Department.

Australian Malware Authors Release New Trojan

Wapack Labs assesses, with medium confidence, that Australian malware authors (medium confidence) have released a new banking Trojan.  This Trojan performs real time web-injections and redirection attacks on its victims.  It currently enjoys low and generic detection by intrusion prevention systems.  Analysts at IBM report to have followed the Trojan during its testing cycles3.  It now has moved out of the testing phase and is actively defrauding banks and consumers.  If it becomes as virulent (as did its' predecessors), it will likely spread to the US by the second quarter of 2017...