New Carding Shop Owner

Wapack Labs reports that an underground forum member, who is a new carding shop owner/operator, has been selling debit and credit cards on hacker/carder forums - boasting a 90% validity rate. The actor created a thread for card dumps and has a large base of various credit cards for sale; some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States.

Russian Keylogger Persevers: Intelligence Assessment

On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data that was associated with the threat actor indicated that the keylogging campaign has not yet become operational. Metadata contained within the keylogger output indicated the threat actor is located in Western Russia. A screenshot of the threat actor, installing a cracked copy of a popular keylogger program, indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown if the references are indicative of the threat actor’s motivations or intended to mislead/insult malware researchers.

WhatsApp - What’s up?

It has been demonstrated that a deliberate design decision for the WhatsApp messaging application created a vulnerable condition that could allow for entire conversations or calls to be intercepted. Exploitation of this condition would require a very highly skilled threat actor to access to WhatsApp servers in order to execute a man-in-the-middle attack.

Algerian Phishing Attempt

A Red Sky Alliance member is reporting a suspected phishing email to Wapack Labs.  Subsequent analysis reveals the campaign was initiated by an Algerian threat actor associated with a known hacking team.  This Algerian threat actor compromised a French auto dealership on 19 July 2016 and sent phishing emails to a social group in New England U.S.A from a compromised domain belonging to a pizza shop in South Carolina.  This information is offered as a caution; presented for your situational awareness.

  • Algerian threat actor associated with known hacking team.
  • Previously targeted French organizations for religious/national reasons.  Target set and motivations, for the attacks, may have evolved.
  • The hacking team's twitter went dormant on 17 Sep 2015 with the message “#Team_Closed Goodbye and Expect Us in 2016”.  On 19 December 2016 the group created a new Facebook page and appears active again.

Italian Hackers and Eye Pyramid Malware

Italian authorities have arrested a brother and sister hacking team in connection with the hacking of over 18,000 emails; to include Italian politicians, Vatican officials and the European Central Bank.  Giulio Occhionero and his sister Francesca Maria are alleged to have committed cyber-crimes which began in 2012.   G. Occhionero developed a proprietary keylogger malware named Eye Pyramid.  This information is being supplied for your situational awareness.

  • The Eye Pyramid malware operation began in 2012 via the Occhionero’s.
  • Eye Pyramid is keylogger malware which captured over 1,700 passwords.
  • This very basic malware demonstrates the ease of utilization, with high consequences. 

IP Range Blocked in Guyana

A Guyana telecommunication company, GTT, has been implicated in a large-scale spamming campaign and various cyber security related incidents.  This prompted the IP ranges of GTT to be blocked by several U.S. financial institutions and payment services.  This may cause financial challenges to citizens and business in Guyana, but once the cyber security matters are rectified the IP range could be released. This information is being supplied for your situational awareness.

  • Guyana is an English-speaking South American/Caribbean country located to the east of Venezuela.
  • Guyana Telephone and Telegraph, rebranded as GTT+ in late 2015, is controlled by Atlantic Tele-Network (ATN).  GTT+’s mobile unit Cellink competes with Digicel Guyana for market share and both operate the GSM/GPRS networks.
  • Digicel openly criticized GTT in 2016 for operating a government monopoly and hinted at corruption.  

Publications Help Identify PLA Units with Cyber Missions

Military reform efforts in China has led to Signals Intelligence (SIGINT) units being assigned cyber missions. Order of battle analysis indicates there are three Chinese military units involved in cyber operations against foreign networks.  All three are subordinated to the People’s Liberation Army (PLA) General Staff Third Department. Research into publications from officers in these units helps confirm earlier assessments as to which units have cyber missions.

Reorganization of China’s Military Cyber Forces

A significant reform of China’s People’s Liberation Army (PLA) instituted by President Xi Jinping on 31 December 2015, has resulted in a sweeping restructure of PLA command elements and combat forces. This restructure has impacted China’s military cyber forces that include identified cyber actors. The PLA General Staff Third Department, under which these military cyber actors were subordinated, was apparently disestablished. This report analyzes how China’s military cyber forces are currently structured, and where they are located in China’s military structure.
Information available from Chinese open sources, while still fragmentary, suggests that the following changes have taken place in Chinese cyber forces:

  • The former Third Department is now subordinated under an entirely new branch of service: the PLA Strategic Support Force (SSF).
  • The Third Department is now known as the SSF Network Systems Department. This was indicated by references to former Third Department elements that are now under this new entity.
  • The Third Department Eighth Bureau was one element identified as under the Network Systems Department. This suggests that cyber actors are also under the Network Systems Department.
  • The Third Department’s technical reconnaissance bureaus are probably also under the Network Systems Department.

Australian Malware Authors Release New Trojan

Wapack Labs assesses, with medium confidence, that Australian malware authors (medium confidence) have released a new banking Trojan.  This Trojan performs real time web-injections and redirection attacks on its victims.  It currently enjoys low and generic detection by intrusion prevention systems.  Analysts at IBM report to have followed the Trojan during its testing cycles3.  It now has moved out of the testing phase and is actively defrauding banks and consumers.  If it becomes as virulent (as did its' predecessors), it will likely spread to the US by the second quarter of 2017...

Olympic Vision aka Codelux

Wapack Labs assesses, with moderate confidence, that Olympic Vision products will continue to be sought after as a one-stop-shop for cyber criminals.  The remote access keylogger known as Olympic Vision (formerly Codelux) makes it an attractive option for budget minded hackers. Olympic Vision possesses a weakness that pertains to the internal licensing requiring the hacker to maintain payment on the keylogger’s subscription license.  Malware authors often use custom crypters like Olympic Crypter to prevent detection by Anti-Virus solutions. Olympic Vision's keyloggers and crypters are available for low rates in one place...

Google AdWords Phishing Campaign

Wapack Labs has discovered a new phishing campaign. While generally simplistic, it contains some elements of high sophistication. It is also fairly expensive to operate, which suggests it is a precursor to a more sophisticated and potentially harmful campaign. Wapack Labs conducted a brief tactical analysis and is providing this report for your situational awareness.

  • Search for “Facebook” in Google Chrome produced a link to a fake anti-virus malware. 
  • Facebook was notified of this activity.
  • A much more serious malware campaign targeting major social, retail, and online companies may be in the works...

Cybersecurity Christmas Wish List

It’s that time of year again, when we place our faith and trust in imaginary entities who always deliver exactly what is needed, under impossible circumstances, just in the nick of time. Why should wishes and dreams be limited to children’s toys? Don’t cyber security nerds and digital janitors deserve a little holiday magic too? As I close my eyes and think about what could be, I wish…

for more emphasis on blocking and tackling. Patch your systems in a timely manner. When reminded to upgrade a system, or update a software application, do it as soon as possible. Close unused ports. There are dozens of very unglamorous things you are not doing that would make getting pwned so much more difficult. I know people use the term “rock star” a lot in this field, but we’re all a lot more Howard than Mick.

for greater accountability at all levels. Bosses: walk the walk. Don’t say computer security is important and then force IT to make special exceptions for you. Your people do what you do more than they do what you say. Employees: Just because it’s a “cyber” policy doesn’t mean it should not be taken seriously. “Cyber” doesn’t mean “not real.” If anything it means the repercussions for not complying are likely to be disproportionate to whatever the meat-space analog would be.


Nigeria has long been a haven for highly talented and successful hackers, scammers, and their many spin off groups. Having developed this negative cyber reputation, Nigeria has in recent years enacted cyber laws to combat these groups and help protect their businesses and reputation. These laws were recently used for unfortunate political purposes, yet demonstrate a positive direction toward improved cyber security efforts.

  • Nigeria has a historical negative reputation for cyber hackers and scammers.
  • New cyber security legislation has been enacted to curb cybercrime.
  • Nigeria has recently arrested a popular blogger under the cyber laws, which was viewed as a political more than law enforcement measure.


E-Cigarettes Are Spreading Malware

Suspect Chinese e-cigarette manufacturers are hardcoding USB charging units with malware. If an infected e-cigarette USB charger is used to connect with a computer, malware can be downloaded. This information is being supplied for your situational awareness.

  • E-cigarettes were invented in 1963, but further developed in 2003.
  • E-cigarettes are charged via USB connected chargers or directly into computers.
  • USBs continue to be infected with malware through hardcoding within the manufacturing process.

Using a USB as a malware delivery system is not a new phenomenon, but illustrates how companies can be easily breached in a very innocuous way. If you have ever questioned the legitimacy of an $5.00 Ebay, made in China USB connected item, you should seriously think twice before purchasing and using it with your computer.

Was the US Presidential Election Hacked Like Montenegro’s?

Was the US presidential election hacked? There is speculation about this of late. New York Magazine reports computer scientists and election lawyers are urging a recount in Wisconsin, Michigan and Pennsylvania, key swing vote states. This wouldn’t be the first time an election was manipulated by state actors. Bloomberg’s March article cited alleged manipulation of Mexico’s presidential election of Enrique Peña Nieto. And now Wapack Labs has evidence that Russian actors manipulated the Montenegro elections in October.

Iranian Hacker Group may be Employing Remote Access Trojan against Select Targets

Wapack Labs analysts have discovered evidence that Ashiyane, one of the oldest hacker groups in Iran, may be using the Imminent Monitor remote access trojan (RAT) against a select group of targets in countries deemed hostile to the Iranian regime. Samples of the RAT have been discovered in Canada, Germany, India, Italy, Israel, Pakistan, and the US, and analysts believe it is is being used to deliver additional, destructive malware. 

A White Hat Tool, Designed to Invade Victims’ Computers Undetected, now in the Hands of Black Hats

Once again proving that no one who uses the internet is safe from hackers, a group of security engineers are developing a new remote access tool (RAT) that can externally control a computer without being caught by most anti-virus software. But Wapack Labs analysts have discovered that the sophisticated malware may have been released to sites frequented by bad guys, who may use its power for evil. 

Gaming Platforms serve up Easy Prey for Hackers, and Financial Institutions are Targeted Next

People who sit down to play video games with strangers in online gaming communities expect to be attacked – by zombies, terrorists, and enemy combatants – but most don’t realize that they are setting themselves up for real life attacks by hackers. Gaming platforms have also become proving grounds for attackers who are honing their skills before going for bigger payouts by targeting financial institutions.