How Malware Works and How Much Hackers Earn 
Hello! My name is Dean Chester and I research security issues on the Internet. For this article, I contacted someone who until recently worked on the "dark side." He described how hackers infiltrate victims' computers and smartphones and how they earn hundreds of millions of dollars.
In the past three to five years, the activities of hackers and attackers using malicious software have changed dramatically. The main methods of infection have changed, the professionalism of the performers has increased, and private companies, government agencies, hospitals, and even airplanes have come under attack.
But for many, malware is still associated with viruses which only "slow down" the computer. It is enough to clean it and you can work on it. Perhaps this was the case 5-10 years ago, but today a real problem has arisen, the scale of which goes beyond all conceivable boundaries.
We are talking about at least several billion dollars’ worth of damage in 2020.
My contact, who calls himself Irbis, worked on the “dark side” for more than 10 years, after which he was arrested by the special services, and forced to cooperate with them, after which he changed his place of residence, but retained the experience and connections with his colleagues. I managed to find out from him details of the most dangerous malware today. I also expanded my knowledge of the activities of organized criminal groups on the Internet and learned hacker life hacks for finding malware and protecting against it.
Most dangerous malware in 2021.
How computers are hacked in the words of a hacker.
How it is created and how much software costs on which hackers earn hundreds of millions a year.
With these topics, I open a new series of articles dedicated to security and privacy on the Internet. All the above facts are written based on the words of my insider Irbis or supported by facts available in open sources.
Read on and you will find out what Cobalt Strike, Felix83000 / Watcher, reg_hunter, Anubis, AzorULT are, who maza_in is, and why Chameleon is indispensable for corporate networks.
?Table of contents:
3 malware actively used by hackers.
Today, there are several dozen actively used programs and systems for hacking, data collection, encryption, and data destruction. I have chosen the most interesting in my opinion, which affect different components of a system.
Using this malware as an example, I will tell you about the technologies used in 2021 for smartphones, computers, and networks of companies and financial institutions.
I won’t pay much attention to the already known information that can be found in open sources, but I will focus on the information I received from Irbis.
Since the end of 2017, Anubis has become one of the most massive banking malware for Android. It is interesting because it is a modular platform that combines many functions:
- Penetration into Android
- Pinning with elevated privileges
- Strong protection against detection
- Remote access to all device functions
- Collecting saved billing information
- Interception and change of payment details (Web-Inject)
- Calls to paid services
- Downloading and installing other malware
Anubis is considered to be one of the “coolest” developments available to attackers using third-party products.
The platform has two versions. The first was created by a man with the nickname maza-in. Until his arrest in 2018, Anubis was selling for $7,000. Today, the latest version starts at $1,000 and the 2018 sources can be downloaded for free.
For unknown reasons, after the arrest of its creator, the sources of this malware were made public. They were taken as the basis for the creation of Anubis II - even stronger and more dangerous banking malware.
It was taught to hide from research. For example, Anubis II cannot be run in a virtual machine that mimics a real Android device. This is achieved by a long delay before starting and protection by “steps”. Malware reads the device's accelerometer and is activated only after 300 or more real steps taken by its owner.
Also interesting is the fact that Anubis can call paid services. By itself. While you sleep. Cybercriminals register a paid number, in England, for example, and issue a command through a botnet to hundreds and thousands of infected smartphones to call these numbers at night. Anubis pre-reads the time on the device to reduce the chance of detection at night.
This is how the Anubis 2.5 control panel looks like:
As you can see, the platform has convenient functionality for mass and individual management of infected devices. It also displays all information from battery level and time to phonebook numbers and text messages.
Irbis also provided me with material confirming the relevance of Anubis. The screenshot shows the log of the infected device for January 2021.
The most dangerous ability of Anubis is Web Inject. Let me give you an example. You send money to your relative’s card. Click “Submit,” and you will receive a response about a successful transaction. But your relative gets nothing. The money goes to other details that Anubis has framed on the fly.
Like most malware, Anubis can only get onto an Android device when the .apk file is installed. In most cases, this happens to those users who ignore the security warning about the dangers of installing apps from unknown sources.
Even though computers are gradually giving way to smartphones, malware for PCs isn’t becoming less dangerous. This is because smartphones are unlikely to replace laptops and desktops in the workplace, especially in large companies and government agencies.
They are the main target of one of the strongest banking malware for PC - Cobalt Strike.
As with Anubis, Cobalt Strike is a modular platform that allows attackers to do more on the victim's computer than they could do on their own:
- Creation of a botnet.
- Penetration and work in RAM.
- Invisible anchoring in system processes.
- Gaining full access to the system.
- Gaining access to the local network.
- Activation of a keylogger, stealer, and other spy modules.
- Gaining control over transactions.
- Obtaining direct control over ATMs through the banking network.
- Support for HTTP / HTTPS and SMB protocols for penetrating other computers connected to the infected.
- Pinning to any other computer on the local network.
- Loading other malware (including ransomware).
Cobalt Strike stands out because it is a completely legal platform supported by programmers who have no relationship to hackers.
It was originally developed by the Cobalt hacker group (Carbanak, Anunak). In 2018, the alleged head of the group was detained in Spain, and the further development of the project went over to the "white" side.
Some technologies are still borrowed from "hacker" developments, but in general, the software is created primarily to search for vulnerabilities in banking and other networks related to finance.
But this doesn’t prevent cybercriminals from actively using it. It is believed that more than $1,000,000,000 was stolen with the help of this program until 2018. Today it is also actively used to attack financial institutions and private companies. BleepingComputer published an article on December 28, 2020, that new malware has learned to download Cobalt Strike through the Imgur service.
Cobalt Strike is paid. Since 2018, it has always cost about the same - about $3,000- $3,500 with a subsequent subscription of $2,000 + per year. From January 1, 2021, the price for it is $3,619 + VAT, further subscription is $2,585 per year.
Cobalt Strike is marketed as a system for finding weak points in corporate networks. You can buy it at cobaltstrike.com.
Interesting facts about Cobalt Strike.
The Cobalt Strike code never “touches” the target computer's hard drive. It runs exclusively in memory, infiltrating safe system processes. For it to work after restarting the computer, only a special downloader is saved to the disk, which each time downloads and launches malware from a special server controlled by the attackers.
Cobalt Strike can mask its traffic as Windows system processes, which makes it invisible to the usual means of protecting corporate networks based on the search for "abnormal" traffic.
To find Cobalt Strike, you need to use a specialized tool that monitors anomalous registrations in the Windows registry. Read more in the section "How to protect yourself from hackers".
Cobalt Strike is loved by hackers and other attackers for the best turnkey toolkit available legally. A botnet launched on its basis brings its owners the maximum benefit due to the ability to infect dozens and even hundreds of computers, gaining access to only one element of the local network.
The screenshot shows a panel of a real Cobalt Strike that controls a remote computer. Directly from the app, you can connect to the desktop via VNC at any time, manage files, view network activity, scan ports, get a list of active processes and manage them, take a screenshot, and, what I consider to be the distinguishing feature of this malware, use the “the Browser Pivot” attack. With this function, you can intercept authenticated user sessions.
An example of using Cobalt Strike.
A certain user, Mister X, trades cryptocurrency on an exchange. He has a complex password that he only stores in his head, two-factor authentication is enabled, and a smartphone with an authentication program is stored in a safe. Mr. X logged into the exchange on a computer infected with Cobalt Strike. Thus, it has locally generated temporary authentication data in the browser cache, which can be valid for hours, days, or even months. Malware accesses this data and transmits it to the C&C server. The operator using the victim's computer as a proxy server (to use his IP address) and using the received data, bypassing passwords and two-factor authentication, simply enters the account of the crypto-exchange and gains full control over all the coins. It is done.
AzorULT and Hidden VNC
One of the best stealers for infecting single computers or creating a botnet. Allows an attacker to remotely obtain a large list of features:
- Full access to the system, including running remote desktop control via RDP.
- Stealer of passwords from over 30 web browsers.
- Stealer of crypto wallets.
- Stealer of cookies for Telegram and Skype access.
- Built-in loader.
More detailed information about the Trojan's capabilities is available on one of the websites where AZORult is sold.
Malware AzorULT was developed by Russian hackers back in 2016. After that, the product was rebuilt twice and is available today for about $100.
The Trojan is primarily used to search for and steal crypto wallets and passwords to websites. In parallel, it allows you to get full privileged access to Windows and work through a remote desktop.
Recently, the malware has a new module for remote connections via a hidden VNC (Read about Virtual Network Computing on the Wiki). Moreover, the module costs more than the stealer itself. In October, during the promotional discount on AZORult, the main malware cost $80, and the virtual desktop module $400.
Interesting facts about AzorULT.
The first version of the malware was written in Delphi and had no built-in restrictions on regions of use. Subsequently, the stub was rewritten in C++ and received more features. But at the same time, the analysis of the victim's region was built into the code. If it was one of the Russian-speaking countries, then the bot wasn’t activated.
AzorULT's “death” was announced at least twice. This was primarily due to the global updates of Google Chrome, which introduced new protections against theft of cookies and other user information. But malware changed its architecture, adapted, and re-entered the market.
AzorULT was at one time distributed via a fake installer of ProtonVPN for Windows. This was first reported by Dmitry Bestuzhev on the Kaspersky website.
My contact shared with me the logs collected by AzorULT (now they are in the public domain). I provide screenshots of one of the hundreds of zip files of such leaked information. Even a non-specialist can see that a lot of personal information is being merged.
Here are just some examples of AzorULT logs.
All information is divided into files and folders. This makes it possible to automate their analysis on an industrial scale.
Part of the content of the PasswordsList.txt file:
All URLs and logins and passwords saved by the browser in clear text!
Part of the Google Chrome history log:
All addresses visited by the victim are visible. An attacker can see all the interests and secrets of a user on an infected computer and build a strategy for his actions based on this.
AzorULT is used for hundreds and thousands of computers at once. The amount of information that it gets is simply amazing.
What drives hackers in 2021? 6 main targets of the attack.
- Tracking user actions
- Extraction of logins and passwords
- Web Inject
- Theft of cryptocurrency
- Gaining access to trade secrets
In the previous chapter, I gave an example of tools that allow you to operate a smartphone, computer, and devices connected to them over a local network. But the penetration of a hacker isn’t destructive in itself and can go unnoticed for weeks or even months.
Perhaps some of you remember the first massive virus infections in the early 90s, when, for no reason at all, an unexpected picture could appear on the screen or the hard drive formatted. At the time, the malware was more likely to interfere with the operation of computers than to cause any significant harm.
Everything changed when, in 1994, the system of electronic payments via the Internet was launched in the United States, and then in 1996, computer banking appeared. By 2001, Bank of America's online banking operations had reached 20%.
Money appeared on the Internet.
This determined the main goal of the cybercriminals, who at that time knew the field of developing viruses and spyware. This goal has remained dominant to this day.
But we won’t talk about the obvious global driving force of hackers, but about the intermediate goals of infection, with the help of which they achieve their main goal - enrichment.
1. Tracking user actions
The collection of information is carried out using spyware (or malware platform modules) that monitor all user actions and transmit them to the hacker.
The most common types of spyware are:
VNC Hide, Rat VNC, Cobalt Strike are now actively used. Moreover, Cobalt Strike can even bypass SEIM, designed specifically to search for anomalous activity in corporate networks.
- Keyloggers. Software that reads user actions on the keyboard, mouse, or touch screen.
- Screen scanners (VNC). Monitoring user actions based on the principle of remote desktop operation.
2. Extraction of logins and passwords
While the hacker is watching the victim, nothing prevents him from running another type of software that collects information – a stealer. This beast pulls all useful information from the browser. These are logins, passwords, certificates, and cookies containing time stamps, which you can log with into the accounts of the sites in which the victim is logged in.
I gave an example of one of the common stealers in the section “AzorULT and Hidden VNC”.
3. Interception of transactions (Web-Inject)
The most aggressive way of making money on the fly. The victim makes a payment and transfers to the card through the website's web page or an insufficiently protected app and malware changes the input form and the details of the recipient of the money. Also, a “correct” answer may be generated, thanks to which the sender may not know for a long time that the money went to the wrong place.
There are several public types of web injections, which are used en masse, and more complex ones, applied by top-level specialists point-by-point.
The most sensational banking Trojans to date are:
- Dridex (Read more at us-cert.cisa.gov)
- ZeuS (Later Gameover_ZeuS)
Dridex (Bugat, Cridex) – perhaps the most dangerous banking Trojan to date. This is indirectly confirmed by the record amount of remuneration for the issuance of its creator, a Russian citizen, of $5,000,000 in 2019. Before that, the largest award was for the issuance of the creator of ZeuS - $3,000,000.
Zeus – a real legend of banking Trojans. It was with it that massive infections and theft of payment data began in 2007. Many other similar Trojans for PC are built on its basis.
Anubis is specially designed for Android devices. I talked about it above.
Tiny is a later and stronger development than Zeus. The malware has two modes: intercepting keystrokes on banking sites and requesting additional information for the subsequent reset of the user's password.
4. Theft of cryptocurrency
In connection with the record rise in the price of Bitcoin at the end of 2019, I would also like to analyze an interesting class of malware that steals cryptocurrency.
The most common variant of such stealers are cryptocurrency grabbers.
These are simple Trojans in functionality that change the recipient's wallet when making a transaction. Most of these grabbers are based on user carelessness.
I will give an example of the work of one of the real-life cryptocurrency malware.
The screenshot shows the stage of setting up the grabber. The attacker first of all prescribes wallets to which the coins will be transferred. For clarity, he drives in zeros.
It then creates a malicious .exe file and runs it on the test computer.
The following shows the victim's actions. Since wallet numbers are long, unrecognizable sequences of random characters and numbers, the only quick way to use them is to copy them through the buffer.
The screenshot shows how a potential victim copies his Bitcoin wallet number from a text file to the clipboard.
The grabber monitors the buffer and when the crypto wallet number gets into it (it is easily determined by the template), it changes it to a pre-written one.
As a result, a person inserts text from the buffer and, with a high probability, can send coins directly to the attacker if he doesn’t verify the inserted data.
In the screenshot, the arrows show the data received from the buffer. Instead of the copied correct wallet number, zeros are inserted from the buffer that was written during the building of the malware.
The zeros shown in the example are very different visually from the real wallet number. But in practice, when using a cryptocurrency grabber in real life, it is quite difficult to define a spoofing.
Such malware can be created based on rather strong banking Trojans and be safely hidden in the system.
There are also more advanced varieties that replace the wallet input field using Web Inject. In this case, it is impossible to visually determine the substitution. Such malware, as a rule, works with virtual cryptocurrency wallets and crypto exchange sites, where the structure of the input form is known in advance.
5. Downloading all data for information
If a hacker is hunting for a trade secret, then the entire disk or files of certain types are merged. These can be local databases, photo and video materials, documents, and in general everything that is of value to the customer.
Looking through the logs that Irbis showed me, I have repeatedly come across many Microsoft Office documents - DOCX and XLS files
Finally, I left the most dangerous and fatal type of attack - extortion using encryption. For ransom, the victim's key valuable data is encrypted right on his computer. Malware that accomplishes this task is called ransomware.
Today, this is a major problem, gaining momentum along with the spread of Bitcoin and other cryptocurrencies used to obtain a ransom.
To convey the scale of the problem, I will give numbers.
In 2020, a study was conducted on the losses of state-owned companies, including medical facilities in the US for 2019. The sum of $7.5 billion was announced. This isn’t counting commercial companies, which are the main target of the ransomware. Data for 2020 promises to be even more impressive.
Irbis said that it is impossible to assess the true scale of the problem, since in practice most of the attacked companies pay the ransom and hide the attack in order to preserve their reputation.
We can be talking about tens of billions of dollars a year.
Here is just one of the thousands of such cases: in the summer of 2020, ransomware completely paralyzed the work of Garmin, which deals with navigation devices from handheld devices to missile control systems. The attackers encrypted key data and all backups. The company had to pay a ransom of $2.300,000 in Bitcoin (The amount of $10,000,000 is often mentioned on the Internet, but this isn’t the case. Thanks to negotiations with the attackers, it was possible to reduce the amount of damage).
On the Internet, you can also find many other special cases of extortion that have already happened. I'll tell you about how it works “from the inside”:
- how the victim is selected,
- how the implementation takes place,
- how operators are hired to attack companies,
- what % of the profits the hired hackers receive,
- how a ransomware attack can end.
All stages of ransomware attacks are subject to one general principle: the income from the operation must significantly exceed the costs of the organization and its execution. It is for this reason that computers of ordinary casual users haven’t been encrypted recently.
The practice has shown that the best results for ransomware are obtained when they attack private companies. In second place are government agencies.
The first stage is the development and collection of emails belonging to employees and company management. It is through mailing emails with the ransomware downloader that the initial implementation takes place. To improve efficiency, attackers most often send emails on behalf of superiors or other companies that weigh the recipients. To do this, a mail server is launched on pre-purchased domains similar to the desired email addresses, systems that replace the sender (email spoofing) are purchased, preliminary correspondence is carried out to find weaknesses.
At the second stage, the selected employees receive a letter that contains an attachment of some “important” document. This letter contains an exploit that subtly injects a downloader onto your computer. It waits for a specified time, downloads and launches ransomware.
According to CIS estimates, Slayer became the most massive downloader at the end of 2020.
The infected computer becomes part of the ransomware botnet.
Here I want to highlight one important detail.
Whereas previously, an infected computer was immediately attacked, all files of a certain type were encrypted, and a message appeared about the need to pay a ransom, now the attackers are acting more professionally.
Hackers understand that they are being hunted by law enforcement agencies, but they need working hands. Hired specialists to deploy through infected computers. They call this "lateral movement". The essence of this method is to penetrate the local network of the company and infect the maximum number of computers.
Irbis provided an interesting detail. Just a year ago, the criminal groups organizing the attacks offered the hired specialists (operators) 70% of the profits. At the beginning of 2021, there are already so many such criminal groups that they offer work, leaving themselves 20% or less. At the same time, the level of specialists is falling, since there are simply not enough of them. This is indirectly evidenced by manuals with rules for those wishing to participate in "projects", but who don’t have sufficient qualifications.
Hackers, as a rule, send offers to verified people. Irbis says it has to blacklist such applicants, as offers of cooperation come in about once a week.
The task of the implementer is to get through the infected computer to the most vulnerable spots of the company, collect everything that can be sold and block the work of the entire company.
At the same time, all information is analyzed along the way. If trade secrets come across, the attackers go out to competitors and try to sell them the stolen information.
All accounts, passwords, anything that can be of benefit is collected.
Such work can last from several days to several months. All this time the company operates as usual.
On day X, when all the data is collected and the maximum number of computers is infected, the botnet issues an encryption command. According to Irbis, if everything is done professionally and high-quality thought-out software is used, then it is impossible to decrypt encrypted files and disk partitions.
The screenshot below shows the screen of a locked computer. It contains brief instructions on visiting a special site using the Tor browser.
The site where the victim can receive payment instructions for decryption looks like this:
Anti-ransomware companies can only offer an attempt at decryption in such cases. There are two methods for this:
- Search for common signs of encryption, temporary files, decryption keys on the attacked computer.
- Reversing malware code to find algorithms.
Both of these methods are effective only if the ransomware isn’t created by professionals, and if it is physically found on the computer.
In reality, if the encryption key isn’t saved on disk and isn’t stored in the memory, and the executable code itself also existed only while the ransomware was encrypting data (being only in the memory), then there is no way to bypass modern encryption standards such as. Even on existing supercomputers, the key selection will take several thousand years.
The last step is getting the ransom.
According to Irbis, the most common way to reduce the ransom is by negotiating with the extortionists. Perhaps this is the only thing that an attacked company can do to reduce the damage done.
It is also important to understand that encrypted computers not only block valuable files but also hide the traces of the activities of those who have infected the network and obtained information for a long time. These people don't want to be discovered. And if they feel that the risk of being calculated is too great, they will receive a ransom and simply disappear. At the same time, they will either completely destroy all data on the hard disks of the attacked computers or simply won’t decrypt anything.
Unfortunately, such cases aren’t uncommon.
In general, if we talk about the ethical side of the activities of criminal groups of cryptographers, then among hackers such people aren’t respected. According to Irbis, few cybercriminals welcome attacks on medical institutions, schools, and other social facilities.
The main methods of infection
Until 2015, exploit bundles distributed through web pages were the main method of penetrating the system. This method was actively used for attacks on Windows, the share of which in traffic reached 80% or more.
This method made it possible to infect computers that visited a specially created page with an efficiency of 20-50%. Moreover, this page was most often loaded imperceptibly through the HTML IFRAME tag.
The most widespread exploits are in the adult sphere. Such traffic in almost unlimited amounts (tens of millions of hits per day) was relatively easy to "get" on thematic sites.
Now, this method is much less common. This is due to four main reasons:
- Distribution of Google Chrome, under which one of the first acts began to use auto-update and quickly patch vulnerabilities and applied a good built-in antivirus.
- Reducing the share of traffic from Windows.
- Improvement of built-in anti-virus apps and distribution of third-party anti-virus systems.
- Exploits left the mass market and became more expensive.
More time-consuming but effective infection methods have come to the fore today:
- Landing pages
- Installs from the shell
- Targeting attacks
1. Landing pages
The most common way to infect any device. It is based on gullibility, carelessness, or skillful deception of the user.
Take a look at the screenshot:
This is a screenshot of a landing page found in 2021 and issued by one of the existing affiliate programs for distributing malicious software.
An unsuspecting site visitor clicks on a link or button relevant to his needs and is prompted to install a program or app. According to my data, on average, about 5-30% of those who click on the landing page button end up installing the software. This indicator is highly dependent on the type of traffic.
Entertainment traffic has the worst "conversion" rate, and targeted business traffic that matches the landing page as much as possible has a higher infection rate.
Landing options are endless. Most of them are indistinguishable from the usual "white" pages that are used, for example, in direct sales.
2. Installs from the shell
The oldest method of infection. The user's device is infected through the files that it searches for and installs.
In reality, any executable file that isn’t specifically scanned for malicious code can be infected.
Here are just a few of them:
Hundreds of different topics. From time to time, malware is found even in apps from the Google Play Store.
The user finds and installs such files, ignoring system warnings.
- Any third-party .APK files
- Resources for Minecraft
- Cheats for PUBG Mobile
- Windows activators
- Driver packages
- Free games and more
3. Targeting attacks
Any .doc, .xsls, .pdf (Microsoft Office, PDF) and some other file types may contain executable code with an exploit. Exploits are introduced through vulnerabilities in a web browser or other apps and infect the system.
For example, Irbis saw exploits that were nearly 100% effective with outdated versions of Acrobat Reader. At the same time, obsolete versions reached about 40% of traffic. Those 40% of the computers of users who visited a site were infected.
If earlier, such attacks were widespread, today hackers use them more precisely. This is due to the high cost of effective exploits. For example, to enter the system via PDF, you need to pay $1,000 for a private code that isn’t blocked by antivirus software.
There are special sites that publish current vulnerabilities of programs and systems. The largest of these, CVE, publishes an average of 5 or more vulnerabilities per day. An experienced programmer can use this free information to create their private exploit.
Experts look for and publish "holes" in the software in order not to help, but to resist hackers. Due to this, “patches” are released on time to eliminate the vulnerability. But, according to Irbis, there are cases when 2-3 new “holes” are found in the patch. As a rule, this is typical of free services (Apache, WordPress, PostgreSQL, and others).
There is also an interesting resource called Sploitus. It is a search engine that hackers often use to target specific devices or servers.
For example, they ordered your server, I scan it with a scanner, it generates a detailed report on your ports and services, I go to Sploitus and enter the versions and programs that run on your server. I apply all this and gain access to the server.
Example: https://sploitus.com/exploit?id=EDB-ID:49231. This is a vulnerable WordPress plugin. I just need to find a site with such a plugin and that's it.”
The more programs and apps installed on a device, the more likely it is that an attacker will find a vulnerability and use and exploit it. This is especially true of web browsers and programs that can be run from them. They are most often the target of hackers.
With the development of social networks, craftsmen appeared who buy or otherwise extract traffic in social networks for further infection using landing pages.
I made this type of attack a separate item due to the complexity of the so-called cloaking device. This is a site or page on the Internet, where users of social networks can absolutely legally get through ads or links in posts and comments. But there is no malicious code on these pages.
They are equipped with sophisticated traffic analysis systems that can separate ordinary users from social network administrators or bots of anti-virus systems, Google, and other undesirable transitions for attackers.
To them, the cesspool will look like a "clean", legal page. And authenticated users are redirected to a special temporary URL on the Internet for infection or to try to persuade them to install an app. Remarkably, such a URL can only exist for a few seconds. This is done to complicate its tracking by anti-viruses and, most importantly, by Google Chrome bots.
For credibility, cloakers even buy cheaper traffic or sacrifice a significant proportion of potentially infectious visitors for more credible clean work. A competent cloaker can “drain traffic” for years.
How malware gangs work
- Geography of hacker groups
- Economic criminal groups
- Government hacker groups
- Mixed criminal groups
In this section, we won’t talk about classic hacker groups like Anonymous, which promote certain ideas, but about those who pose a real danger to the life of private and public companies, as well as individuals.
Today there are several hundred active cybercrime groups. There is no point in listing them all. Even security companies often group dozens of groups into a common cluster and give them the name of the parent group.
Geography of criminal groups
There are groups of hackers all over the world: known North and South American groupings, African communities, European, Chinese, North Korean, and Eastern European.
I would like to note that, generally, it is Russian, Belarusian, and Ukrainian hacker groups that are considered the most active, numerous, and professional.
So, at the beginning of 2021, while the whole world was celebrating, it seems that the largest attack on the US government structures was carried out. The infiltration of 250 federal agencies and enterprises was allegedly carried out by a group controlled by the Russian special services.
In fact, the Internet is bursting at the seams from the attacks carried out for the sake of enrichment and cyberwarfare. Today, there are 3 types of hacker groups. The most massive of them is economic, aimed at enrichment. The second is government special organizations and recruited hackers. The third is a mixed type (read below).
Economic crime groups
Most often, hacker groups are created for enrichment.
In 2021, the most common way to make money from hacker attacks is extortion. In 2020 alone, the number of such communities doubled.
The boom in ransomware is primarily related to the spread of cryptocurrencies. The groupings have an established scheme of work:
- Finding a victim company or preparing an attack on random individuals.
- Hacking or penetration using social engineering or software tools.
- Extortion using Bitcoin.
- Transfer of Bitcoin to Monero (it is impossible to track transactions of some "anonymous" cryptocurrencies).
- Withdrawal of funds.
If hackers are engaged in theft and sale of important data, cryptocurrency, or interception of bank transactions, then only points 4 and 5 change. Instead, there can be either a leak and sale of data to an interested party or other operations necessary to monetize the attack.
The bottom line remains the same - for effective work, hackers need to create communities and distribute powers. One person either isn’t able to perform all the listed actions on his own, or it will take too much time.
Here are just some of the cybercriminal groups that have thundered around the world:
- Cobalt is a strong cybercrime group that has stolen over a billion dollars from bank accounts.
- Molerats is an Arabic-speaking criminal group that specializes in Facebook accounts.
- REvil is an extortion gang. I was able to find a job ad for this group:
Here is the ad text (translated from Russian using Google Translate):
We are glad to welcome you to our group. After a year of successful and fruitful work in private, we decided to resume public recruitment.
We recruit 2 categories of persons:
1. Teams that already have experience and skills in penetration testing, working with msf / cs / koadic, nas / tape, hyper-v, and analogs of the listed software and devices;
2. People who have the experience, but don’t have access to work;
Working with us, you get the maximum level of anonymity and security: we use a multi-level security and access control system, as well as P2P communication tools. Besides, we use the Monero cryptocurrency.
Working conditions for teams that have their access, a constant source of access, and skills for their development:
- start - 70/30
- after the first 3 payments - 75/25
- with a profit of more than $1 million per week - 80/20”
Government hacker groups
As I said above, the purpose of this article isn’t to repeat the well-known facts about hackers, but to reveal the current nuances of using malware. Therefore, let us examine all the work of specialists infecting devices using malware.
Irbis mentioned the main method of recruiting hackers and cybercriminals by intelligence agencies. According to him, any hacker will be caught sooner or later. This can happen quickly, or years later, or even years after the end of the criminal activity. This can be a used old e-mail (often found), a nickname, or a social media account. All available data of hackers is “charged” from special monitoring systems and sooner or later something pops up and a logical relationship with a specific person is found.
After that, special services can observe the object for some time and determine the degree of her or her competence. If he or she fits their tasks, then they are recruited.
After that, the hacker has no choice but to work independently or in a team for the government.
There are also "white" hackers hired to work in the shadows, but they usually don’t have the experience of invisible and massive malware infection. Therefore, governments are actively hunting for experienced professionals.
- Cozy Bear – a Russian hacker group.
Mixed criminal groups
Irbis said there are also active cybercrime groups working with the government. Presumably, they share the information they have received with the special services and work within a certain framework. For example, don’t operate on the territory of certain countries.
Most of the large cybercriminal groups that aren’t afraid to “shine” in public may be under the control of the special services.
How to check devices for infection (expert advice)
How to trust your computer or smartphone?
Should you trust off-the-shelf apps to find and remove malware?
What is the weak point of all Trojans?
I asked Irbis to help answer these questions. The result is a small universal guide that can help identify malware, even if it hasn't shown itself before.
This is such a common myth - if your computer starts to slow down, then a virus has infected it. This isn’t how it works in most cases.
There is a joke among hackers - if your computer works better, then a hacker is working on it.
Its essence is that professional hackers are people with out-of-the-box thinking, and they know how to improve the performance of the systems with which they come into contact. They can detect and remove interfering malware and system problems to make their task easier.
Reliable ways to detect malware
I'll make an educated guess right away that if you aren’t an advanced user and don’t know what background processes and services are, then go directly to step 3.
1. Analysis of active processes and services (desktops only).
Do you know the key combination Ctrl-Shift-Esc? It opens active processes in the system. We will talk about them now. But we won’t watch them with the built-in Windows app, but with the free Process Hacker utility. On Mac, I recommend using Atmonitor.
The screenshot shows only a small part of all active Windows processes. To analyze the information received, you need to have experience and knowledge about what processes are usually present in the system.
But there is one life hack. Run Process Hacker on another Windows computer. The system version must be the same. For example, both computers must be running Windows 10 with the latest updates.
I also advise you to close all open programs, including those in the tray.
Now you can compare the list of active processes (Processes tab) and services (Services tab).
There are almost certainly processes that aren’t on the other computer. Look up the information about them.
One of the most important entries is the publisher. If the process wasn’t specially signed with a trusted certificate, then malware can be identified by it. The screenshot below shows a “good” process. Its publisher is "Microsoft Corporation".
However, professionals always sign malware with trusted certificates.
Pay special attention to the presence of the ncat.exe process.
Sometimes professionals use this open-source tool to execute commands remotely. But this process can be called differently.
The process analysis method gives only a superficial result. You can isolate several suspicious processes and check them against VirusTotal.
Important: If you haven’t found suspicious processes, this doesn’t mean that the system is clean. Professionals use malware to track the call to Process Hacker or the standard Task Manager. In this case, they terminate all processes and “hide”.
2. Analysis of network activity
A sophisticated but the only effective method for finding malware.
Its essence is that the observer monitors all the network activity of the device. For Windows, this can be done by the same Process Hacker, but the best way is to use Wireshark. It is available for PC, Mac, and Linux. Wireshark is a strong tool for analyzing and logging network activity. If you haven't used it before, then you will need a guide on how to use it.
Any malware used in 2021 has network activity. At least sometimes, it needs to communicate with the C&C server to transfer data or receive commands.
The analysis of network activity is carried out in two stages:
Analysis of current activity (Process Hacker will do, Network tab). You need to investigate everything - connections - check IP addresses and hosts. For example, a Windows update service will connect to a Microsoft server.
Logging of network activity over some time and subsequent analysis. This stage gives an almost 100% result, but it takes time and a lot of effort to analyze. For example, the Cobalt Strike bot "pushes" to the control server once a month. But this is rather an exception. Most malware downloaders “air” every 1-3 days or more. Adware or Spyware transfer data more often or non-stop.
Today, Cobalt Strike is the most serious and most prevalent threat to corporate networks and government organizations. Typically, the victim doesn’t have a month to look for signs of activity. Therefore, tools have already been created for automatic detection. CobaltStrikeScan is considered one of the best in 2021.
3. Scanning the system
The fastest and simplest method, but not as effective as Network Activity Analysis, is to check the system using ready-made antimalware programs or apps.
All major antivirus software publishers offer these free tools.
Irbis recommends using Dr.Web CureIt. It is the most effective malware search tool in 2021.
There are three main ways to remove malware:
- Manual removal. Using data from active processes, you can calculate the location of suspicious processes, stop their execution, and delete them from the disk.
- Automatic deletion. The same Dr.Web CureIt or other anti-virus software can help with this.
- Reinstall the system. You need to save all important data, reinstall the system, check the saved data for exploits and payloads (on VirusTotal or antivirus) and return it to the disk with the reinstalled system.
Verification of documents and other data should be carried out with a ny malware removal method.
How to protect yourself from hackers
If you ask a professional hacker what can protect you from hacking, the answer will be something like this: Nothing.
There is no 100% guaranteed method of protection if you are connected to the Internet, but there are effective ways to minimize the risk.
Protection of computers and smartphones
Irbis shared his experience with me and gave me tips on how best to defend against malware and avoid trouble.
- NEVER run programs and apps created by unknown publishers or downloaded from non-official sites. This is especially true for smartphones and tablets on Android since in the vast majority of cases they are infected through .APK files.
- Don’t open any email attachments, even from trusted individuals and companies. If you received an update notification with a link, then carefully check the domain and contact the sender in an alternative way for confirmation. Attackers can send any notifications from sites that are similar to trusted ones but are phishing.
- Don’t visit sites whose addresses don’t contain https.
- If your computer has important information, don’t visit any unfamiliar sites from it.
- Always use complex passwords. Many are lazy to enter complex combinations of numbers and letters, but this is good protection against brute force (password guessing). Where possible, enable two-factor authentication. You can store passwords in the notebook of your smartphone, which has a locked screen and on which .apk files from unknown sources have never been installed. It is enough to keep one password in your head from the main email to which you register your accounts. In case of loss or breakdown of the smartphone, passwords can be restored via this email.
- Install antivirus. It's better to use the paid version of Kaspersky. Irbis singled out this particular antivirus as the most difficult for hackers.
- Don’t use other people's flash drives.
- Don’t disable auto-update of installed software, including the OS itself.
- Carefully check the details when sending cryptocurrency. If possible, when transferring a significant amount, transfer a smaller part of it and wait for the receipt. Then send the rest.
- Use VPN software on all your devices if you work remotely.
- Try to share files with colleagues via Telegram, WhatsApp, or Facebook Messenger, and not via e-mail.
- Pay attention to suspicious messages from users in social networks and instant messengers. Their accounts can be hacked.
For corporate networks, it will be wise to use the tool that monitors the current vulnerabilities: Felix83000-Watcher. It is a fully-fledged automated defense that detects network weaknesses.
I would also like to mention reg_hunter's tool. It is one of the few utilities that monitors abnormal registry entries and prevents infection by the most dangerous and most widespread hacker "combine" Cobalt Strike, based on which the loudest hacks are made.
Chameleon is considered very effective. This is an active defense tool. The system simulates open unprotected ports and takes on attempts to find vulnerabilities:
I would like to share my vision of the development of events.
The information to locate malware is easier than ever to find today. Buying ready-made malware is also not difficult. This means that the existing "programs" will be improved and new Trojans, ransomware, and spyware will appear.
The next wave of cryptocurrency growth will only contribute to the spread of malware, as it will become even easier to cash out revenues and buy fresh developments.
What does this mean for ordinary users, companies, and government organizations?
We need to take more seriously the protection of networks, computers, smartphones, and all other devices connected to the Internet.
No one can be 100% protected from hacking, but no matter if you are an individual or a company, all actions aimed at protecting against intrusion will make it difficult for hackers to work. And at a certain moment, the “threshold of expediency” will come. It will be more expensive to hack you than the possible benefit that can be obtained from it.
Data encryption is the most dangerous and widespread attack today. For this, dozens of ransomware flavours have been created.
Large and medium-sized companies are under attack today. But tomorrow the situation may change. There are more and more funs of easy money. The focus can at any time shift to home Wi-Fi networks and mobile devices of ordinary users. Therefore, it is important to know the weaknesses of malware and how to protect against them.
If it isn’t possible to follow all the security recommendations, then make copies of your data and store them on computers that are disconnected from the network or on external media.
This won’t protect you against hacking but will eliminate the need to pay the ransom.
If you have your opinion on the topic of the article or you have questions for me or Irbis, then leave them in the comments under the article.
✔️ Advanced information to protect your Internet connection
Your email address will not be published. Required fields are marked