A black hat loses control

Malware writers today always try to conceal their identities, right? Wrong – even some of today’s profit-driven cyber criminals reveal their identities. We were a bit surprised, but here is the story of how a black hat revealed his identity and is trying to ‘get compensation’ from Kaspersky for conducting research.

Recently we have been looking into a new service for malware writers: [avtracker dot info]. This is an online service designed to track AV vendors. The home page of [avtracker dot info] describes the service, which includes protection for malicious programs against analysis by malware researchers, and also calls for DDoS attacks against security companies:

Moreover, some of our fellow researchers shared a network request with us that was used to report back to [avtracker dot info]. This request was used in a special spy program which was distributed to various antivirus labs by the owner of [avtracker dot info]. If executed, this spyware would contact the owner and describe the environment of the infected machine. We played around with this request, and substituted various random strings instead of the user name and system parameters.

The WHOIS listing was of no use – [avtracker dot info] was registered anonymously. This was no surprise – cyber criminals usually do register domains anonymously to hinder identification.

So far, nothing out of the ordinary – a normal day in the life of an antivirus company. And then… surprise – the owner of the malware writers’ service contacted us and revealed his identity. Moreover, he even demanded a ransom of 2000 euro to compensate his purported losses when we attempted to ‘break’ his new toy.

At the time of writing, we have received the spy program, which had the following message in its code pointing to the same person who contacted us:

Naturally, we have gathered all relevant data and forwarded it to our lawyer who will now take the next steps. If all cyber criminals were as cooperative as this one, life would be much easier for AV companies.
