Research

xDedic – the shady world of hacked servers for sale

 Download PDF version

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

dedicblog_eng_1

xDedic forum login

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.

The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

xDedic - the shady world of hacked servers for sale

Server purchase forum

To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.

In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

xDedic - the shady world of hacked servers for sale

Top countries with servers on sale

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.

xDedic - the shady world of hacked servers for sale

Top 10 sellers – May 2016

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

xDedic - the shady world of hacked servers for sale

SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.

Apparently, there is strong interest in accounting, tax reporting and point-of -sale (PoS) software which open up many opportunities for fraudsters:

Spam and Attacking Tools Gambling and Financial Software POS Software

Advanced Mass Sender
Bitvise Tunnelier
DU Brute
LexisNexis Spam Soft
LexisNexis Proxifier
Proxifier
Spam Soft

Full Tilt Poker
iPoker Network
UltraTax 2010 (2011,..,2015)
Abacus Tax Software
CCH tax14 (tax15)
CCH Small Firm Services
ChoicePoint
ProSeries TAX (2014,2015)
ProSystem fx Tax
TAX Software
2015 Tax Praparation
Tax Management Inc.
Lacerte Tax

PosWindows
BrasilPOS
POS AccuPOS
POS Active-Charge
POS Amigo
POS Catapult
POS Firefly
POS ePOS
POS EasiPos
POS Revel
POS Software (Generic)
POS Toast
POS QBPOS
PosTerminal
POS kiosk.exe
POS roi.exe
POS PTService.exe
POS pxpp.exe
POS w3wp.exe
POS DpsEftX.ocx
POS AxUpdatePortal.exe
POS callerIdserver.exe
POS PURCHASE.exe
POS XPS.exe
POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

xDedic - the shady world of hacked servers for sale

Servers for sale with Point-of-Sale software – May 2016

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless.

Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here.

* For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact intelreports@kaspersky.com

xDedic – the shady world of hacked servers for sale

Your email address will not be published. Required fields are marked *

 

  1. SW

    This is why ip reputation services such as GetIPIntel need to be a part of your security implementation. You have to take action to prevent these bad ips from connecting to your network.

    1. Jhoy Cristian

      You talk too much

    2. anonymous

      I tested some random IPs from the pastebin list for Feb 2016, it seems to work well. It looks like most residential IPs score lower but regular hosting networks score high.

  2. Martin

    Excuse me if the question is trivial or stupid but I’m not well versed in terms of server security so: Is there an easy way to verify whether or not my company’s server has been affected (and/or access to it is available is for sale) without actually searching for the domain on their website?

    1. S

      AngryBirds you are an idiot. You sent IPs in public, and now all will try to hack it. Remove the comments better. If you have some info to send for Kaspersky, do this privately.

  3. CHR

    @AngryBirds Can you share how you find true IP without 2 octets hidden? Another RDP/socks shop [redacted]shop.ru have very similar interface. Please mail tlp.ex.chr at gmail

    1. Darlene Delgado

      I was hacked. I have screen shots of the, “codes” that were used. You have no idea what I have been through with these guys. Many of the POS.exe and other Linux commands were used on my Android, Galaxy 6, and I sent an email not sure if it got through. Can you help me? (1st comment email address is wrong)

      Darlene-

  4. Clarinda Cadet

    Informative discussion – I loved the analysis , Does someone know where my company could possibly grab a blank Bankruptcy B6G copy to work with ?

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox