Looking at all the variants of commercial AAA malware titles like Trickbot or Emotet, I wonder what it was like a decade ago. Cracked software keys, modded premium applications, pirated movies and games were yielding high payouts while the Banking Trojans / Ransomwares were at their infancy.
Now we have loaders that are outsourced from Malware as a Service providers to stage your customized payloads provided by a different associate, They also provides good customer support and patching cycles for the toolset provided. The huge rise in underground markets and enterprise ecosystems targeting banking industries is primarily due to the high payouts.
Being an independent researcher one can lack the resources to setup infrastructure to detect these micro-changes to malware codes - we are talking about Honeypots, Mail Relay servers and Domains. It is hard to get your hands on in-the-wild samples that has never been documented by others and one can loose their soul in that search.
With my recent interest in fraud, account cracking and credit card crimes - I came across some crackers and brute-forcer tools in the dark markets. Yes, I got scammed a couple of times but the dump was worth it at the end.
I call them low-tier cyber crimes because unlike the credit card or other banking crimes these ones are overlooked. I don't want to get into the contrasting process of how customer data is valued in a FINTECH industry vs a Social Media company but would like to add that in financial sectors you can monetarily be settled or at the least tag a value to it; But in media companies the damages are just variable and complex.
So, I have a persona that closely work with Krollie’s. Krollie Team is very interesting as they update themselves with the latest technology and find new avenues for better payouts. They have been taken down in multiple platforms and now have found a foothold in the one and infamous - Telegram. Even on Telegram they have just migrated to and operating from their third channel with the username - @CrackersTeamOfficial
I found an old dog in their dump that was very interesting and had broader use cases and can be equipped with new tricks. Without doubt most of the tools, knowledge base or How-to articles were stolen from or purchased from other channels or cyber crime groups.
Any analyst following the cracking market should know that the best tool for the job is often a modular framework that supports custom scripts and contents as it gets created over time (One classic example is Metasploit - you have to love the tool for it's modularity)
Frozen's FREEZE v1.27 - At first I thought this is just another off-the-shelf tool with it's network connections cut-off, but boy this was fun! It’s a basic framework and with proper configurations it's a Pandora's box for skids.
The scope of this tool is to brute-force websites or logins primarily targeting social media and other online services like Hulu or Valve's Steam. Then the credentials are exported into a text file, combined as what they call a combo list and sold in the dark markets.
Remember we are talking about low level crimes so it's always about lazy tools and payouts (eg: Instagram auto-liker). These tools are generally referred as CRACKERS.
While there are other well evolved tools on the markets these days like BlackBullet or Storm, this particular tool could have been a precursor to most of them.
I want to believe that the tool was probably built by a computer engineer with a strong base in dotNet programming language for 'educational purposes' but you never know; some Russian would've paid a coder with their requirements as well ( the problem with attribution )
Freeze is an executable that comes with a configs folder and a text file titled 'scan'. The scan text file has a VirusTotal link that points to the scan results for the executable.
For those new to the dark market scene VT is a valuable asset to us and also for the adversaries - an important marketing platform to showcase, test and advertise products.
From VirusTotal - The first submission time is 2010-11-30 12:51:36 and the file has a compiler stamp of Mon Nov 29 07:03:46 2010. Explains that the executable was uploaded just after this version and likely by the author. Which again nails down to the problem of high dependency on VT within the security community.
Looking at community scores, as usual the authors have anonymously posted good reviews about this executable over this timeline - this could mean that the tool is still being used.
But also observed multiple (50+) positive votes from @opexxx.
Note that the domain and the IP is also associated with a similar variant of Freeze which has a whooping 68/73 detection score and attributed as Neshta. Neshta is a virus that spreads by adding the virus code to other executable files and uses them to collect system information.
If you are wondering how that file was attributed : a string extraction shows mutex value - \shell\open\command "%1" %*
The debug path points to path:"c:\users\blue\desktop\computer science\visual basic\freeze\freeze\obj\x86\release\freeze.pdb" - the username of the machine from which the executable was compiled is 'blue'. Props to the coder for following good OpSec.
Extracting the strings we find the below notice message:
ascii,53,.text:00002C99,-,-,-, may be protected by copyright. Redistributing Freeze
ascii,50,.text:00002CD0,-,-,-, without permission is strictly prohibited. Freeze
ascii,52,.text:00002D04,-,-,-, is made for legal purposes. You must not use Freeze
ascii,109,.text:00002D3A,-,-,-, to commit any illegal offence. If you disagree to any of these terms and conditions, immediately exit Freeze
Now I'm not sure if this is either just for fun and profit or for real. In any case nobody likes their products pirated.
Performing a dynamic analysis we see something very interesting - an outbound connection to 103.224.182.248 (AU) and 185.53.179.29 (DE)
unicode,36,.text:00036F66,x,x,-,http://www.text-upload[.]com/login.php
unicode,42,.text:00037004,x,x,-,http://www.text-upload[.]com/edit.php?t=1697
While the website is parked at the time of this blog - the IP addresses are still actively hosting multiple malicious websites and payloads. We can assume that this is probably a shared hosting that is being exploited. ( hosted by: Trellian Pty. Ltd based out of Australia )
To get a better understanding of the use of this domain I decompiled the code using dnSpy to record two notable events:
(1) Below we can see a httpWebRequest before the form (Freeze main page) is displayed. The Interesting observation is the hard-coded credentials used to log into /login.php
This was probably necessary so the server is not listening for all public traffics and can only respond or service requests with these credentials.
(2) The second webrequest is to post the cookies collected by the application on load.
Pivoting into the cookies we observe standard IPs, FQDN and domain data collection.
As the domains are not active we did not get any response back for the queries and provided that the results from the WayBackMachine was not useful so we'll have to move on...
Once on the splash screen we get a popup window alerting that the update failed. By looking at the time frames in ProcDot we can determine that this is when the executable communicated to text-upload[.]com. Then the executable creates some custom registry keys for the operations it supports.
The application comes up with multiple tabs:
The main tab is where the start/stop buttons is located and the cracked accounts will appear.
The Wordlist tab has separate buttons to load usernames and passwords list or combo lists. Combo lists are usually usernames and passwords put together with a delimiter like usr:pwd
Proxy tab allows you setup or load multiple proxy configs and rotate them at a time of your choosing
Settings tab allows us to select a site profile that we will create in config and input the timeouts between attempts
Config tab is where we create a site profile. We would need to understand how the site accepts post-data from browsers and can add it into the fields to create a config file
Then there is a Checker tab which is just a place holder for upcoming features. A checker is a tool or basically a script that verifies if a list of usr:pwd combo is valid by attempting to authenticate
The HELP tab is for documentation and provides a summary of what each button does and the functionalities of each tab
In recent years these container software are available in plenty but the value for config files for up and coming sites like Netflix have increased in value.
It requires continuously testing and updating the config files with any changes to authentication the target site is implementing.
Most of these cracking tools fail on implementing MFA, But your Amazon (not AWS), Netflix or Ebay accounts doesn't mandate MFA at the moment. The reason why Google or Steam pushes you for adding 2FAs.
EndNote: The tool is very simple and definitely requires a manual touch to work but once articulated for a particular site - just works like a charm.
SAM is a good friend of my persona from one of the escrow groups. He taught me the inner workings and the art of doing business in the shady markets. Having friends is a good thing even if they come at a $$$ in these underground markets. He did some digging and found that there are folks selling latest customized config files for a price but I decided not to pursue further and end my journey with Freeze at this point.
Comments