![]() The IRC channels on the server that were used by Pahan’s zombie were pahan12 and pahan123.Īnd in March 2016, a user going by pahann was promoting a version of the KeyBase toolkit, which can be used to generate keylogger files to order: Here’s an example from November 2015, when pahan was offering a malware scrambling tool called Aegis Crypter:Ĭryptors take an existing malware program as input, and churn out a modified, scrambled, compressed and obfuscated program file as output, in the hope that this will bypass basic virus-blocking tools.īut Pahan’s version of Aegis included its own “secret sauce”: a zombie Trojan called Troj/RxBot than hooks up infected computers to an IRC server from which remote command-and-control instructions can be sent to the network of zombies. Interestingly, Pahan has a history of this sort of double-cross, promoting one cybercrime tool but infecting it with another. ![]() IF anyone need this email me its cost 20$ Those having problem to port forwarding or those are in restricted network firewall try this… He went after users on other crime forums, too, like this offensivecommunity post offering the same RAT with the same screenshot:Īs it is a php rat it doesnot required any port forward. Our guess is that Pahan was after his victims’ logins for leakforums and other hacker sites, in order to build up his rank in the underground. (The “Pahan” connection continued here, because the URL contained the text pahan123.) They ended up infected with the KeyBase data stealer instead, and their stolen passwords were sent off to a data-collection website. The SLICK RAT download contained an installer:īut newbie crooks who ran the installer didn’t get what they paid for. Sometimes crooks turn on their own kind, as happened here.Ī user on the popular underground site leakforums, going by the name pahan12, popped up offering a PHP Remote Access Trojan called SLICK RAT: One of the most popular keyloggers these days is KeyBase, a product that was originally sold as a legitimate application before being abandoned in apparent disgust by its author:īut KeyBase lives on, with cybercrooks giving it a new home all over the cybercriminal underground. In other words, there’s still big money in keyloggers. The amount may be $100,000 or even more, and the email will typically claim that that the funds are part of time-critical business venture such as an acquisition, to justify both the large sum and the urgency. The fraudulent email in a wire-wire scam won’t be a demand for $300 in bitcoins, which is a typical price-point in ransomware, but an official-sounding corporate instruction to put through a massive funds transfer. That’s where a crook logs in with a stolen password to send an email that doesn’t just look as though it came from your CEO’s account, it really did come from her account. Keyloggers are still popular in the cyberunderworld, because they help crooks to steal your passwords.Īrmed with your email password, for example, crooks can pull off much more audacious crimes than ransomware, such as business email attacks, also known a CEO fraud or wire-wire scams. ![]() Not all malware is ransomware, even though ransomware hogs the spotlight these days. ![]() Thanks to Gabor Szapannos of SophosLabs, who did the hard work behind this article.
0 Comments
Leave a Reply. |