Wednesday, April 26, 2017

Assessing the Multiple Personalities of an APT Actor

Wapack Labs assesses with medium confidence that an identified Advanced Persistent Threat (APT) "group" is actually a lone, nefarious actor using numerous personas. The "group's" forum was rumored to be operated by a foreign military unit and used as a place to re-sell data no longer needed to conduct operations. During March and April 2017, Wapack analysts observed the lone actor's activities across multiple underground forums and were able to tie those activities to the aliases used by the other supposed group members...READ MORE

Wapack Labs has cataloged and reported extensively on APTs in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Friday, April 21, 2017

Darknet Private Market Selling Hacked Accounts

Wapack Labs is researching an active darknet actor in a private market. The private market is a multisignature, escrow-based shopping system hosted in Europe. The actor is currently advertising breached accounts for PayPal, Amazon, eBay, and Venmo, and has a 97.3% positive feedback rating. Banking credentials from several U.S. banks, for accounts with balances of $10,000+ and $20,000+, are also offered. The actor is additionally selling hacked social media accounts, including Instagram and Snapchat. Hacked social media accounts are dangerous because they can be used to hide nefarious activity ranging from pranks to harvesting passwords that are then used to compromise bank and online retail accounts.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, April 19, 2017

Uptick in the Wild: CVE-2017-0199

As early as January 2017, cyber threat actors began using a then zero-day Microsoft Office remote code execution exploit for CVE-2017-0199 in targeted attacks. Large-scale Dridex campaigns followed shortly after the vulnerability was disclosed in April. Like many other Office vulnerabilities, CVE-2017-0199 has been exploited by multiple actors, cyber criminals and nation-state actors alike. Recent activity indicates continued exploitation of this vulnerability...READ MORE

Wapack Labs has cataloged and reported extensively on zero-day exploits in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, April 18, 2017

Shamoon2 Overwrites and Attacks Saudi Targets

Wapack Labs' research has uncovered Iranian actors using Shamoon2 against Saudi infrastructure and industry targets. Shamoon2 renders infected systems inoperable by overwriting the Master Boot Record (MBR). The actors responsible are using commercially available kernel drivers to perform the raw disk writes, which may indicate a lack of experience with Windows kernel development. However, there is evidence indicating the malware was designed by reverse engineering malware attributed to a nation-state, suggesting that their skills are improving. Further attacks against Saudi-related targets using the Shamoon family of malware are highly likely...READ MORE

Wapack Labs has cataloged and reported extensively on malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

New Kids on the Block

Wapack Labs is researching a new card vendor in the underground going by the name “18th Street Gang Shop” (18SGS). The actual 18th Street Gang is one of the largest youth gangs in the western hemisphere and has close ties to the Mexican Mafia. It is unclear whether the actual street gang is operating this site or whether someone is co-opting its name. Users may visit the 18SGS shop, create a free account, and access its stolen credit card database. Wapack Labs filtered the records and discovered thousands of credit cards belonging to numerous U.S. banks and one major home improvement store.

Wapack Labs has cataloged and reported extensively on hackers and carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, April 14, 2017

Steal from the Rich, to Give to the Poor: A Cyber Brotherhood's Tale

Wapack Labs is researching a self-proclaimed cyber brotherhood that has pledged to halt the unjust distribution of money. For the past year, this brotherhood has been hosting a dark web domain where it provides stolen financial information. It offers stolen PayPal accounts, a money-back guarantee, and a discount if more than one account is purchased. Before being granted access, prospective users are required to submit an application via TorBox email.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, April 13, 2017

The Future of Cyber Threat Management has Arrived!

Introducing the Cyber Threat Analysis Center (CTAC 1.0) — cyber intelligence, easy analytics, no new infrastructure, and affordable.
  • The SaaS model gets you up and running fast.
  • Monitor threats and cyber risk to you, your partners and suppliers.
  • No additional staff required.
  • Known tools = fast learning curve (if any).
  • Bring your own data.

Jerome Fath, CISO, Alion Science stated - “CTAC has amplified our cyber intelligence capability by allowing us to monitor threats to our own infrastructure, as well as our supply chain. This service enhances our intelligence program by removing the need for additional people watching screens.”

Jeff Stutzman, CEO, Wapack Labs stated -
“Wapack Labs has made great strides in identifying threat intelligence sources not readily available to other companies and has been analyzing the resulting data since August 2011. We are developing innovative tools that will allow incident responders to react more quickly to threats.”

Interested? We would love to show you how CTAC can efficiently and effectively make sense of incoming data and produce real intelligence quickly and conveniently. Sign up now! Request a Demonstration.

Wednesday, April 12, 2017

Shopping Spree with Stolen Credit Cards

While researching a clear web hacker/carder forum, Wapack Labs analysts found a unique domain. Users register for a 15-minute “shopping spree” and are issued a password to its database. The domain holds many international cards and boasts over 1 million cards from the U.S. Once users choose their stolen cards, they add them to a shopping cart, just like on a legitimate e-commerce site. The domain filters its database by BIN, Brand, Type, Level, Bank, Country, State, City, ZIP Code, Address, Seller, Base, Load, Expiration Date, Valid, or Sort. All purchases are made in Bitcoin.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, April 11, 2017

Clear Web Forum Housing Thousands of Stolen Credit Cards

Wapack Labs is researching a clear web novice hacker/carder forum that advertises thousands of stolen credit and debit cards. The forum posts weekly batches of stolen bank credit and debit cards from victims worldwide. It also provides a free account to browse the forum's stolen card database. The forum's advanced settings can filter by country, state, type of card, sub-type of card, and bank. When filtered on the name of a major financial institution, the results returned hundreds of that institution's customer credit and debit cards for sale.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

FTC Subpoena-Themed Reconnaissance Campaign

Wapack Labs analysts, using the Cyber Threat Analysis Center (CTAC), discovered a reconnaissance campaign that we assess with moderate confidence was conducted in preparation for a more malicious campaign. The logs contained email addresses, filenames, and IP addresses. It is believed these logs are from a phishing campaign that leveraged “FTC subpoena” (Federal Trade Commission) lures to entice targets to click a link in the email...READ MORE

Wapack Labs has cataloged and reported extensively on reconnaissance campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, April 10, 2017

Russian Hacker: DDoS Services for Hire

Wapack Labs is researching an established Russian hacker who provides DDoS services for hire. The hacker offers a wide variety of DDoS attacks, which can be directed at any specified port, and guarantees 100% anonymity and a 100% refund for a failed DDoS attack. The cost of services varies. Payments may be made in WebMoney, Qiwi, and Bitcoin. All communication is over ICQ, Jabber, or Telegram.

Wapack Labs has cataloged and reported extensively on DDoS hackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Ransomware Developer Seeks Long-lasting Partners

Wapack Labs is analyzing a ransomware developer who is advertising on several high-profile hacker forums. The developer is in search of highly skilled and reliable partners to work on common interests and offers a synopsis of the program. The developer's current ransomware runs on Windows x86/x64 platforms. The malware's decrypter is released for an infected system only once 100% of the payment has been made. The developer states it will generate a unique Bitcoin (BTC) address for ransom payment for each individual infection.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, April 7, 2017

The Carder Wears Prada: Reselling Stolen Credit Cards

Wapack Labs is researching an international carder who is advertising the sale of thousands of stolen credit/debit cards from around the world. This carder advertises on several clear web and deep web forums, asserting a validity rate of 80-100%, and confirms invalid cards will be refunded. A buyer can create an account to shop inside the carder's database, which contains the stolen credit/debit cards. The carder claims full encryption is provided with each card dump, which includes all pertinent banking credentials. This carder uses Bitcoin (BTC) for payment transactions.

Wapack Labs has reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, April 6, 2017

Venmo Fraud Scam

Venmo is a mobile payment service owned by PayPal that allows users to transfer money using a mobile phone app or web interface. Threat actors have been observed purchasing reloadable gift cards online with stolen bank funds and then transferring the money into a Venmo account. From the Venmo account, the actor executes a wire transfer to another account, often at an offshore bank in a country with lax banking rules. Venmo significantly reduces the time it takes to cash out stolen funds, which makes it harder for victim banks to stop illicit transfers before the money leaves their reach. Financial sector scrutiny of the Venmo service is recommended.

Wapack Labs has cataloged and reported extensively on wire transfer scams in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, April 5, 2017

Dangerous Platform: Encrypted C-based RaaS

Wapack analysts are researching a C-based Ransomware-as-a-Service (RaaS) being distributed on several high-profile underground forums. Its author claims it uses AES-256 encryption and remains undetected by any antivirus, making it a dangerous ransomware platform if the claims hold. Unlike other ransomware services that charge users a percentage of the ransom payment, this C-based RaaS charges an up-front fee to use the service. It offers three RaaS packages, all of which provide access to the C-based ransomware (advertised as Fully Undetectable, or FUD) and a crypter, with Tor-based command-and-control servers and a management panel.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.