Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    January 2015
    S M T W T F S
    « Dec    
  • Email Subscription

  • About Us

    In the middle of my research on the remote access Trojan (RAT) known as “njrat” or “Njw0rm”, I stumbled upon, a site that disguises itself as a site for “IT enthusiasts” but actually hosts various downloaders, different types of spyware, and RATs. I explored the site and found that they host malware under the “Protection Devices” section in their website. Under this section was a forum written in Arabic, which may suggest that an Arabic-speaking country is behind it.

    Figure 1. Screenshot of the “Protection Devices” section under (Click the image above to enlarge)

    Malware from Njw0rm Source Code

    One of the notable topics in the forum talked about new malware “kjw0rm” (or HKTL_KJWORM) and a worm named “Sir DoOom,” (or HKTL_DOOMWORM) which both came about after the release of the Njw0rm malware source code in the same forum. The leaking of Njw0rm’s source code last May 2013 in known hacking websites like and led me to the conclusion that cybercriminals found a way to leverage the worm and backdoor capabilities in Njw0rm to create new malware with added functionalities.

    We discovered two versions of Kjw0rm (V2.0 and 0.5X) being shared in in January 2014 and December 2014 respectively. The Sir DoOoM worm was also discovered in the same site last December 2014.

    The new malware are coded in Visual Basic Script, unlike its earlier version, Njw0rm, which was compiled with AutoIt.

    Checking the Malware Builder

    Similar to Njw0rm, the new malware we found asks the attacker to assign a port to open for incoming traffic, with the default values being Port 1991, Port 1010 for kjw0rm, and Port 4000 for the Sir DoOom w0rm. The Sir DoOom worm requires the builder to ‘Run as Administrator’ for it to work.

    Figure 2. Top: Ports for kjw0rm V2.0 and Kjw0rm 0.5x, respectively, Bottom: port for Sir DoOom w0rm

    Looking at Control Panels

    The new malware added a lot more information in the Control Panel view of the malware builder, compared to that of the Njw0rm version in May 2013.


    Figure 3. New fields for Kjw0rm and the Sir DoOom worm

    We’re also seeing new functions for both Kjw0rm versions and the Sir DoOom worm.


    Figure 4. New functions for Kjw0rm and the Sir DoOom worm

    Propagation Routines

    The new malware based their propagation routines on njw0rm. Njw0rm propagates via removable devices by getting a list of ten folders in the root directory, setting them to ‘Hidden’ and making shortcut links using the folder names pointing to the malware executable.

    Over a period a time, the malware tweak their propagation methods to make the attack successful and employ social engineering tactics such as creating legitimate looking folder to deceive the user.

    Kjw0rm V2.0

    This worm propagates in removable devices. The worm first drops a copy of itself (Hidden, System File Attribute) in the root directory of the removable drive. It hides all foldersand creates shortcut files with folder icons with the same folder names – all pointing to the malware executable.

    Kjw0rm V0.5X

    This malware has the same routines as Kjw0rm V2.0. However, it gets a list of 20 folders on the removable drive, hides the 20 folders, and creates shortcut files with folder icons with the same folder names—all pointing to the malware executable. The malware then creates a folder named Videos. After creating the folder, the malware redoes the propagation routine to get a list of 20 folders, but now includes the subfolders.

    Sir DoOom worm

    The Sir DoOom worm has the same propagation method as Kjw0rm V0.5x. The only difference is that the malware creates five folders namely: Videos, Pictures, Movies, Games, and DCIM in the removable drive’s root directory.

    Payload/Unique Features

    Kjw0rm V2.0

    The propagation method of this malware targets all folders in the root directory of the removable drive.

    Kjw0rm V0.5X

    This worm obfuscated some portions of the malware code. The malware author utilizes an obfuscator tool that converts characters to hex values, adds filler functions, and performs computations that make analysis more difficult and time-consuming.

    Figure 5. Sample code snippet

    This malware also has an anti-VM (virtual machine) routine. It first searches for a list of the installed programs in the affected computer. If this variant found itself to be in a computer where a VM program is installed, it will uninstall and terminate itself from the affected system. This prevents analyst to do testing to determine malware behavior.

    Sir DoOom worm

    This malware incorporates new functionalities that are unique to this malware.

    • Parsing of OS product key
    • Termination of antivirus-related processes (terminates Tiger-Firewall.exe and bavtray.exe)
    • Anti-VM routines (looks for the string ‘Virtual’ in the list of installed programs; if found, it uninstalls and terminates itself)
    • Bitcoin mining
    • Launching of DDOS attacks

    Kjw0rm evolution from njRAT

    The first version of Kjw0rm was released on January 2014 (V2.0X) followed by the second version (v0.5x) by the end of the year. The Sir DoOom worm was released in December 21, 2014. This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future.


    Figure 6. Malware evolution of njRAT

    Solutions and best practices

    To stay protected against these new threats, we advise users to refrain from plugging removable drives that came from unknown computers or computers that aren’t protected by security solutions. Avoid opening and installing programs from unknown web sources.

    Paying attention to small details also helps. For example, finding shortcut files in “folder” icons with your folder names is a strong indicator that the removable drive is infected.

    Stay vigilant by keeping abreast of the latest cybercriminals tricks and techniques. Finally, make sure your security software is always updated in order to detect and remove similar threats.

    Related hashes:

    • 5408477d7491d883251fa0fcbe7f6b4e6a9d4493 – HKTL_DOOMWORM
    • b579ac4af93cc0212ed00c6468e948810bce0d27 – HKTL_KJWORM
    • 4fd150b489673ea089320811a533944416a4fd66 – HKTL_KJWORM


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    3:16 am (UTC-7)   |    by

    Since January 20, we have obtained copies of malicious SWF files used by the Angler exploit kit via feedback provided by the Smart Protection Network. These samples were obtained from users in the United States; we believe that one of the samples we obtained is the same zero-day Flash exploit reported by the security researcher Kafeine, but from an infection chain different from the one reported by Kafeine.

    The Angler exploit kit is believed to have been responsible for distributing this exploit. The past day has seen a significant uptick in the activity of the Angler exploit kit server related to the zero-day, as can be seen in the chart below:

    Figure 1. Number of hits to the Angler exploit kit server landing page related to the zero-day

    The graph clearly shows a significant increase in Angler activity in the past day, which is roughly the same time since the existence of this vulnerability was first revealed. Most of these users are in the United States, as the chart below shows:

    Figure 2. Geographic distribution of users affected by Angler

    Figure 2. Geographic distribution of users affected by Angler

    Infection Chain

    Analysis of the feedback provided by our products suggests that malvertisements are being used to deliver these exploits to end users. While we have not completed our analysis of the exploit itself, it is clear that a current version of Adobe Flash Player is affected:

    Figures 3 and 4. Infection chain of Flash exploit

    Exploit Method and Obfuscation

    Until a patch is issued by Adobe, we will refrain from discussing the details of the exploit. However, we do note that the overall method is similar to earlier Flash zero-days like CVE-2014-0515.

    We also note that the samples we’ve seen are heavily obfuscated. Firstly, it uses the loadByte() function to load and execute an embedded Flash file. The function name loadByte is obfuscated using string operations, and the parameter (i.e., the content of the embedded Flash file) is also obfuscated using byte array obfuscation.

    The embedded Flash file itself uses multiple control flow obfuscation techniques.

    The Shell Code

    The shell code in the sample enumerates the needed API function address first. It then creates a new thread to download the payload from exploit kit server.

    The payload is encrypted, which the shell code will decrypt in memory. From the obtained API, we can see there is no CreateProcess and WriteFile. Thus, it will not drop the final PE file onto the disk like other exploit kits do. This is the typical behavior of Angler exploit kit.

    Figure 5. Screenshot of function addresses saved in memory by the shellchode

    Recommendations and Best Practices

    In the absence of an Adobe bulletin, users may consider disabling Flash Player until a fixed version is released. We also note that Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat.

    The Browser Exploit Prevention feature in our endpoint products (Trend Micro Security, OfficeScan, and Worry-Free Business Security) blocks the exploit upon accessing the URL it is hosted in. Browser Exploit Prevention also protects against exploits that target browsers or related plugins. The existing Sandbox and Script Analyzer engine that is part of Deep Discovery can also be used to detect this threat, without any engine or pattern update.

    We will update this post with further updates as necessary.

    Additional thanks to Joseph C. Chen for providing the sample and additional data, as well as Brooks Li, Jack Tang, Moony Li, Michael Du, Peter Pi for further analysis.

    Update as of January 22, 2015, 11:00 AM PST

    Trend Micro™ Deep Security and Vulnerability Protection (formerly the Defense Firewall plug-in for OfficeScan) protects user systems from threats that may leverage this zero-day vulnerability following the DPI rule:

    • 1006460 – Adobe Flash Player Buffer Overflow Vulnerability

    Update as of January 22, 2015, 9:30 PM PST

    Since we published this post, there have been several developments surrounding this exploit. First, this exploit is now being targeted at Firefox as well. Currently, users of Internet Explorer and Firefox are being affected by this exploit kit.

    Secondly, Adobe released an update to Flash, bringing the latest version to However, this does not patch the vulnerability described in this post. Instead, it fixes a separate vulnerability (CVE-2015-0310). A patch for the vulnerability described here (now designated as CVE-2015-0311) will be released sometime next week.

    In the mean time, we note that Chrome is still unaffected by this vulnerability. Users of other browsers who are unable to disable Flash Player (due to usability issues) can consider downloading ad blocking software or extensions, which would held in reducing the exposure to this threat.

    Trend Micro products continue to detect these threats as described above. We detect the malicious Flash files used in these attacks as SWF_ANGZIA.A.

     Update as of January 24, 2015, 7:30 PM PST

    Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery,  have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFMSTR.A with ATSE pattern 9.755.1253 since January 24.

     Update as of January 25, 2015, 8:00 PM PST

    Adobe has started rolling out updates to Flash Player that fixes this vulnerability. Currently, only users with automatic updates turned on will receive the newest version ( Others will have to wait for a manually downloadable version, or for updates to be released by their browser vendor (for Chrome and some Internet Explorer users).

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Last July we came across a crypto-ransomware variant known as Critroni or Curve-Tor-Bitcoin (CTB) Locker. We observed recent improvements to the CTB malware, which now offer a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message. These new variants also demand payment of 3 BTC (around $USD 630), while older ones seen in July only charged 0.2 BTC, or $USD 24.

    Along with these improvements, we are also seeing a spike in these attacks in several regions, mainly in Europe-Middle East-Africa (EMEA), China, Latin America and in India.

    CTB-Locker Infection

    We have previously reported about CTB Locker’s use of Tor to hide its activities but this new variant comes with notable, new differences.

    This CTB-Locker variant arrives via spammed emails. These spammed messages were sent in different languages and often pretend to contain important notices so that the recipient is tricked into opening the attachment, which we noticed was archived twice.

    Some of the spam samples used in these attack were sent by systems that are part of the long-running CUTWAIL botnet. CUTWAIL is known for reusing available resources (including bots); it should not be a surprise that some of the IP addresses identified as part of this spam run have been part of our spam blacklists for years, with some addresses being blacklisted as early as 2004.

    Figure 1. Sample spam emails with malicious .ZIP attachment that contain the downloader malware, TROJ_CRYPCTB.SMD

    The attachment is actually a downloader malware, detected as TROJ_CRYPCTB.SMD. This malware connects to several URLs, leading to the download of the CTB-Locker malware onto the computer. This ranswomware is detected as TROJ_CRYPCTB.SME. Checking these URLs, we determined that they are all compromised and based in France. The malware goes through a round-robin type of method to select which URL to download the malware from.

    Here’s a diagram explaining the attack, whose infection chain begins with the spammed message accompanies with a malicious .ZIP attachment as show in the sample spam in Figure 1.

    Figure 2. Sample CTB-Locker infection chain

    New Developments

    The older TROJ_CRYPCTB.A variant seen in July gave users only 72 hours, while this new one allots users 96 hours for payment. The extension of the deadline might be for practical reasons: a longer deadline could mean more victims will be able to pay the fee.

    Pressing “next” leads to a page that displays a “Test Decryption” portion, in which the malware entices users with this freebie. The “Test Decryption” portion allows decrypt for five random files, seemingly to convince users that the decryption actually works. There are additional instructions that inform the user not to rename or delete files, and only chosen files will be decrypted. The malware also displays the ransom message in other languages like German, Dutch, and Italian.

    Pressing ‘Next’ leads to the payment page, where the malware instructs victims to pay the amount of 3 BTC or $USD 630 in order to proceed with the file decryption; otherwise, all the files will permanently remain encrypted. The message also includes instructions on paying the ransom via Tor browser. Below is a comparison between the older CBT-Locker variant we saw in July 2014 and its latest version.

    Figure 3. New CBT-Locker variant demands up to $USD 630 or 3 BTC in order for users to decrypt their files

    The message states that victims must pay the ransom by the deadline. Otherwise, all the files will permanently remain encrypted.

    Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted.

    The free decryption can be seen as a way to convince users to pay the ransom. Decrypting the files show the victim that their other files can actually be recovered—if they pay the fee.

    Figure 4. “Free decryption” service

    Another unique function or feature found in this variant is that the ransom message gives the user the option to select the language, apart from English. So far, three more languages were spotted:, Italian, German, and Dutch.

    Figure 5. Random messages in three more languages. Top left: Italian; Top right: German; Bottom: Dutch

    Protection Against Crypto-Ransomware

    The first line of defense in staying protected against this new type of ransomware is knowing how to properly discern spammed emails from legitimate ones. Though some emails may look legitimate in nature, it’s always best to check the sender’s address, subject line, and of course email contents for anything that appears suspicious.

    Always remain cautious when dealing with unfamiliar files, emails, URLs, and most especially, email attachments. While it might be tempting to take the “free decryption” bait and pay the ransom, there is no guarantee that the cybercriminals will actually decrypt your files and have everything back to normal.

    Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

    Related hashes for the downloader of CRYPCTB ransomware:


    Related hashes for CRYPCTB:

    With additional analysis by Homer Pacag, Lala Manly, Merianne Polintan, Michael Casayuran, Paul Pajares, Rika Gregorio and Ruby Santos

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    2014 became the year that placed PoS (point-of-sale) threats in the spotlight. Make no mistake—PoS threats have existed for years. However, the Target data breach last January was the first incident that made the general public notice this threat.

    2014: the Year of PoS Malware

    While the Target breach may have been the first PoS-related incident of 2014, it soon became clear that it wouldn’t be the last. By the end of the third quarter of the year, six new variants of PoS RAM scraper malware were found—the same number of variants found between 2011 to 2013.

    What makes this development more interesting is that these new variants either borrowed the functionality of their predecessors or are direct evolutions of older PoS RAM scraper families.  For example, Backoff is a predecessor of Alina. Backoff was reported to have been used in attacks aimed at Dairy Queen and United Parcel Service (UPS).

    This is not to say that these were the only variants that were active in 2014. The much publicized breach experienced by Home Depot was linked to a known PoS family called BlackPoS—the same malware family used in the Target data breach. PoS malware was also spotted right before Thanksgiving weekend in the US—the weekend known for holiday shopping. Another PoS malware, called LusyPoS, was seen in Russian underground forums.

    PoS-related Activities in the Underground

    Due to the growing popularity of PoS RAM scrapers as a tool for quick monetary gain, development kits promptly started surfacing in the cybercriminal underground. One such tool is VSkimmer, a builder tool for PoS RAM scrapers that emerged in 2013.

    After stealing credit card data via RAM scrapers, most scammer then proceed to sell the stolen credit cards in batches in forums. Transactions are completed using Bitcoins, Western Union, MoneyGram, Ukash, and WebMoney, among others, as these offer convenience and anonymity to both buyers and sellers.

    Much like legitimate businesses, supply and demand affects the underground heavily. Different card brands have different unit prices in the underground carder marketplace based on availability and demand. Buying credit card data in bulk reduces the unit price, in some cases by up to 66%.

    One curious discovery is that the unit price of Discover and American Express (AMEX) cards is higher than the unit price of Visa and MasterCard cards. This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, there is no definite reason why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data.

    Expanded Targets

    The expansion of PoS-related activities in 2014 also saw the expansion of targets. Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots.

    Researchers from security firm Census presented data about PoS attacks targeting travelers at airports. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. The researchers were able to craft a simple attack that allowed them to scrape passenger information from these kiosks. Security firm IntelCrawler talked about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities.

    Parking lots/garages became a popular target for scammers to steal payment information. A U.S. parking facility service provider suffered from a compromise of their payment processing systems in 17 parking facilities. Another parking service, Park ‘N Fly, also suffered a data breach that saw stolen information used in schemes involving fraud. Another service,, was the victim of the cybercrime gang behind the Target and Home Depot breaches.

    The Future of PoS Attacks

    So what does the future hold for PoS attacks?

    With PoS RAM Scrapers becoming prominent threats, big businesses will be investing heavily into cybersecurity to prevent targeted attacks of this type. Cybercriminals will thus refocus on SMBs (small-medium businesses) as these may not necessarily have the cybersecurity budgets enterprises have to prevent PoS breaches. We will see a high volume of SMBs get compromised and collectively that might account for a bigger breach than compromising Enterprises.

    Implementation of new measures like the new Europay, Mastercard and Visa (EMV) standards and the PCI DSS v3.0 compliance standards will significantly change the PoS playing field for cybercriminals. These two measures will come into full effect by October 2015— expect to see a decline in PoS data breaches as the cybercriminals attempt to figure out new efficient hacks into the upgraded systems and environments. It might take them a couple of months, possibly well into mid-2016, before they can start fully breaching the PoS environments again.

    Given all of the above, cybercriminals are sure to find new methods for data breaches via third-party vendors who have access to enterprise/corporate networks. These will remain the weakest link in the chain and the ones which will be exploited the most as they will not have the same level of security as enterprises.

    There has been a lot of law enforcement agency focus on investigating these data breaches but so far, no big arrests have been made. Some of these agencies will be closing investigations and making arrests that will make headlines.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    A pro-Russian group called CyberBerkut claimed responsibility for a recent hack on certain German government websites in early January. We were able to gather some information on some of its members based on Pastebin data that had been leaked by the Ukrainian nationalist political party (Pravy Sektor).

    A Background on CyberBerkut

    CyberBerkut is an organized group of pro-Russian and anti-Ukrainian hacktivists. The group’s name was derived from Ukraine’s special police force named Berkut (or “golden eagle” in Ukrainian), which was created in 1992 under the Ministry of Interior Affairs. Not only did the CyberBerkut group use the Special Forces’ designation, they also imitated their insignia. Below the CyberBerkut name reads their slogan “We Won’t forget, We won’t forgive.”

    Figure 1. Left: Ukraine’s special police force insignia; Right: CyberBerkut insignia

    Berkut was created for high-risk interventions during riots and hostage situations, similar to the SWAT (Strategic Weapons and Tactics) team in the United States. It was rumored, however, that the former president of Ukraine, Viktor Yanukovych, had been using the Berkut for various violent intents against Ukrainian protesters. The Berkut unit is remembered for its violent intervention during the Euromaidan protest last November 2013.

    The Euromaidan protest marked the beginning of group CyberBerkut, which has since been involved in different cyber attacks toward different western government entities. They claimed responsibility for all of their attacks on their website and social network profiles.

    Taking Credit for Attacks on German Government websites

    On January 7th 2015, CyberBerkut made an announcement on their website, Twitter, and Facebook accounts that they brought down websites for Germany’s parliament and Chancellor, Angela Merkel. According to reports, the websites did not load for several hours, but the German government announced two days after the attack that “they’re in the midst of getting things back to normal.”

    Figure 2. Announcement of the German government website hack on the CyberBerkut website.

    The pro-Russian cyber hacktivism group expressed their opposition against the independence of Ukrainians and its current government, accusing them of being behind the creation of the ongoing conflict in Crimea. CyberBerkut also accused Germany and the United States for helping Ukraine in this matter.

    Other organizations have also been targeted and accused of the same counts. Take for instance, the attack on NATO websites last March 2014, Polish websites last August 2014, as well as the Ukrainian Ministry of Defense last October 2014. CyberBerkut claimed that the Ukranian Government received secret information about the MH17 investigation and posted leaked document on their website.

    The Cyrillic version of the CyberBerkut website includes a section called “BerkutLeaks” that doesn’t show up on the English version of the site. The URL is listed as the following:

    Figure 3. The ‘BerkutLeaks’ section of the CyberBerkut website lists several documents leaked regarding specific individuals considered as traitors.

    Who is part of CyberBerkut?

    It is difficult to exactly identify the individuals involved in a hacktivist group as the group is usually composed of several people using different monikers. For this CyberBerkut, we know for a fact that there are at least 4 members, and their handles are “Mink,” “Artemov,” “MDV,” and “KhA.”

    On January 7th 2015, the same day the German attack happened, personal information about certain members of the cyber group had been posted on Pastebin by “PravyjSektorUANationalistsUkraineAnon ” of the Pravy Sektor (Ukrainian right wing activists). The Pastebin post has since been removed but we were able to take a screenshot.

    Figure 4. Pastebin post containing information on CyberBerkut members

    Below is a rough translation of the text:

    / **

    * Members CyberBerkut tasks

    * Here are the key members CyberBerkut exposed

    * (CyberBerkut @ Cyberberkut1)


    * Brought to you right quadrant

    * ##PravyjSektorUANationalistsUkraineAnon ##

    ** /


    Full name: Alexander Ulyanov

    Aliases: MDV

    Date of Birth: 24/03/1986

    Country: Russia

    Residence: 14 Polozova Street, St. Petersburg

    I.T.B Identification: 649


    Notes: Found at ITB database, he lead the operation Privat. Interference in the work of the Central Election Commission of Ukraine by IFES damage to the system before the election. Temporarily blocked the work of MOI of Ukraine and the Prosecutor General of Ukraine. Temporarily blocked the work sites of TV channels “Inter” and “1 + 1″. The attacks on the NATO website. The attack on the websites of private military companies in the US.

    Full Name: Zac Olden

    Aliases: Mink, M. Rodchenko

    Date of Birth: Unknown

    Country: Australia

    Residence: Unknown



     Notes: Hacking mailbox and publication of correspondence IV Kolomoiskiy with the prosecutor in Lviv region, and computer hacking and e-mail Assistant oligarch. Also lined with the contents of the archives 89 email accounts of employees of the Lviv regional prosecutor’s office. He is the leader of retribution network (


    Full name: August “Artemov” Pasternak

    Aliases: Artemova, Artemov

    Date of Birth: 07/04/1994

    Country: UKRAINE

    Residence: 194, 15 Pushkin, Megeve, Dnipropetrovsk region

    I.T.B Identification: 151403

     Notes: Putting public access telephone recording Supreme representative of the European Union for Foreign Affairs and Security Policy Catherine Ashton and Foreign Minister Urmas Paet. Hacking and publication of the correspondence of the Acting Minister of Internal Affairs of Ukraine AB Avakova.

     Zac Olden aka ”Mink”

    The member named Zac Olden (alias: “Mink”) caught our attention so we decided to dig up a little more information on him. The initial data we had from the Pastebin post was:

    Full Name: Zac Olden

    Aliases: Mink, M. Rodchenko

    Date of Birth: Unknown

    Country: Australia

    Residence: Unknown



    Notes: Hacking mailbox and publication of correspondence IV Kolomoiskiy with the prosecutor in Lviv region, and computer hacking and e-mail Assistant oligarch. Also lined with the contents of the archives 89 email accounts of employees of the Lviv regional prosecutor’s office. He is the leader of retribution network (

    Our findings revealed that he has been involved in more than just what it is mentioned in the Pastebin post.

    Figure 5. Graph that summarizes different information about “Mink.” (Click the image above to zoom in)

    Mink uses different monikers such as “Videsh”, “Videshkin” and “Gmr.” We found that he is part of different Russian underground forums such as,, damagelab, and an old security focused forum named

    He also owns a website that is a fake version of a legitimate Australian Bead online store.

     Real store:

    Fake Store:

    Here are the emails addresses he uses:


    On the Russian social network he advertises the forum and a website named


    • net
    • cc
    • sx
    • com
    • in

    The fake names he uses are “Kolesnikov Alexandr“ and  “MIKHAILOVICH RODCHENKO.” His other online profiles can be found here:

    • Skype: CyberBerkut

    Mink has a Pastebin account where you can find his different posts. He appears to be a bit paranoid about his fellows colleagues and on Oct 14th 2014, he declared “MDV” a traitor and released information about him, which can be found at the following Pastebin link:

    He also did the same thing to “artemova” on Jun 16th 2014, with the information found at this Pastebin link:

    Regarding CyberBerkut websites, we found the following information:

    Figure 6. has been registered using the above information.

    Figure 7. Information about the domains associated with Click the image above to zoom in.

    There is only little information about the domains as they are behind a CloudFlare infrastructure.

    How does CyberBerkut Perform Their DDoS Attacks?

    Last May 14 2014, CyberBerkut posted a new message on their VK profile and asked for volunteers to join the battle against Ukraine by running a DDoS tool dubbed as ClientPort. The tool came in two versions: one for Windows and one for Linux. The attack was allegedly executed on May 14, 2014 at 10 AM. In addition, the group also asked the persons joining the said attack to visit their website (  to download the tool.


    Figure 8. Original VK post


    Figure 9. Original page of

    We were able to get a copy of both versions of the ClientPort tool. The ClientPort tool connects to Tor and then connects to epwokus5rkeekoyh.onionto get the domain name that should be targeted. The ClientPort tool can perform routines such as HTTP connection flooding, UDP flooding, and TCP flooding. This is a typical case of botnet by agreement. We also suspect that the latest DDoS attacks may have been perpetrated the same way, by recruiting Pro-Russia volunteers to join the cause. Volunteers are recruited via their several social networks profiles such as VK and Odnokalsninki and any other social networks where CyberBerkut has pages:



    CyberBerkut members are first and foremost Pro-Russians cyber-criminals, fighting for a political cause. As with most hacktivist groups, they used distributed denial-of-service (DDoS) attacks to take down and disturb official government websites, as well as infect specific targets. This is all done in order to gather email credentials to read their target’s communication and documents. The malware used could either be a Trojan, keylogger or other forms of badness they would leverage to gain their victims’ email credentials.

    CyberBerkut’s attacks are definitely falling into the targeted attack umbrella type of threats as they are politically motivated and have targeted operations.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice