To defend against cyber attacks, it is helpful to know who the hackers are, what they do, how they coordinate with each other and, above all, how criminal hacking organizations work. To find out, we snuck into a criminal group – here’s what we found.
The term hacker derives from the English to hack, which means to cut or tear apart. In particular, taking up the definition of the Treccani vocabulary, a hacker is someone who “using his knowledge in the programming technique of electronic computers, is able to illegally penetrate a computer network to use data and information contained therein, for more in order to increase the degrees of freedom of a closed system and teach others how to keep it free and efficient”.
Many people are unaware of what lies behind the term hacker: what tools hackers use, how they coordinate, and what their goals are. To find out, we look below at how a criminal group, which we will call by the fictitious name of BadKitties, operates.
How The Hacker Group Will Be
It was a day like any other, and like every other day, in the evening I checked my “trap” computers, which are vulnerable to RDP brute-forcing attacks with “administrator” and “admin” credentials. As usual they had been “holed”, and in the folders managed by some of my scripts I found some malware other than the ransomware that is usually found in these situations.
I immediately set about analyzing the device, searching for what the hacker who had previously connected had put on it, and, looking at some processes, I saw unknown, malicious executables run by tasks that I had not created.
BadKitties Hacking Team: how to become a Hacker
BadKitties is a well-structured hacker group made up, to date, of more than 400 members. Starting your career within this criminal group is relatively easy. As soon as you receive an invitation from a member, you will need to contact the group leader through a “Telegram Bot” to be given instructions to start “working” in the sector.
After sending the bot’s contact request, I didn’t have to wait more than 10 minutes for “X” to send me a direct message: the speed with which I received the feedback was incredible.
We then began to write to each other via Telegram. After collecting some information about the group dynamics, I began to ask about him and what his role was within the organization.
Without any problem, he told me that he was the “Boss” of the group and that, due to a series of misunderstandings, he believed I was another person from whom he was expecting a message: from that moment we began to get to the heart of the matter and the most important thing was explained to me.
Telegram and Hackers
In the Telegram group used for communications and the sale of information, the “Files” section contains TXT files with CSV formatting that hold large databases of credentials for various types of sites and services. Here are some of the brands present:
Other files that can be found there are old versions of web scanners, batch files, key generators, ransomware payload generators, various types of databases containing leaks, IP lists and much more.
The platform guarantees a certain level of anonymity, and it is also possible to use bots to satisfy the needs of those who manage these “teams” in an automated way.
The most common Attacks
Today, the most common and effective hacker attacks reach our systems through emails using various methodologies that can be more or less effective. Here are some examples:
- Identity theft: after a user’s credentials are stolen, they are used to send emails containing suitably obfuscated “VBA.Downloaders” to all the contacts with whom that user regularly communicated;
- MITM (Man in The Middle): control of the flow of emails between two interlocutors, with minor alterations made to the conversation; for example, when a payment is due for a service or a certain quantity of goods, the IBAN contained in the attachment, or written in plain text in the message body, is changed;
- Spear phishing: targeted, carefully researched phishing designed to be effective against the chosen victim;
- Phishing: phishing with generic content, sent as mass emails so that the statistics work in the attacker’s favour.
The most common Payloads
Usually, the most effective types of malware are those that look “most common”: by now anyone knows that an executable (.exe) sent by email should not be opened, but few know that even “Microsoft” files such as Word (.doc), Excel (.xls) and PowerPoint (.ppt) documents can contain macros written in Visual Basic which, once activated, can compromise the entire device and, in the most desperate cases, the whole IT infrastructure.
The following are the most used extensions for email attacks:
- .xls, .doc, .ppt, .xlsx, .docx, .pptx (and other Microsoft Office extensions), .vba, .vbs, .js, .jar, .jse, .msi, .scr, .lnk, .pif, compressed file extensions combined with password protection, .htm, .pdf, .bat
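The extension list above can be turned into a mail-gateway style check. The following is an added example, not code from the original article: it parses a message, flags attachments whose extension is on the list, and flags ZIP archives whose members carry the encryption flag. Treating `.zip` as the compressed format, the function names and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions from the article's list; treating .zip as the archive type is an assumption.
RISKY_EXT = {".xls", ".doc", ".ppt", ".xlsx", ".docx", ".pptx", ".vba", ".vbs", ".js",
             ".jar", ".jse", ".msi", ".scr", ".lnk", ".pif", ".htm", ".pdf", ".bat"}

def zip_is_encrypted(data: bytes) -> bool:
    """True if any archive member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that deserves a second look."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            findings.append((name, "extension " + ext))
        elif ext == ".zip" and zip_is_encrypted(part.get_payload(decode=True)):
            findings.append((name, "password-protected archive"))
    return findings

def build_sample() -> bytes:
    """Constructed message: one Office file, one 'encrypted' zip, one plain zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "placeholder")
    plain = buf.getvalue()
    locked = bytearray(plain)
    locked[locked.find(b"PK\x01\x02") + 8] |= 0x1  # set encrypted bit in the central directory
    msg = EmailMessage()
    msg["Subject"] = "Updated invoice"
    msg.set_content("Please see attached.")
    for fname, data in (("Invoice.DOCX", b"x"), ("scan.zip", bytes(locked)), ("photos.zip", plain)):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in triage(build_sample()):
        print(f"{name}: {reason}")
```

A flagged attachment is a candidate for quarantine or sandboxing, not proof of malice: most .pdf and .docx files are legitimate, so the extension match works best combined with the other indicators discussed in this article.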
How to Recognize an Attack and what to do to Protect Yourself
To effectively detect a hacker attack, you need to be aware that anything that can reach us via email can compromise our system after a few clicks.
With this firmly in mind, it is necessary to pay attention to grammatical errors, unexpected data changes by one of our suppliers or customers, requests for special permissions to open attached files and, finally, the time at which the email was received.
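One of these checks, spotting an unexpected change in a supplier's payment details (the IBAN swap described under MITM above), can be automated. The following is an added example, not code from the original article: it extracts IBANs from a message body, validates them with the ISO 13616 mod-97 check, and compares them with the IBAN held on file. The function names and message bodies are constructed, and the two IBANs are the widely published documentation examples.

```python
import re

# Candidate IBANs: country code, two check digits, then groups of four separated by optional spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def normalize(iban: str) -> str:
    """Strip whitespace and upper-case so that formatted and compact forms compare equal."""
    return re.sub(r"\s+", "", iban).upper()

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map A-Z to 10-35."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def check_payment_details(body: str, iban_on_file: str) -> list[str]:
    """Return one alert per IBAN in the body that is malformed or differs from the one on file."""
    expected = normalize(iban_on_file)
    alerts = []
    for candidate in map(normalize, IBAN_RE.findall(body)):
        if not iban_is_valid(candidate):
            alerts.append(f"{candidate}: fails mod-97 check")
        elif candidate != expected:
            alerts.append(f"{candidate}: differs from IBAN on file")
    return alerts

# Constructed data: the supplier record and two versions of the same invoice email.
SUPPLIER_IBAN = "GB82 WEST 1234 5698 7654 32"
LEGIT_BODY = "Invoice 1042 is due on the 30th.\nPlease pay to IBAN GB82 WEST 1234 5698 7654 32\nRegards"
TAMPERED_BODY = "Invoice 1042 is due on the 30th.\nPlease pay to IBAN DE89 3704 0044 0532 0130 00\nRegards"

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("tampered", TAMPERED_BODY)):
        print(label, check_payment_details(body, SUPPLIER_IBAN))
```

An IBAN substituted by an attacker will normally pass the checksum, which is why the comparison with the record on file matters more than the validity check. Any mismatch should be confirmed with the supplier through a channel other than email.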
Most malware campaigns are targeted at emails with company domains, but even a private user can fall into the dense web of spam.
Unfortunately, the most significant vulnerability is human interaction. It can only be patched through education and awareness of what can happen when working with any internet-connected device.
To conclude, to mitigate cyberattacks, some practical measures can be:
- keeping the OS at the latest stable version;
- keeping anti-virus and anti-malware software up to date;
- use of dedicated antispam;
- firewall upstream of the network;
- engaging a Security Operations Center (SOC) for proactive monitoring of the infrastructure;
- SIEMs configured with alerting rules for suspicious activity.