* In order to preserve confidentiality, the name of the company is withheld.
CyberSEALs was contacted by one of the largest strategic state-owned enterprises (a major contributor to the state budget) about spam attacks against its mail server.
During the investigation (OSINT / underground sources):
- the command-and-control center (the bot's admin panel) was located
- an OS dump of the server was obtained from the hosting provider
- the OS dump was analyzed
It was also found that:
- Smokebot is a modular bot: once loaded, it carries out all of its tasks and then removes itself, i.e. it does not remain installed on the system
Modules:
- STEALER is a module that collects saved passwords from various programs (browsers, FTP and mail clients); all collected passwords are sent to the control center (the bot's admin panel)
- FORM GRAB is a form grabber that works in real time in all browsers, intercepting all POST requests: login forms, payment data, etc.
- PASS SNIF is a password sniffer that works in real time across all applications and intercepts passwords; all captured data is likewise sent to the admin panel
The person behind the operation was identified, along with their accounts on underground forums, which established:
- forum name
- registration date
- number of posts on the forum
- most posts made in the security and hacking section
- date of last visit to the forum
Analysis of the forum activity showed that the hacker was looking for a loader to deliver software that would infect executable files on all disks, flash drives, etc., in the hope that after an OS reinstall without formatting the infected executables would relaunch the loader and restore the bot. The hacker's budget for this was $3,000.
Approach and result
- a background check was carried out
- a blocking model was built and subsequently verified
- it was determined that the hacker was a candidate for employment at the client's company
- the client declined to hire the compromised candidate
Business effect
- financial risks averted
- reputational risks prevented