Security experts from Kaspersky Lab discovered an interesting one-stop-shop for purchasing hacking goods while investigating activity of a popular RAT.

Security experts from Kaspersky Lab discovered an interesting one-stop-shop for purchasing hacking goods. The malware researchers were analyzing traffic from a number of infected machines that appear to be generated by the HawkEye RAT.

HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.

The domain was used as a C&C server of the HawkEye RAT and at the same time was also being used as a one-stop-shop for purchasing hacking goods.

Kaspersky discovered a group of WhiteHat hackers who call themselves Group Demóstenes who scans the Internet and looking to exfiltrate stolen data from Command and Control servers.

When the hackers find a server containing the stolen data they look for a backdoor that would give them access to the filesystem. In this way they monitor incoming stolen data, then they would collect the stolen credentials and send emails to the victims’ accounts, both manually or automatically.

The email send to the victims includes an attachment with proof that their machine has been hacked and the suggestion to change passwords and offer to help.

Hi *********** Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******

WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)

Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer Name PC USER-PC

Local Time: 03.10.2016. 18:45:02

Installed Language: en-

Net Version: 2.0.50727.5485

Operating System Platform: Win32NT

Operating System Version: 6.1.7601.65536

Operating System: Microsoft Windows 7 Home Premium

Internal IP Address: 192.168.0.101

External IP Address:

Installed Anti virus: Avast Antivirus

Installed Firewall: have a keylogger harm report All That You write, messages, passwords or more. ¿Why we do it?

We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.

Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress. PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS

Back to the one-stop-shop discovered by Kaspersky, the experts discovered it is composed of a back-end for storing stolen credentials and a front-end for selling some of them, alongside many other hacking “goods”.

“To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.” states the analysis published by Kaspersky.

The shop allows users to register an account in order to make purchases. Kaspersky discovered the C&C was affected by a crucial vulnerability which allowed researchers to download the stolen data.

Among the items offered for sale, there are scam pages specifically designed to target Amazon, Apple, Netflix and even National Bank of Australia and Barclays.

The shop also includes information regarding the support to receive while using scam services.

The researchers discovered stolen credentials for sensitive applications across multiple industries, including government, healthcare, banking and payment web applications.

“Among them is the following web server which belongs to the Pakistani government.” states the report. “As mentioned, hundreds of machines were found to be compromised by just one C2.”

Researchers from Kaspersky obtained the attackers’ credentials from one very small file that was discovered on the server.

The analysis of affected users revealed they are mostly located in APAC (i.e. Japan, Thailand, and India) and Eastern Europe (i.e. Russia and Ukraine).

Pierluigi Paganini

(Security Affairs – one-stop-shop, hacking)

Share this...

Linkedin Reddit Pinterest

Share On