Security Alert: The Shadow Brokers Retire, Release Free Windows Hacking Tools, but Keep Previous Sale Online
Cybercriminals can still purchase a batch of Windows hacking tools for 750 BTC
The Shadow Brokers are back with another “yard sale”, which may become the source of a new wave of attacks targeting systems running Windows.
UPDATE [January 12, 2016]: The Shadow Brokers just announced two hours ago that they are ‘going dark’, along with releasing several Windows hacking tools to the public for free.
In their final goodbye note, they announce that it was always about the money (in this case, Bitcoins) and that they would only come out of hiding if their Bitcoin wallet received 10,000 BTC.
Before going silent, The Shadow Brokers announced that they will not close their offer to sell a batch of Windows hacking tools for 750 BTC. (For context, see the details of the alert below.)
At the same time, they released an archive with 58 Windows hacking tools to the public, which, fortunately, are currently detected by Kaspersky antivirus. This batch of tools can be downloaded from their website (at your own risk) and the password needed to unlock it is “fucktheworld”.
Excuse me, I must take my leave [失陪, shī péi] pic.twitter.com/wHoMBF7DLY
— theshadowbrokers (@shadowbrokerss) January 12, 2017
Security Alert: The Shadow Brokers are Trying to Push Windows Hacking Tools to Mass Market
For those of you new to the topic, The Shadow Brokers is a notorious threat actor or group of black-hat hackers credited with publishing exploits, vulnerabilities, and “powerful espionage tools created by the National Security Agency’s elite group of hackers” (source: Washington Post, August 2016).
The Shadow Brokers’ activity is also tied to The Equation Group, another threat actor whose level of sophistication astounded even some of the most experienced malware researchers in the world.
But now the group is trying to sell another batch of Windows-based hacking tools. They announced the sale on Twitter, using a few words and two screenshots:
— theshadowbrokers (@shadowbrokerss) January 8, 2017
The newly advertised website claims that, for a total price of 750 BTC (Bitcoins), the buyer can purchase the entire database of hacking tools that The Equation Group used, which are entirely focused on the Windows platform.
The Shadow Brokers also provide a short description of the many different tools that can be used to compromise Windows systems and, once those systems have been enrolled into a central botnet, to control them remotely.
Here is the list of tools, their type and their respective prices:
DanderSpritz All – DanderSpritz Everything – 250.0 BTC
DanderSpritz Base – DanderSpritz LP Only – 25.0 BTC
PC2.2 – DanderSpritz RAT – 25.0 BTC
ST1.14 – DanderSpritz Backdoor – 25.0 BTC
LegacyWindowsExploits – DanderSpritz Exploits – 25.0 BTC
DAPU – DanderSpritz Plugin – 10.0 BTC
Dark Skyline – DanderSpritz Plugin – 10.0 BTC
Demi – DanderSpritz Plugin – 10.0 BTC
Df – DanderSpritz Plugin – 10.0 BTC
DmGz – DanderSpritz Plugin – 10.0 BTC
Dsky – DanderSpritz Plugin – 10.0 BTC
EP – DanderSpritz Plugin – 10.0 BTC
Flav – DanderSpritz Plugin – 10.0 BTC
Gath – DanderSpritz Plugin – 10.0 BTC
GeZu – DanderSpritz Plugin – 10.0 BTC
GrCl – DanderSpritz Plugin – 10.0 BTC
GrDo – DanderSpritz Plugin – 10.0 BTC
Grok – DanderSpritz Plugin – 10.0 BTC
Pacu – DanderSpritz Plugin – 10.0 BTC
Pc – DanderSpritz Plugin – 10.0 BTC
Pfre – DanderSpritz Plugin – 10.0 BTC
SCRE – DanderSpritz Plugin – 10.0 BTC
StLa – DanderSpritz Plugin – 10.0 BTC
Tedi – DanderSpritz Plugin – 10.0 BTC
UtBu – DanderSpritz Plugin – 10.0 BTC
Zbng – DanderSpritz Plugin – 10.0 BTC
The description of these tools (which you can see in the screenshots below) clearly states how they can be applied in practice. The database put up for sale also includes different types of exploits and other tools aimed at fuzzing Windows components.
The Remote Administration Tool (RAT) DanderSpritz that we see in the list also appears in several of the documents that Edward Snowden previously leaked. Now this tool, among others, can be bought and used by cyber criminals.
The tools are constantly being monitored to identify whether they are used, standalone or in combination with other malicious software, and when and where that happens.
For more information, follow this website, but please know that you are doing so at your own risk:
https://onlyzero [.] net / theshadowbrokers.bit / page / windows /
While this sale could follow the path of the previous auction attempt by The Shadow Brokers, it could also mean that cyber criminals have a new set of tools they can use to launch attacks from new and unexpected angles.
*This article features cyber intelligence provided by CSIS Security Group researchers.