Account Takeover & Analysis of Brute Force Style Tools

Lounge Fly
10 min read · Jan 11, 2021

Summary

Account takeover is an ongoing threat to any organization, commonly resulting in the theft, sale, or purchase of personally identifiable information (PII) or other sensitive data through a number of methods. One such method is credential validation attacks (CVA).

Credential Validation Attacks (CVA), also known as credential stuffing, are a type of brute force attack in which attackers take collections of usernames and passwords, typically obtained from earlier leaked data dumps from breaches such as LinkedIn, and attempt to validate those credentials on other sites, such as financial sites. Confirmed valid credentials can then be sold or used for account takeover.

Financial companies are a prime target for CVA, brute force and password-guessing style attacks. Successful entry into bank accounts provides much value, particularly when it comes to facilitating fraudulent activity such as transferring funds through unsuspecting money mules. Financial companies are not the only target, however. A recent example is The North Face, which reset its customers’ passwords after attackers launched a credential-stuffing attack against the popular outdoor outfitter’s website. In a recent data-breach notification, the company alerted customers to unusual activity involving its website, thenorthface.com, on October 9. Further investigation revealed that the attacker had previously obtained the email address and password from another source and subsequently used those same credentials to access the account on thenorthface.com.

Brute force tools that have been leaked or purchased on the dark web and various communication channels such as Telegram facilitate much of this activity. Some of these brute force tools also include extended capabilities such as bypassing or avoiding common CAPTCHA methods. Other methods include paid CAPTCHA solving services using real human workers to solve the CAPTCHAs. A few of these services include 2Captcha, DeathByCaptcha, and AntiCaptcha.

This article aims to provide a glimpse into the functionality behind these tools and highlights several features, such as CAPTCHA bypass and the randomization of variables such as user agents, illustrating the need for continuous research and intelligence gathering to stay ahead of the bad guys.

Technical Analysis

BruteCore by Zaramsim

The first tool examined was developed in 2020 by a threat actor and developer of a number of unique brute force tools who goes by the handle Zaramsim. Zaramsim appears to be a native Russian speaker who is active in several illicit communities, including Best Hack Forums, WWH-Club and Raid Forums. Throughout 2020, Zaramsim’s tools have been advertised on those forums. Examples of targets for these tools include:

  • Steam
  • Apple
  • PayPal
  • Mail.ru
  • Several Banks

Many of these leaked tools can be examined by searching for them on VirusTotal, but a VT Intel account is required.

https://www.virustotal.com/gui/search/zaramsim/files

A number of tools in the search results go by the name BruteCore. BruteCore tools tend to be designed for specific targets rather than taking a one-size-fits-all approach. The sample examined in this article targets Mail.ru (SHA256: 0b3b7db2d8f244b802156a38d01ddbf681ee00e768f2d777ad468a3ae358a9ae).

The GUI for BruteCore is quite simple. A quick glance at some of the options gives an idea of the tool’s capabilities. Like most such tools, it takes a wordlist as input and supports proxies, thread control and user-agent customization.

Dynamic analysis in an isolated environment (so the tool cannot reach its target), combined with network traffic analysis in a tool such as Wireshark, makes it easy to confirm that the tool is functional.

To gain better insight into the tool, and possibly its developer(s), we opened it in dnSpy to analyze the .NET code. All of the brute force tools examined in this article are written in .NET. Running a sample through a tool such as Detect It Easy shows the library in use; this is one simple way to make that determination and to see whether we might be dealing with a packed or obfuscated sample.

Detect It Easy — BruteCore

An overview of some of the information once loaded into dnSpy.

The metadata provides information such as versioning, authorship, production times and the frameworks used. Browsing through the structure of the program allows a few quick determinations. First, and thankfully, the code is not obfuscated, so we do not have to deobfuscate it to determine what the functions are doing. Second, compared to some of the later samples examined, the code is clean and organized, which allows us to speculate a bit on the developer’s capability. This can be important when classifying the level of a threat actor.

The class BruteForceEngine.Brute appears to contain the basic overall workflow of the tool, so it seemed like a good place to begin the analysis. Four main functions support the class: Run(), Stop(), UpdateStatistics(), and Work().

A number of other functions are called from within these four, alongside the code that handles successful attempts, unsuccessful attempts, errors and details such as proxy configuration, as shown in the left navigation in the image below.

BruteCore Functions

Moving through the initial functions, we can quickly see that Run() and Stop() are not very interesting and do exactly what you would expect. UpdateStatistics() is passed the result of the Work() function, which appears to contain most of the functionality.

Work Function

Work() passes the login and password arguments to another function, CheckerRaw(), and stores the result.

CheckerRaw() appears to be the function responsible for making the connections to the target, in this case mail.ru. Moving into the Request class, the first piece of code we see appears to randomize the iOS version passed in the request. There are also references to a function called GenerateSensorData(). This function appears to generate data that makes the client look less like a bot or automated program, in order to circumvent security controls that detect such activity.

Scrolling a bit further, the code takes the assigned user agent or picks one from the list specified in the BruteCore settings. The next few lines construct the request headers, followed by the POST request to the login endpoint. Lastly, an if/else statement determines failure or success.

Request Function

That is the basic overview of the BruteCore tool by Zaramsim. It is simple, effective, and contains all of the functionality needed to mimic a legitimate connection to its target. Other .NET versions of the various BruteCore tools identified on VirusTotal had similar construction; however, there were also several unconfirmed tools linked to Zaramsim that used packers or were developed in entirely different languages such as C.
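On the defensive side, the request pattern just described (a combo list of accounts, a user agent picked from a list, mostly failed logins) is what a detection over authentication logs should key on. The following is an added example, not code from the article or from BruteCore; the log format and the sample lines are constructed for it.

```python
from collections import defaultdict
# Constructed sample log (not real data): "timestamp src_ip username outcome user_agent".
# 203.0.113.7 behaves like a combo-list tool with a User-Agent list: a different
# account and a different UA on every request, with nearly every attempt failing.
SAMPLE_LOG = """\
1610000001 203.0.113.7 alice@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X)
1610000002 203.0.113.7 bob@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X)
1610000003 203.0.113.7 carol@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)
1610000004 203.0.113.7 dave@example.com OK Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X)
1610000005 203.0.113.7 erin@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)
1610000006 203.0.113.7 frank@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X)
1610000007 198.51.100.20 alice@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1610000011 198.51.100.20 alice@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1610000015 198.51.100.20 alice@example.com OK Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

def per_source_stats(log_text):
    """Aggregate attempts, failures, distinct accounts/UAs and successful accounts per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(),
                                 "agents": set(), "ok_users": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome, ua = line.split(maxsplit=4)  # UA keeps its spaces
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += outcome != "OK"
        s["users"].add(user)
        s["agents"].add(ua)
        if outcome == "OK":
            s["ok_users"].add(user)
    return stats

def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.8, min_agents=3):
    """Return {ip: (reasons, accounts_to_review)} for sources that look like
    credential stuffing: many accounts, mostly failing, a fresh UA per request."""
    flagged = {}
    for ip, s in per_source_stats(log_text).items():
        reasons = []
        if len(s["users"]) >= min_users:
            reasons.append("many_distinct_accounts")
        if s["failures"] / s["attempts"] >= min_fail_ratio:
            reasons.append("high_failure_ratio")
        if len(s["agents"]) >= min_agents and len(s["agents"]) == s["attempts"]:
            reasons.append("user_agent_rotation")
        # Account spraying is required; the rest corroborate. A successful login
        # from such a source is a likely takeover and goes on the review list.
        if "many_distinct_accounts" in reasons:
            flagged[ip] = (reasons, sorted(s["ok_users"]))
    return flagged
```

Grouping by source IP is the simplest cut; because these tools also rotate proxies, production rules additionally key on per-account attempt counts and on user-agent families.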

Bank Combine by GBRW

Bank Combine (SHA256: 47804fbb6bb7877cfdf15de99fd5b18f21ea6f9542ba2bc6e129563df8b7c2c0) is a brute force tool that was advertised on two forums, DedicateT and BHF, by the user Atlantis443, who was offering it free of charge. The tool was described as targeting a number of banks such as Chase and Wells Fargo. Bank Combine was uploaded to VirusTotal on 9/21/2020 and at the time of this writing has 36 engines detecting it as malicious with Trojan-like signatures. Underground forums and fraud marketplaces unsurprisingly do not discriminate on whom they target, and oftentimes programs advertised for free, and sometimes even those with associated costs, contain backdoors. This has been the case with several phishing kits, whose developers placed backdoors in the code to collect the victim information harvested by purchasers.

Running the tool in an isolated environment simply generated .NET errors regardless of the operating system or .NET version in use. Aside from the VirusTotal engine results, this was another red flag that the program does not work as intended and may be trojanized. The tool appears to target six different financial institutions. It supports the use of proxies and throttling, as most brute force tools do. Unlike the previous tool, however, the user-agent does not appear to be customizable.

BA Combine GUI

Plugging the executable into Detect It Easy yields the following results.

Detect It Easy BA Combine

The library is identified as .NET, as with the BruteCore tool. The difference here is the inclusion of the ‘protector’ field, which shows .NET Reactor. .NET Reactor is a popular intellectual property protection tool that can obfuscate code.

Again, loading the tool in dnSpy confirms the suspicion of a packed or obfuscated sample. As shown in the left navigation, the functions certainly appear to be obfuscated.

BA Combine Obfuscation

Certain tools exist to identify and deobfuscate code like this. de4dot is an open source tool written in C# that supports a number of command line options and advanced unpacking and deobfuscation techniques; in this case, however, no arguments are required to unpack the code. de4dot is able to identify .NET Reactor, clean the code and save it to a new file.

de4dot output

Loading the cleaned version of BA Combine into dnSpy shows that now all of the previously obfuscated functions appear readable.

BA Combine — Cleaned

The first six classes are not very interesting. Class3 contains a function called Main() which initializes the program and calls Form1. Form1 contains most of the functionality and visualizations so we are going to begin there.

Scrolling down within the start_Click function, there is some very alarming code in the try-catch block at the top that does not appear to have anything to do with the functionality we would expect of a brute force tool.

The code checks whether the directory %Appdata%\win exists and creates it if not. It then checks whether the file ‘Health.exe’ exists in that directory and, if not, creates it with the contents fetched from the Pastebin link. Finally, it runs the file.

Backdoor #1

At the time of this writing, the Pastebin page no longer exists and, unfortunately, no cached records of it were found. The program also has a similar routine further down in the class: it checks for a directory and a file, creates them if they do not exist, and writes the contents of the paste to the file.

Backdoor #2
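The drop-and-execute routine just described is what an endpoint detection should look for. Below is an added example, not code from the article or from Bank Combine, that flags the %Appdata%\win\Health.exe artifact and the paste-site fetch in Sysmon-style file, process and DNS events; the event records are constructed, and the tool and profile paths in them are placeholders.

```python
import re

# The trojanized sample drops and runs %Appdata%\win\Health.exe (see above). On a
# Windows host %APPDATA% expands to C:\Users\<user>\AppData\Roaming, so the rules
# match that suffix case-insensitively instead of a hard-coded profile path.
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\win\\", re.IGNORECASE)
DROP_FILE_RE = re.compile(r"\\AppData\\Roaming\\win\\Health\.exe$", re.IGNORECASE)

def is_drop_path(path):
    """True if a path is the backdoor's drop location for Health.exe."""
    return bool(DROP_FILE_RE.search(path))

# Constructed Sysmon-style events (not real telemetry). Field names follow
# Sysmon's: EventID 11 = FileCreate, 1 = ProcessCreate, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Tools\BankCombine.exe", "QueryName": "pastebin.com"},
    {"EventID": 11, "Image": r"C:\Tools\BankCombine.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Roaming\win\Health.exe"},
    {"EventID": 1, "Image": r"C:\Users\analyst\AppData\Roaming\win\Health.exe",
     "ParentImage": r"C:\Tools\BankCombine.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "pastebin.com"},
]

def detect_dropper(events, browsers=("firefox.exe", "chrome.exe", "msedge.exe")):
    """Return (rule, event) hits for the three behaviours the backdoor exhibits:
    writing into the %APPDATA%\\win directory, executing Health.exe from there,
    and a non-browser process resolving the paste site the payload is fetched from."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if ev["EventID"] == 11 and DROP_DIR_RE.search(ev.get("TargetFilename", "")):
            hits.append(("file_written_to_appdata_win", ev))
        elif ev["EventID"] == 1 and is_drop_path(image):
            hits.append(("health_exe_executed", ev))
        elif ev["EventID"] == 22 and ev.get("QueryName") == "pastebin.com" and exe not in browsers:
            hits.append(("non_browser_pastebin_lookup", ev))
    return hits
```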

Although this is apparently a trojanized version of a brute force tool, it still contains functionality we can analyze to derive potentially valuable intelligence.

Again, just scrolling through Form1 reveals some key functionality that tells us more about the tool. This if/else statement, for example, shows that this is a trial version and that the author sells the full version for $250. It is no surprise that someone would trojanize a trial rather than the full version of the tool.

Even though it is a trial, the code for targeting two of the institutions exists and can be reviewed. URLs, header information and user-agents are present, and since the tool does not appear to take any steps to randomize them, they can provide valuable indicators. We can also see from how the tool handles a CAPTCHA response that it does not appear to contain any bypass methods of the kind mentioned previously.

Web Request — BA Combine

All Bank Combine

Another brute force tool, advertised as “All Bank Combine”, was identified in early January 2020 on illicit forums and later on the Telegram channel “Hack Boss”, where brute force style tools appear to be advertised regularly. The tool has a similar name to the tool previously analyzed (BA Combine), but that appears to be the only similarity, as there is no identified overlap in the code.

Hack Boss Telegram

Two samples were found and examined independently, as one was heavily obfuscated and the other was not. Both are trial versions of the tool and appear to be the same apart from the use of a packer.

Packed/Obfuscated Sample

https://www.virustotal.com/gui/file/47804fbb6bb7877cfdf15de99fd5b18f21ea6f9542ba2bc6e129563df8b7c2c0/detection

Unpacked Sample

https://www.virustotal.com/gui/file/7c2bc875c2f56beac6816876dd9a87da55dd1297afc5f16711d7587e5ccf59e9/detection

Like the others, the library is identified as .NET, but Detect It Easy is unable to detect any protector. Exeinfo PE is a similar tool that supports packer detection and fingerprinting of PE files. It gives slightly different results and more information on what kind of obfuscation might be used in the packed sample: Exeinfo PE identifies Intellilock v.1.5.x.0 .NET Reactor.

In this case de4dot was unable to unpack and clean the code of the packed version; nevertheless, since the unpacked version is available, a side-by-side analysis could be performed.

Packed / Unpacked Function Comparison

When attempting to run the program, the user is redirected to the Telegram channel shown previously.

This version of All Bank Combine references two DLL files. The first, SkinSoft.VisualStyler.dll, is related to visual styling and GUI construction, whereas Leaf.xNet.dll handles much of the web request functionality. This DLL provides a number of functions, including general web request construction, full user-agent randomization and CAPTCHA bypass functionality supporting services such as 2captcha.com.

CAPTCHA Solving

The full version of All Bank Combine has not yet been obtained for analysis.

Conclusion

Examining multiple brute force tools illustrates the varying degrees of capability and sophistication that each tool or associated actor may present. Easy availability and low cost arm even non-technical users with the ability to conduct impactful attacks against critical infrastructure. With development continuing to advance to include CAPTCHA bypass and variable randomization, it can be difficult to identify and subsequently protect against some of these attacks, highlighting the importance of research and intelligence gathering as new tools and techniques surface.
