Underground Scams: Cutting the Head Off a Snake

Shortly after publishing our post about Terror EK, "King Cobra" (a Twitter account that we mentioned at the end of that blog post), tweeted a note to us:

1

Figure 1: King Cobra's tweet to Trustwave


This, along with other feedback from friends in the InfoSec community, made us realize that this is an opportunity to look at a different aspect of the underground economy through the escapades of one Mr. "King Cobra", author of the Terror Exploit Kit.

We'll begin by going back to October 29th, 2016 when a user by the name of "javascriptshowAlert" was offering a free test of his new exploit kit on hackforums[.]net:

2

Figure 2: A post offering free test of a new exploit kit


Later in the same thread is a message saying that the user was banned but another user posted his Jabber account: "kingcobra[at]jabb3r.org".

3

Figure 3: Request to post the kit author's jabber account


Despite the thread stating that this is a free test, on the same date someone else on the forums claims to have been scammed by the author, and wants their money back. Looking back at the original post (Figure 2) we see that it was modified by the author at some point, so it's possible that this test wasn't free at first:

4

Figure 4: User "MaskedRat" complaining about the kit working but having a "shitty panel"


This user provides the following two screenshots as proof that the panel looks terrible:

5

Figure 5: Screenshot 1 - "Best exploit rate since coffee"???


And why does this panel look familiar?

6

Figure 6: Sakura Exploit Pack Panel (circa 2012)

7

Figure 7: Screenshot 2 posted by the complaining user. DOGE!


(Spoiler alert: this theme of posts that neither prove anything nor make any particular sense as to why the author posted them will be a repeating theme throughout this blog post.)

This 2nd screenshot looks rather fishy, particularly because this complaining user still made a point of saying that "at least the exploits work". It's worth noting that the name of the complaining user, "MaskedRat", is very similar to the alias King Cobra uses on skype: "MaskedRoot". It might be a bit of a leap, but it's possible that this is a fake post meant to generate some buzz and advertise his kit. Alternately, it could be a genuine scam complaint, as we see later on in this post the complaints don't stop here.

8

Figure 8: Thread selling Terror EK "from the creators of ICEPACK"


So this is the actual sale thread of Terror EK being advertised in underground forums, ifud[.]ws, nulled[.to], hackforums etc.

It was posted almost a month after the publishing of the "test kit" thread we showed earlier and it is being advertised as coming "From the creators of ICEPACK", much like a movie preview.

For those of you who don't know, or perhaps don't remember, ICEPACK originally appeared in the wild in 2007 and was active through 2008. It can easily be thrown into the category of "1st generation exploit kits" which makes it a rather strange mention for a thread posted in 2016. The exploit kit market has evolved tremendously since then and only vaguely resembles the days of ICEPACK. While there's no proof to support this claim aside from the word of the author, it's hard to imagine anyone but the author relying on the popularity of a decade old EK.

The author added videos and screenshots of Terror EK:

9

Figure 9: Videos of proof by Terror EK author

10a

10b

Figure 10: Screenshots of Terror EK by the author


The panel looks different (and better) than the previous screenshots provided. It also looks a little familiar and presents a rather strange combination of old exploits, ancient exploits (MDAC?), the promised new and shiny IE11 0day and a Chrome RCE that's coming soon.

So let's talk prices: how much does this Terror kit cost? ... Quite a lot actually:

11

Figure 11: Advertised Terror EK prices


Unlike most EK pricing models these days, there does not appear to be any volume discount here. The price for a week is the same as 7 days and the price of a month is the same as 4 weeks.

On the same thread a user complains about the price:

12

Figure 12: User complaining about Terror EK price.


…and that is just the base price, if you want some of the "0days" you must pay for those separately:

13

Figure 13: Price of additional exploits


But let's leave pricing and get back to his claimed statistics for average exploit rate:

14

Figure 14: Terror EK statistics advertised by kit author


Now, 54% success rate is a very ambitious number, not even Angler EK in its prime when it was adopting new exploits within hours boasted such rate.

On one forum the author, using alias "Andrew Carnegie", gives a screenshot as proof of these exploitation rates, unfortunately the screenshot itself lists 0 exploited hosts.

15

Figure 15: Proof of exploit rates as published by Terror EK author

16

Figure 16: Members of the forum losing patience with Andrew Carnegie


It looks like at this point the local forum crowd also get tired of the suspicious nature of these posts.

Another minor incident occurred after this, where some of the exploits from the "test kit" were leaked. As we mentioned in our previous blog post, these exploits were all taken from either Metasploit, or stolen from other EKs, so the leak hardly revealed anything new. Regardless, the author of Terror EK responded by releasing some of these exploits himself:

17

17b

Figure 17: Terror EK author releasing exploits from test kit to the public


Again members think it is too good to be true and banter to that extent popped up in the thread.

18

18b

18c

18d

18e

Figure 18: Forum members getting very suspicious about the exploit kit


The word even got to exploit[.]in, where someone asked if anyone heard about this kit:

19

Figure 19: exploit[.]in members say what they think about Terror EK


It seems that the overall reaction of the underground is that the kit looks too good to be true (i.e. a scam). In line with this reputation, King Cobra was also selling a crypter (under different nicknames) that yielded questionable responses from the underground community:

20

Figure 20: Complaint thread about a crypting service run by Terror EK author


Full text: http://pastebin.com/yTSgJttH

21

21b

Figures 21: King Cobra using account "Bugs Bunny" selling stolen code.


As we can see from these conversations, the author is a master of copy paste, and not just when it comes to exploits.

But a legacy of stolen code isn't all that King Cobra has to offer - the author sometimes fights back to eliminate the competition, in the following thread he claims to have been scammed by beps EK (AKA Sundown)

22

Figure 22: King Cobra using account "Bugs Bunny" writing he got scammed at the Beps sale thread

23

Figure 23: Thread claiming scam by BEPS


Despite his earlier mocking of Hunter EK and the quality of exploits in it, King Cobra also dabbled in selling Hunter EK himself, despite Hunter EK having been previously leaked:

24

Figure 24: King Cobra using account "CrackingGod" selling Hunter EK


He also provided "proof" images, here's one worth sharing:

25

Figure 25: King Cobra's "proof"


Note that he kept the archive name in the folder name "hunter_ek.tar", which is exactly as it is found in the leaked source.

He was also selling Hunter EK's source code on hackforums[.]net:

26

Figure 26: Original sale thread, cached by Google

27

Figure 27: Sale thread has been closed, reason below


Eventually someone noticed this is a pure scam.

28

Figure 28: A warning from a user that almost bought Hunter EK from "King Cobra"


But wait, there is more! (again...) The world of cybercrime sales is not only for exploit kits and crypters and this guy knows it, so he branched out into scamming traffic:

29

Figure 29: A thread of traffic sale

30

Figure 30: Member who tried Terror EK already, report this is the same guy, another member being ignored by "King Cobra" on skype, doesn't sound promising.


And at some point he even tried to scam his way with "his own" RAT called MrRobot:

31

Figure 31: MrRobot Rat version info includes mysterious ShadowTech Rat info

32

Figure 32: Strings search on the executable reveals King Cobra's skype account

But yet again, this is a copy/paste of code available on github:

33

Figure 33: ShadowTech is just a publicly available example of a RAT

34

Figure 34: The info King Cobra forgot to change when he compiled MrRobot RAT

Aside from being a seasoned businessman, he also understands that he is part of a community and shares his more successful ventures with it.

35

Figure 35: King Cobra bragging about taking a site down


This guy really "knows" what he is doing, he is a real role model for all the young cybercriminals out there trying to find their way... But worry not, skiddie, you too can become just like him if you attend his class for only $140.

36

Figure 36: King Cobra selling a "skid to pro" course

Closing Words

This post zoomed in on a character in the underground that we happened to run into as part of our research into Terror EK, but the purpose of this post was not to single him out. On the contrary, King Cobra is nothing special. The story we see here is simply part of everyday life in the underground. It's interesting to see that, just like any other market out there (legitimate or otherwise), the underground has its scammers, frauds and people trying to make a quick buck through fake sales. The underground is also a community that, through reputation and public opinion, tries to weed these cases out and keep a market of quality "products" running smoothly.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.