Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Underground Scams: Cutting the Head Off a Snake

Shortly after publishing our post about Terror EK, "King Cobra" (a Twitter account that we mentioned at the end of that blog post), tweeted a note to us:

9266_510cc629-8bd8-4dc0-8a8e-2d15059c2977

Figure 1: King Cobra's tweet to Trustwave


This, along with other feedback from friends in the InfoSec community, made us realize that this is an opportunity to look at a different aspect of the underground economy through the escapades of one Mr. "King Cobra", author of the Terror Exploit Kit.

We'll begin by going back to October 29th, 2016 when a user by the name of "javascriptshowAlert" was offering a free test of his new exploit kit on hackforums[.]net:

10869_9da9f052-94b7-4fa3-ab7b-16bb82e5258d

Figure 2: A post offering free test of a new exploit kit


Later in the same thread is a message saying that the user was banned but another user posted his Jabber account: "kingcobra[at]jabb3r.org".

12499_ec3481f1-7bcb-467e-b4eb-40b23936f7af

Figure 3: Request to post the kit author's jabber account


Despite the thread stating that this is a free test, on the same date someone else on the forums claims to have been scammed by the author, and wants their money back. Looking back at the original post (Figure 2) we see that it was modified by the author at some point, so it's possible that this test wasn't free at first:

10398_8742e749-45a5-4f22-b1e7-d7476b875bff

Figure 4: User "MaskedRat" complaining about the kit working but having a "shitty panel"


This user provides the following two screenshots as proof that the panel looks terrible:

8045_147d0d9d-3b15-45d3-a918-00a3dfd8a046

Figure 5: Screenshot 1 - "Best exploit rate since coffee"???


And why does this panel look familiar?

11611_c189f8e3-37be-46bc-bdcf-00c59869d05b

Figure 6: Sakura Exploit Pack Panel (circa 2012)

12472_eb3b8f23-7e4b-4f2f-be77-a01d9045513b

Figure 7: Screenshot 2 posted by the complaining user. DOGE!


(Spoiler alert: this theme of posts that neither prove anything nor make any particular sense as to why the author posted them will be a repeating theme throughout this blog post.)

This 2nd screenshot looks rather fishy, particularly because this complaining user still made a point of saying that "at least the exploits work". It's worth noting that the name of the complaining user, "MaskedRat", is very similar to the alias King Cobra uses on skype: "MaskedRoot". It might be a bit of a leap, but it's possible that this is a fake post meant to generate some buzz and advertise his kit. Alternately, it could be a genuine scam complaint, as we see later on in this post the complaints don't stop here.

9814_6d7f5ad7-4ed6-4b87-ab5e-a9daf9589533

Figure 8: Thread selling Terror EK "from the creators of ICEPACK"


So this is the actual sale thread of Terror EK being advertised in underground forums, ifud[.]ws, nulled[.to], hackforums etc.

It was posted almost a month after the publishing of the "test kit" thread we showed earlier and it is being advertised as coming "From the creators of ICEPACK", much like a movie preview.

For those of you who don't know, or perhaps don't remember, ICEPACK originally appeared in the wild in 2007 and was active through 2008. It can easily be thrown into the category of "1st generation exploit kits" which makes it a rather strange mention for a thread posted in 2016. The exploit kit market has evolved tremendously since then and only vaguely resembles the days of ICEPACK. While there's no proof to support this claim aside from the word of the author, it's hard to imagine anyone but the author relying on the popularity of a decade old EK.

The author added videos and screenshots of Terror EK:

8170_1a8b032b-3f0b-4a4c-9019-e3a643374279

Figure 9: Videos of proof by Terror EK author

12327_e57e0b1f-3d3e-4d1d-bf27-aa3a63325f61

11093_a8809614-0fe5-4819-be81-b60dd58b961b

Figure 10: Screenshots of Terror EK by the author


The panel looks different (and better) than the previous screenshots provided. It also looks a little familiar and presents a rather strange combination of old exploits, ancient exploits (MDAC?), the promised new and shiny IE11 0day and a Chrome RCE that's coming soon.

So let's talk prices: how much does this Terror kit cost? ... Quite a lot actually:

12350_e690361b-1001-4521-a66a-00a7288fb23b

Figure 11: Advertised Terror EK prices


Unlike most EK pricing models these days, there does not appear to be any volume discount here. The price for a week is the same as 7 days and the price of a month is the same as 4 weeks.

On the same thread a user complains about the price:

9199_4e233693-bb4e-4e32-9598-0bdbf95e924b

Figure 12: User complaining about Terror EK price.


…and that is just the base price, if you want some of the "0days" you must pay for those separately:

8079_16dade4b-e34d-49c2-a27e-d3ab567b1b9a

Figure 13: Price of additional exploits


But let's leave pricing and get back to his claimed statistics for average exploit rate:

11070_a73217d6-54bf-488d-9892-7337e6caf2c0

Figure 14: Terror EK statistics advertised by kit author


Now, 54% success rate is a very ambitious number, not even Angler EK in its prime when it was adopting new exploits within hours boasted such rate.

On one forum the author, using alias "Andrew Carnegie", gives a screenshot as proof of these exploitation rates, unfortunately the screenshot itself lists 0 exploited hosts.

9530_5ec1f3c0-bc3d-4bea-bcc8-ca337e192009

Figure 15: Proof of exploit rates as published by Terror EK author

9911_71f95a9b-f13f-497b-8e80-47147a672428

Figure 16: Members of the forum losing patience with Andrew Carnegie


It looks like at this point the local forum crowd also get tired of the suspicious nature of these posts.

Another minor incident occurred after this, where some of the exploits from the "test kit" were leaked. As we mentioned in our previous blog post, these exploits were all taken from either Metasploit, or stolen from other EKs, so the leak hardly revealed anything new. Regardless, the author of Terror EK responded by releasing some of these exploits himself:

10295_822ac4eb-74d1-4b13-a6be-42f7501e3937

8442_2936e180-90a0-4011-8c6d-68d7334d5fa3

Figure 17: Terror EK author releasing exploits from test kit to the public


Again members think it is too good to be true and banter to that extent popped up in the thread.

7651_0211dd91-fe5b-4cb3-b004-ff1d4b2628f1

10445_89ac652a-b0a4-4d19-9ff0-7314b28bd8a6

12504_ec720dbd-a3eb-4fc6-9234-8a25575c3f7d

10492_8c4b4ff0-8235-427b-a30c-e1809ed18ecf

9293_52b0980e-90fe-4a48-b628-7f498b74bc9f

Figure 18: Forum members getting very suspicious about the exploit kit


The word even got to exploit[.]in, where someone asked if anyone heard about this kit:

9072_48ce4548-b326-4366-857d-c23a8ed403b7

Figure 19: exploit[.]in members say what they think about Terror EK


It seems that the overall reaction of the underground is that the kit looks too good to be true (i.e. a scam). In line with this reputation, King Cobra was also selling a crypter (under different nicknames) that yielded questionable responses from the underground community:

12542_ee0a8dec-30a3-4337-8a44-76fb6eab4dbb

Figure 20: Complaint thread about a crypting service run by Terror EK author


Full text: http://pastebin.com/yTSgJttH

11371_b59544f3-7d3b-41da-9176-1e5d740f3930

8467_2a89e3db-07f6-4808-9bf2-e3ca47c6d259

Figures 21: King Cobra using account "Bugs Bunny" selling stolen code.


As we can see from these conversations, the author is a master of copy paste, and not just when it comes to exploits.

But a legacy of stolen code isn't all that King Cobra has to offer - the author sometimes fights back to eliminate the competition, in the following thread he claims to have been scammed by beps EK (AKA Sundown)

12254_e1e27178-8b65-4c00-a750-8ff4115089bc

Figure 22: King Cobra using account "Bugs Bunny" writing he got scammed at the Beps sale thread

10283_818aa686-a956-4612-9314-5b23b6c3c35b

Figure 23: Thread claiming scam by BEPS


Despite his earlier mocking of Hunter EK and the quality of exploits in it, King Cobra also dabbled in selling Hunter EK himself, despite Hunter EK having been previously leaked:

11502_bc63311a-0abf-40d8-9a5a-e28553309ade

Figure 24: King Cobra using account "CrackingGod" selling Hunter EK


He also provided "proof" images, here's one worth sharing:

11177_ac0e1fe4-2636-4e0d-a1d3-b3ab5e794c3a

Figure 25: King Cobra's "proof"


Note that he kept the archive name in the folder name "hunter_ek.tar", which is exactly as it is found in the leaked source.

He was also selling Hunter EK's source code on hackforums[.]net:

8246_1e4b997e-41e5-4735-a289-113ee99e52a9

Figure 26: Original sale thread, cached by Google

 

10400_876bf9a6-f501-4032-9c88-ec0f4426049a

Figure 27: Sale thread has been closed, reason below


Eventually someone noticed this is a pure scam.

10374_85d59ee5-6894-4051-83cd-dabb79b23a6d

Figure 28: A warning from a user that almost bought Hunter EK from "King Cobra"


But wait, there is more! (again...) The world of cybercrime sales is not only for exploit kits and crypters and this guy knows it, so he branched out into scamming traffic:

8278_201c9cdd-9f24-4d95-9cd2-7c5a46d09682

Figure 29: A thread of traffic sale

 

10997_a395ebd5-3c87-437f-8fd6-89c3911db2e3

Figure 30: Member who tried Terror EK already, report this is the same guy, another member being ignored by "King Cobra" on skype, doesn't sound promising.


And at some point he even tried to scam his way with "his own" RAT called MrRobot:

10938_a09c6c17-ff94-4736-bf63-114f6a7b9801

Figure 31: MrRobot Rat version info includes mysterious ShadowTech Rat info

 

9754_6a82cc22-5f7f-400c-bed0-55272d7b23de

Figure 32: Strings search on the executable reveals King Cobra's skype account

 

But yet again, this is a copy/paste of code available on github:

11335_b3de7bdb-f2dd-4cc2-95e3-d7f5968b4b08

Figure 33: ShadowTech is just a publicly available example of a RAT

 

11978_d30e80ca-e2ae-4493-b31e-a29ffd681f96

Figure 34: The info King Cobra forgot to change when he compiled MrRobot RAT

 

Aside from being a seasoned businessman, he also understands that he is part of a community and shares his more successful ventures with it.

9104_4a54ba97-6dac-49f5-8236-f3b8ad358b5e

Figure 35: King Cobra bragging about taking a site down


This guy really "knows" what he is doing, he is a real role model for all the young cybercriminals out there trying to find their way... But worry not, skiddie, you too can become just like him if you attend his class for only $140.

10473_8b115427-2df9-4f39-99bb-15284e818243

Figure 36: King Cobra selling a "skid to pro" course

 

Closing Words

This post zoomed in on a character in the underground that we happened to run into as part of our research into Terror EK, but the purpose of this post was not to single him out. On the contrary, King Cobra is nothing special. The story we see here is simply part of everyday life in the underground. It's interesting to see that, just like any other market out there (legitimate or otherwise), the underground has its scammers, frauds and people trying to make a quick buck through fake sales. The underground is also a community that, through reputation and public opinion, tries to weed these cases out and keep a market of quality "products" running smoothly.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More