Underground Scams: Cutting the Head Off a Snake

Shortly after we published our post about Terror EK, "King Cobra" (a Twitter account that we mentioned at the end of that blog post) tweeted a note to us:


Figure 1: King Cobra's tweet to Trustwave

This, along with other feedback from friends in the InfoSec community, made us realize that this is an opportunity to look at a different aspect of the underground economy through the escapades of one Mr. "King Cobra", author of the Terror Exploit Kit.

We'll begin by going back to October 29th, 2016, when a user by the name of "javascriptshowAlert" was offering a free test of his new exploit kit on hackforums[.]net:


Figure 2: A post offering free test of a new exploit kit

Later in the same thread is a message saying that the user was banned but another user posted his Jabber account: "kingcobra[at]".


Figure 3: Request to post the kit author's jabber account

Despite the thread stating that this is a free test, on the same date someone else on the forums claims to have been scammed by the author, and wants their money back. Looking back at the original post (Figure 2) we see that it was modified by the author at some point, so it's possible that this test wasn't free at first:


Figure 4: User "MaskedRat" complaining about the kit working but having a "shitty panel"

This user provides the following two screenshots as proof that the panel looks terrible:


Figure 5: Screenshot 1 - "Best exploit rate since coffee"???

And why does this panel look familiar?


Figure 6: Sakura Exploit Pack Panel (circa 2012)


Figure 7: Screenshot 2 posted by the complaining user. DOGE!

(Spoiler alert: this theme of posts that neither prove anything nor make any particular sense as to why the author posted them will be a repeating theme throughout this blog post.)

This second screenshot looks rather fishy, particularly because this complaining user still made a point of saying that "at least the exploits work". It's worth noting that the name of the complaining user, "MaskedRat", is very similar to the alias King Cobra uses on Skype: "MaskedRoot". It might be a bit of a leap, but it's possible that this is a fake post meant to generate some buzz and advertise his kit. Alternatively, it could be a genuine scam complaint; as we'll see later in this post, the complaints don't stop here.


Figure 8: Thread selling Terror EK "from the creators of ICEPACK"

So this is the actual sale thread of Terror EK, as advertised in underground forums (ifud[.]ws, nulled[.]to, hackforums, etc.).

It was posted almost a month after the publishing of the "test kit" thread we showed earlier and it is being advertised as coming "From the creators of ICEPACK", much like a movie preview.

For those of you who don't know, or perhaps don't remember, ICEPACK originally appeared in the wild in 2007 and was active through 2008. It can easily be thrown into the category of "1st generation exploit kits", which makes it a rather strange mention for a thread posted in 2016. The exploit kit market has evolved tremendously since then and only vaguely resembles the days of ICEPACK. While there's no proof to support this claim aside from the word of the author, it's hard to imagine anyone but the author relying on the popularity of a decade-old EK.

The author added videos and screenshots of Terror EK:


Figure 9: Videos of proof by Terror EK author



Figure 10: Screenshots of Terror EK by the author

The panel looks different (and better) than the previous screenshots provided. It also looks a little familiar and presents a rather strange combination of old exploits, ancient exploits (MDAC?), the promised new and shiny IE11 0day and a Chrome RCE that's coming soon.

So let's talk prices: how much does this Terror kit cost? ... Quite a lot actually:


Figure 11: Advertised Terror EK prices

Unlike most EK pricing models these days, there does not appear to be any volume discount here. The price for a week is the same as 7 days and the price of a month is the same as 4 weeks.

On the same thread a user complains about the price:


Figure 12: User complaining about Terror EK price.

…and that is just the base price, if you want some of the "0days" you must pay for those separately:


Figure 13: Price of additional exploits

But let's leave pricing and get back to his claimed statistics for average exploit rate:


Figure 14: Terror EK statistics advertised by kit author

Now, a 54% success rate is a very ambitious number. Not even Angler EK in its prime, when it was adopting new exploits within hours, boasted such a rate.

On one forum the author, using the alias "Andrew Carnegie", gives a screenshot as proof of these exploitation rates. Unfortunately, the screenshot itself lists 0 exploited hosts.


Figure 15: Proof of exploit rates as published by Terror EK author


Figure 16: Members of the forum losing patience with Andrew Carnegie

It looks like at this point the local forum crowd also got tired of the suspicious nature of these posts.

Another minor incident occurred after this, where some of the exploits from the "test kit" were leaked. As we mentioned in our previous blog post, these exploits were all taken from either Metasploit, or stolen from other EKs, so the leak hardly revealed anything new. Regardless, the author of Terror EK responded by releasing some of these exploits himself:



Figure 17: Terror EK author releasing exploits from test kit to the public

Again, members thought it was too good to be true, and banter to that effect popped up in the thread.






Figure 18: Forum members getting very suspicious about the exploit kit

The word even got to exploit[.]in, where someone asked if anyone had heard about this kit:


Figure 19: exploit[.]in members say what they think about Terror EK

It seems that the overall reaction of the underground is that the kit looks too good to be true (i.e. a scam). In line with this reputation, King Cobra was also selling a crypter (under different nicknames) that yielded questionable responses from the underground community:


Figure 20: Complaint thread about a crypting service run by Terror EK author

Full text:



Figure 21: King Cobra using account "Bugs Bunny" selling stolen code.

As we can see from these conversations, the author is a master of copy-paste, and not just when it comes to exploits.

But a legacy of stolen code isn't all that King Cobra has to offer. The author sometimes fights back to eliminate the competition: in the following thread he claims to have been scammed by beps EK (AKA Sundown).


Figure 22: King Cobra using account "Bugs Bunny" writing he got scammed at the Beps sale thread


Figure 23: Thread claiming scam by BEPS

Despite his earlier mocking of Hunter EK and the quality of exploits in it, King Cobra also dabbled in selling Hunter EK himself, even though Hunter EK had previously been leaked:


Figure 24: King Cobra using account "CrackingGod" selling Hunter EK

He also provided "proof" images. Here's one worth sharing:


Figure 25: King Cobra's "proof"

Note that he kept the archive name in the folder name "hunter_ek.tar", which is exactly as it is found in the leaked source.

He was also selling Hunter EK's source code on hackforums[.]net:


Figure 26: Original sale thread, cached by Google



Figure 27: Sale thread has been closed, reason below

Eventually someone noticed this is a pure scam.


Figure 28: A warning from a user that almost bought Hunter EK from "King Cobra"

But wait, there is more! (again...) The world of cybercrime sales is not only for exploit kits and crypters, and this guy knows it, so he branched out into scamming traffic:


Figure 29: A thread of traffic sale



Figure 30: A member who already tried Terror EK reports this is the same guy; another member is being ignored by "King Cobra" on Skype. Doesn't sound promising.

And at some point he even tried to scam his way with "his own" RAT called MrRobot:


Figure 31: MrRobot Rat version info includes mysterious ShadowTech Rat info



Figure 32: Strings search on the executable reveals King Cobra's Skype account


But yet again, this is a copy/paste of code available on GitHub:


Figure 33: ShadowTech is just a publicly available example of a RAT



Figure 34: The info King Cobra forgot to change when he compiled MrRobot RAT


Aside from being a seasoned businessman, he also understands that he is part of a community and shares his more successful ventures with it.


Figure 35: King Cobra bragging about taking a site down

This guy really "knows" what he is doing; he is a real role model for all the young cybercriminals out there trying to find their way... But worry not, skiddie, you too can become just like him if you attend his class for only $140.


Figure 36: King Cobra selling a "skid to pro" course


Closing Words

This post zoomed in on a character in the underground that we happened to run into as part of our research into Terror EK, but the purpose of this post was not to single him out. On the contrary, King Cobra is nothing special. The story we see here is simply part of everyday life in the underground. It's interesting to see that, just like any other market out there (legitimate or otherwise), the underground has its scammers, frauds and people trying to make a quick buck through fake sales. The underground is also a community that, through reputation and public opinion, tries to weed these cases out and keep a market of quality "products" running smoothly.
