Cybercriminals who deploy ransomware rarely obtain the initial access to their targets themselves. More often, that access is bought from a cybercriminal broker who specializes in acquiring remote-access credentials, such as the usernames and passwords needed to connect remotely to the target’s network. In this post we look at the clues left behind by “Babam”, the handle chosen by a cybercriminal who has sold this type of access to ransomware groups on many occasions over the past few years.
Since the beginning of 2020, Babam has run numerous auctions on the Russian-language cybercrime forum Exploit, mostly selling Virtual Private Networking (VPN) credentials stolen from various companies. Babam has written more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit contain any personal information or any clues to his identity.
But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified has been hacked at least twice in the past five years, and its user database was leaked online. Those records show that Babam joined Verified using the email address [email protected]. The most recent Verified leak also exposed private messages exchanged between forum members, including more than 800 private messages Babam sent or received on the forum over the years.
In early 2017, Babam confided to another Verified user via private message that he was from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their first language.
Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the address [email protected] was used in 2016 to register an account at filmai.in, a movie streaming service for Lithuanian speakers. The username associated with that account was “bo3dom.”
A reverse WHOIS search at DomainTools.com shows that [email protected] was used to register two domain names: bonnjoeder[.]com back in 2011 and sanjulianhotels[.]de (2017). It is unclear whether these domains were ever online, but the address in both records was “24 Brondeg St.” in Great Britain. [Full disclosure: DomainTools is a frequent advertiser on this website.]
A reverse search at DomainTools on “24 Brondeg St.” reveals another domain: wwwecardone[.]com. Domains that begin with “www” are quite common among phishers and passive “typosquatting” sites, which attempt to harvest credentials meant for legitimate websites when people mistype a domain, for example by accidentally dropping the “.” after “www”.
Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com – +44.0774829141 – leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexppay[.]com. Another UK phone number in a newer record for the wwwebuygold[.]com domain – 44.0472882112 – is tied to two other domains: how maniphone unlocks[.]com and PortalsagePay[.]com. All of these domains date from 2012 to 2013.
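As an added defensive example (not from the article), the Python check below flags domains where the dot after “www” has been dropped, the pattern behind wwwecardone[.]com and wwwebuygold[.]com, so a brand-protection team can triage newly registered domains; the watch list of protected brand labels is constructed for illustration.

```python
# Added example: detect "www"-fused typosquats, i.e. hostnames where the
# dot after "www" was dropped so "www.brand.com" collapsed into the single
# registrable label "wwwbrand". Not code from the article or from DomainTools.
from typing import Dict, Iterable, Optional

# Constructed watch list: brand labels (left of the TLD) worth protecting.
PROTECTED_LABELS = {"ecardone", "ebuygold", "sagepay", "superchange"}


def defang_to_label(domain: str) -> str:
    """Normalise a possibly defanged domain (brand[.]com) to its registrable label.

    Assumes a single-label public suffix (.com, .ru); multi-label suffixes such
    as .co.uk would need a public-suffix list, which is out of scope here.
    """
    host = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    labels = [part for part in host.split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2]


def www_fusion_target(domain: str) -> Optional[str]:
    """Return the protected brand a domain impersonates via a fused 'www' prefix.

    Tries runs of 2 to 4 leading 'w' characters (ww, www, wwww) so that brands
    whose own name starts with 'w' are still recognised. Returns None when the
    label is not a fused-www variant of a protected label.
    """
    label = defang_to_label(domain)
    for run in (4, 3, 2):
        prefix = "w" * run
        if label.startswith(prefix) and label[run:] in PROTECTED_LABELS:
            return label[run:]
    return None


def triage(domains: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each candidate domain to the brand it impersonates, or None."""
    return {d: www_fusion_target(d) for d in domains}


if __name__ == "__main__":
    # Constructed sample feed mixing the article's defanged domains with a
    # legitimate "www." hostname that must not be flagged.
    feed = ["wwwecardone[.]com", "wwwebuygold[.]com", "wwwpexppay[.]com",
            "www.sagepay.com", "wwwsuperchange.ru"]
    for domain, brand in triage(feed).items():
        print(f"{domain:24} -> {'impersonates ' + brand if brand else 'no match'}")
```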
The original registration records for the iPhone, Sagepay and Gold domains share an email address: [email protected]. A search for the username “bo3dom” via the Constella service reveals an account at ipmart-forum.com, a now-defunct forum dealing with IT products such as mobile devices, computers and online games. That search shows the user bo3dom registered at ipmart-forum.com with the email address [email protected], from an Internet address in Vilnius, Lithuania.
[email protected] was used to register multiple domains, including wwwsuperchange.ru back in 2008 (again, note the suspicious “www” as part of the domain name). Gmail’s password recovery feature says the backup email address for [email protected] is email@example.com. Gmail accepts the address [email protected] as the recovery email for that devrian27 account.
According to Constella, the [email protected] address has appeared in multiple data breaches over the years, and in each case one of two passwords was used: “lebeda1” and “a123456”.
Searching Constella for accounts that use these passwords turns up a number of additional “bo3dom” email addresses, including [email protected]. Pivoting to that address in Constella shows that someone named Vytautas Mockus used it to register an account at mindjolt.com, a website with dozens of simple puzzle games that visitors can play online.
At some point mindjolt.com was apparently hacked as well, because according to a copy of its database at Constella, [email protected] used two passwords on that site: lebeda1 and a123456.
A reverse WHOIS search for “Vytautas Mockus” at DomainTools shows the email address [email protected] was used in 2010 to register the domain name perfectmoney[.]co. This is a variation on Perfectmoney[.]com, an early virtual currency that was very popular with cybercriminals at the time. The phone number associated with this domain registration was “86.7273687”.
A Google search for “Vytautas Mockus” shows there is a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz – an official online directory of Lithuanian companies – says that Palvisa was founded in 2011 by a Vytautas Mockus using the phone number 86.7273687 and the email address [email protected]. The report says Palvisa is active but has no employees other than the founder.
Mr. Mockus, 36, who was reached at [email protected], expressed amazement at how his personal information ended up in so many records. “I am not involved in any crime,” Mockus wrote in response.
The domains that Babam apparently registered for nearly 10 years suggest that he initially stole primarily from other cyber criminals. Until 2015, Babam was heavily involved in “carding”, the sale and use of stolen payment card data. By 2020 he had almost completely shifted his focus to selling access to businesses.
A profile compiled by threat intelligence company Flashpoint states that Babam received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.
According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international laboratory testing, inspection and certification company with annual revenue of more than $5 billion and more than 78,000 employees.
Flashpoint says Babam initially announced that he had sold the access, but later reopened the auction because the prospective buyer backed out of the deal. A few days later, Babam reposted the auction, added more information about the depth of the illicit access, and lowered his asking price. The access sold less than 24 hours later.
“Based on the statistics provided and sensitive source reports, Flashpoint analysts have a high degree of certainty that the compromised organization was likely Bureau Veritas, an organization headquartered in France that operates in a wide variety of sectors,” the company concluded.
In November, Bureau Veritas acknowledged that it had shut down its network in response to a cyberattack. The company did not say whether the incident involved ransomware and, if so, which strain, but its response to the incident is straight out of the ransomware attack response playbook. Bureau Veritas has not yet responded to requests for comment; its most recent public statement, dated December 2, offers no further details on the cause of the incident.
Flashpoint notes that Babam’s use of transliterated Russian on both Exploit and Verified continued until around March 2020, when he switched mainly to Cyrillic in his forum comments and sales threads. According to Flashpoint, this could indicate that someone else has been using the Babam account since then, or, more likely, that Babam initially had a poor command of Russian and that his language skills and confidence improved over time.
Supporting the latter theory is the fact that Babam still makes linguistic errors in his posts that suggest Russian is not his native language, Flashpoint found.
“The threat actor’s use of the double ‘n’ in words such as ‘проданно’ (correct – продано) and ‘сделанны’ (correct – сделаны) proves that this spelling is not possible with machine translation, because it would not be the correct spelling of the word,” Flashpoint analysts wrote.
“This type of grammatical error is often found in people who have not had sufficient schooling or for whom Russian is a second language,” the analysis continued. “In such cases, when someone tries to spell a word correctly, they accidentally or unknowingly exaggerate the spelling and make these kinds of mistakes. At the same time, their colloquial language can be fluent or even native. That is often typical for a person who comes from the states of the former Soviet Union.”