
BSidesSF 2025 - Tracking the World's Dumbest Cyber Mercenaries (Cooper Quintin, Eva Galperin)

BSidesSF · 2025 · 25:48 · 205 views · Published 2025-06
About this talk
Tracking the World's Dumbest Cyber Mercenaries
Cooper Quintin, Eva Galperin

For the last 6 years, we have been tracking the activities of the cyber mercenaries Dark Caracal. In this time, we have observed them make hilarious mistakes, which have allowed us to gain insights into their activities and targets, and see just how effective they actually are despite it all.

https://bsidessf2025.sched.com/event/fda2e483ed9a2bcfa43be55d94dd3415
Transcript (en)

All right, everybody. Let's get ready for one of the most interesting conversations I think we're gonna hear here. So, if you don't know our speakers, you certainly should. And kind of in a nod to Severance, not trying to plug Apple TV Plus, whatever. I'm John D, your MC, also your ringmaster here in the big main ring. And we will have, I just blanked, Cooper. We're going to have Cooper Q and Eva S as your presenters here. Let's give them a big round of applause. Thank you. Thank you. Want to do a quick intro?

Sure. So, hi everybody. Thanks for coming out today. As the ringmaster said, my name is Cooper Quintin. I'm a senior staff technologist at the Electronic Frontier Foundation, where I've been for 10 years developing Privacy Badger, stopping spies from tracking your phones, and looking into state-sponsored malware.

Hi, I'm Eva Galperin, which does not start with an S. I'm the director of cybersecurity at the Electronic Frontier Foundation, where I have been for going on 18 years. My job is nearly old enough to vote. It's not going to. A lot of what I have been doing involves providing support to especially vulnerable populations in their digital privacy and security needs, which includes journalists and activists and, more recently, survivors of domestic abuse.

And what we're going to be doing right now is we're going to tell you a story about a threat actor that we have been tracking for many years. This is a bit of a romp, so hold on. So we can go ahead and get started. Let us begin at the beginning. Our story begins at the dawn of time, which is to say the '90s. This is Irina Petrushova. Irina Petrushova is a journalist and activist who for many years, and especially in the '90s, was based in Kazakhstan. She started one of Kazakhstan's only independent newspapers. It went on to become Kazakhstan's only independent newspaper, and it was not popular with the government of Kazakhstan, whose president for many decades was Nursultan Nazarbayev. I'm basically here just to pronounce things like that. Nazarbayev did not enjoy Petrushova's work. In fact, well, next slide. Irina had a skull left on the printer's doorstep at their office. There was a severed dog's head left outside of her home with a note saying that she would be next. Her office was burned down. There were threats to kidnap her son, who later became older and became one of her co-editors. So they didn't kidnap her son. Cool. And in 2002, Petrushova and her family, including her son, fled to Russia. And that should give you some idea of how serious the situation was, that this woman was like, so Kazakhstan is too hot. It's going to be safer in Russia for me. And she went on to bring Respublika online. The paper went online in 2007.

Fast forward to 2014. This is shortly after the summer of Snowden. WikiLeaks is a big deal. The Snowden revelations are a big deal. Lots of people are starting up leaks websites and using them in order to hold the powerful accountable for their behavior. And one of those sites is a site called Kazaword. Kazaword is hosting leaked documents from inside of the Nazarbayev administration. And Nazarbayev is not happy about it. Needless to say, they're showing all kinds of corruption, all kinds of double dealing. It's not good. And Kazakhstan sues in New York court to get an injunction to stop Respublika from publishing the stolen emails. The reason why they go to court in New York is that the web host for Respublika is located in New York. Now, right around this time, they turn around and become EFF clients, because if you are sued in New York and you would like to be able to, you know, report on what's going on in Kazakhstan having to do with emails that honestly you did not steal, information that you got from this, you know, leaks website that you don't run, then you go, hey, we need lawyers and we don't have a lot of money, and you call up EFF. So we were their lawyers, and right around that time the folks at Respublika started getting phishing emails.

So the phishing emails begin to arrive. They target her son, they target their lawyer, and they look like this. This is a spear phishing email sent to Alexander Petrushov. It claims to be from a lawyer named Eric Rushett. Interestingly enough, this email claims to be a legal invoice for Bolat Atabayev, a Kazakh dissident and theater director who was also targeted in this campaign. The email has a PDF attachment. The attachment is blurry. An error message comes up when you open up the attachment, and when you click on the error message, it installs a novel Windows RAT called Bandook. And that brings us to Operation Manul, which is essentially what happened when Cooper and I got our hands on this sample. Take it away, Cooper.

So, yeah, we wrote this paper in 2016 called Operation Manul, manul being a cat native to the steppes of Kazakhstan and also adorable. The Bandook malware is pretty typical for what you see in a RAT. It can do things like start a shell, monitor the webcam and the mics, mess with system files, download second-stage infections, collect data about nearby Wi-Fi access points, all the sorts of things that you would expect to see in any sort of decent off-the-shelf RAT. But an interesting thing about Bandook that you don't see in most decent off-the-shelf RATs is that the command and control system was running Windows. So that's weird. Specifically, they were running a Windows Apache MySQL stack called XAMPP. Now, the fun thing about XAMPP is at least the version that they were using left the directory indexes open by default. So if you don't have an index.html file in there, you can see a list of all the files that are in the directory. The second fun thing that we discovered is that the attackers were uploading the files to the C&C server inside of the web root. And so we were able to, using DirBuster, enumerate all the directories that had exfiltrated files from the Bandook malware and download all of the exfiltrated data to start to get an idea of who else besides Irina they might be targeting. So we broke out DirBuster, scanned all these directories, downloaded all the files, and examined them at our leisure. And we found dozens of other targets in this campaign, as well as files from other campaigns, including one that appeared to be a Vietnamese cigarette company that was being targeted for reasons unclear. We found backups of entire Windows machines. We also found web login forms for their command and control, which seemed like they might be slightly vulnerable. And we found files extracted from mobile devices, which made us think that there may be a mobile component to the attack.

So we talked about all this research in 2016 or 2017, and a couple of months later Michael Flossman and Mike Murray, and now I'm forgetting names, some really nice fellows from Lookout, came to us and said, "Hey, you mentioned that there was a mobile component. We think we found it. Do you want to take a look at it with us?" So, hell yeah we do. So we ended up doing this research and releasing another paper about a year later. Andrew Blaich is the other gentleman from Lookout, so credit to them. We ended up releasing another paper about a year later called Dark Caracal. And in Dark Caracal we studied the mobile component. So the mobile component we named Pallas, which is again named after a cat, this time native to Syria. And you'll find out why. The Pallas malware was usually backdoored versions of legitimate applications: things like secure messaging, Signal, WhatsApp, privacy applications like Orbot or Psiphon, and other miscellaneous applications, but tons of different, dozens of different applications all backdoored with this spyware. Again, the spyware does the typical things that you might expect mobile spyware to do: take photos, get GPS data, get text messages and call logs, get nearby Wi-Fi access points (remember that for later), and get the plaintext of encrypted messages. And there was a lot of data, because again the command and control servers were still entirely open. So we were able to download all of the mobile data and all of the desktop data from the desktop infections. And going through it we found a total of 81 gigabytes of data, the majority of which was from mobile infections. So it was incredibly effective despite not using any exploits at all.

The method for all of this malware was always phishing. It was messages like, "Hey, install this app so we can communicate more securely," send you the APK. It was emails like the ones that went to Irina. And that just used PowerShell scripts to install it. And we were seeing these actors really expanding their desktop capability to include mobile capability, but they're still using XAMPP, like I said. And we learned another fun thing that XAMPP does by default, is that it has this module called Apache status. And Apache status gives anybody who goes to the web page a real-time log of everybody who's visiting the server. Now, this is really fun because it listed the IP addresses of everybody that was infected by this malware. But it was even more fun because it listed the IP addresses of people visiting those web logins that I mentioned a couple of slides ago. So those might be the IPs of the people running this command and control infrastructure. So we took a look at where people were logging into those web portals and, oh yeah, their OPSEC is perfect. They're clean on OPSEC. They're doing great. No notes so far.

The funny thing about this actually is that I forgot to tell Lookout at first about these open XAMPP directory indexes, and they looked at the mobile malware for a couple of weeks and they were like, yeah, we think we're ready to report on this, there's not much here. Then I was like, oh wait, did I tell you that there were directory indexes open with all of the files exfiltrated from people's infected devices? They were like, um, no, that would have been important. Can we please go back to the drawing board? And then we spent another six months working on this just because of all the stuff we got from the directory indexes. So good thing I eventually remembered.

So let's talk about some of the things that we found. You may remember a couple of slides ago when we discovered that we had the IP addresses of everybody who was logging in to the admin panels. So let's go figure out where in the world is Dark Caracal. We started by geolocating the compromised devices. They are concentrated in the Middle East, but it was really global, with infections across 20 countries including China, Vietnam (the cigarette company), South Korea, Lebanon, Saudi Arabia, Jordan; in Europe there were infections in Germany and France. So we were seeing infections pretty much all over the world, but we had some idea of where we wanted to narrow things down, because the admin console logins were just coming from Lebanon, specifically Beirut, specifically downtown Beirut, which is funny because the author of the Bandook malware, who goes by Prince Ali, claims to live in Beirut. You may wonder if this is going to come up again later. Yes. Oh, yes, it is.

So we pop all the data into a Maltego graph and we get one cluster of devices that appear to be the very first infections. These are the test devices, the first ones, the test data messages that read "test test" and "hack hack", just in case we were not clear on what was going on. And the only pics that were coming from these infections were up-the-nose shots of someone in their office, and it only ever connected to a single Wi-Fi network. And that network was called BLD3F6, building 3, floor 6. It's a goddamn mystery. So what we did was we sent someone to Lebanon to wander around looking for this particular Wi-Fi with an Android device and confirmed the location of the building 3, floor 6 Wi-Fi. The building 3, floor 6 Wi-Fi is located in downtown Beirut, in the only building with at least six floors anywhere near it. And it is conveniently labeled across the top. It is the headquarters of the General Directorate of General Security. So we publish. Journalists go to the General Directorate of General Security. GDGS denies it. Then they say that if they did it, it was totally legal. They also accused us of working for the CIA and/or Mossad. We're very busy.

So what is Lebanon doing hacking Kazakh dissidents? We think we're looking at a guy who works at GDGS during the day and moonlights as a cyber mercenary. This is really before the working-from-home craze. He was working from work. But this guy was not done. Indeed, there we were when a whole new version of Bandook came out in 2002. So in 2002, some new people that are not us, for the first time, start writing reports about Bandook. A report comes out called Bandidos at Large, detailing a spying campaign in Latin America, that was put out by Check Point. Oh no, so that was ESET. Check Point also put out a report called Signed and Delivered, which was detailing a Bandook campaign targeting what they called an unusually wide variety of sectors and locations. So Prince Ali, we think, because he doesn't seem to sell it online anywhere that we can find, is staying very busy.

And then in 2022, we found an entirely new sample of Bandook with new features and new prizes to be uncovered. So I found it on VirusTotal and started taking a look at it, trying to figure out who he might be targeting this time. And, like I said, Bandook has the ability to download a secondary infection, which in this case it does from a secondary server to the C&C. The command and control server is one server, and there's a second URL from which you can download plugins for Bandook. So we took a look at the malware and extracted the domains, and the C&C domain was a .ru and it had command and control running on it. But sadly for me, they're no longer running XAMPP. Apparently they read our reports and they have learned from their mistakes. Good for them. They're not running Apache. The only ports they have open are the TCP ports that are necessary for command and control. But there was a second domain, and it was called uncleso.com, and I thought that was interesting. So I started looking into it with Nmap and DirBuster the way I usually do, and quickly found out they forgot to register it. So, being the helpful guy I am, I registered it for them, and, in a move I call the Marcus Hutchins, we set it up and started looking at all the traffic coming to it. Unfortunately, they forgot to include a kill switch for me. So we set up a sinkhole and we started collecting all the traffic coming from infected machines to the secondary command and control, which was not personally identifiable in any way other than the IP addresses. It was just infections connecting to the secondary server looking to download TeamViewer, and we started logging what times that traffic was coming in. We also wrote a privacy policy for our sinkhole, because we're EFF and privacy policies belong everywhere. What we saw was about 700 or 800 machines connecting every weekday, and on weekends a lower number, around 100 to 300, roughly during work hours. So we think that these are business machines that aren't being used on weekends. Maybe corporate espionage is his game this time. Maybe he's getting into the ransomware game.

We can also map where these machines are located. And so we did. There were some infections in the US, Canada, in the UK, a few in Chile and Spain, a neat little cluster in Venezuela, but mostly they were located in the Dominican Republic this time. So that's interesting. I don't think GDGS is going after the Dominican Republic. Obviously this guy's moonlighting career must have finally taken off, which, good for him, because several years earlier he had tried to get a job with Hacking Team. And thanks to the leaked Hacking Team emails that ended up in WikiLeaks, we found out that when he emailed Hacking Team his resume, Hacking Team said, "This guy's a scrub. We're not going to hire this guy. He sucks. Don't even respond to him." So, you know, he's been trying to do this for a long time, and he's finally made a career out of it.

Anyway, we thought for a while about why they might be going after the Dominican Republic, and couldn't come up with any good answers. And then about a month later, I was listening to an episode of Darknet Diaries about a guy who had looked into Dark Caracal and noticed that the Bandook malware was being used to deploy the Conti ransomware. Now, the Conti ransomware gang runs a pretty tight ship, and they keep really tight control of their ransomware. So, has Prince Ali partnered with Conti? Has he gotten a job with them? Were they finally willing to hire him and not learn the lessons of his last several years of mistakes, which Hacking Team already did? Or was this political hacking, or was political hacking for hire not paying enough? Right? Is GDGS not paying the bills anymore and he's got to go the ransomware route? We don't know. Will Dark Caracal start deploying ransomware as a method of silencing political targets? Maybe. It might be pretty useful. It might be pretty effective, I should say. But we have a photo of his nostrils. However, the contents of his brain remain a mystery.

So, for these several years of mistakes, we give Dark Caracal the dunce cap. They might be some of the worst effective cyber mercenaries out there. They keep getting caught. They keep doing stupid things. It turns out there's a wide variety of cyber mercenaries. Some of them are NSO Group, some of them are Paragon Solutions, and some of them are idiots. But you don't have to deploy zero-click mobile malware to be effective. There be dragons, and even this kind of idiot dragon is still a dragon, and it can still breathe fire. So we think they're still worth watching out for, which brings us to some conclusions.

Again, despite the number of mistakes they made, Dark Caracal is still disturbingly effective. The number of cyber mercenaries is growing, and there is a spectrum, and not everybody is a high-end player. There is a lot of room at the bottom here. A lot of this growth is due to how successful encryption has been. Web encryption is now ubiquitous. End-to-end encrypted communications are now extremely common. The most common method of communication all over the world is WhatsApp, where all messages are end-to-end encrypted by default. And so increasingly governments and criminals, if they would like the contents of your device, are forced to deploy malware. This means, again, that governments are increasingly hacking individual devices in order to spy on people. Obviously individual devices have become more hardened over time, some more so than others. For example, in recent years Apple rolled out a Lockdown Mode, which has been effective in keeping away pretty much every government attack that we have seen so far. Both Apple and Google have reported on numerous campaigns carried out by NSO Group and Paragon Solutions, sometimes even with zero-click zero-days, the fanciest form of 0-day, and none of those have worked against an iPhone in Lockdown Mode, which is pretty awesome.

So encryption was the fight of the last 30 years, and I won't go so far as to tell you that the encryption fight has been won. I am never going to run out of work to do. But most recently spyware has entered the chat as the way around that, and that's really one of the things that we are going to have to grapple with as an infosec community. If you are interested in hearing more, at five o'clock Cooper and I will be talking with Bill Marczak, doing a panel talking about whether or not cyber mercenaries and human rights can coexist. You will not be surprised to discover that my answer is, haha, no. Also a short panel, so short it's mostly just going to be me laughing. So thank you so much for coming to see our little comedy act. And here's to the dumbest cyber mercenaries. May they continue to give us things to talk about.

So there are no questions on the Slido, which is kind of hard for me to believe. So I'm going to say we'll have two minutes. We got two. No, we got 30 seconds. All right, guys. So here's the deal. If you got questions for our wonderful speakers here, Eva and Cooper, please give them one more round of applause. I believe the EFF has a table. We do, in the Sky View Lounge area. And they may even be there. There you go. So, hey, thank you. One more round of applause for our amazing speakers. And I got some stuff to think about, I'm telling you what.
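Editor's note on the sinkhole analysis described in the talk. The inference the speakers draw from the sinkholed secondary C2 (several times more distinct hosts beaconing on weekdays than on weekends, and mostly during local working hours, therefore a fleet of business machines) is worth writing down as a repeatable check, because the conclusion depends on an assumption that is easy to get wrong: the timezone the beacons are interpreted in. The block below is an added example written for this page, not EFF's sinkhole code and not taken from the talk. The log line format, the UTC-4 local offset (Dominican Republic standard time, assumed from the talk's geolocation), the 08:00 to 18:00 working-hours window, the 2x weekday/weekend ratio and the 70% working-hours threshold are all assumptions of this example, and the beacon log is constructed, not captured data.

```python
"""Profile sinkhole beacons by local day and hour to test the 'business
fleet' hypothesis. Added example, not EFF's code. All thresholds, the log
format and the UTC-4 local offset are assumptions of this example."""
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Hit(NamedTuple):
    when: datetime  # timezone-aware, normalized to UTC
    ip: str
    path: str


def parse_sinkhole_log(lines: Iterable[str]) -> List[Hit]:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ <client-ip> <request-path>' lines.
    Anything malformed is skipped rather than aborting the whole run."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].endswith("Z"):
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        hits.append(Hit(when.replace(tzinfo=timezone.utc), parts[1], parts[2]))
    return hits


def hosts_per_local_day(hits: List[Hit], utc_offset_hours: int) -> Dict[date, int]:
    """Distinct client IPs per local calendar day (the 'machines per day' count)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    seen: Dict[date, Set[str]] = defaultdict(set)
    for h in hits:
        seen[h.when.astimezone(tz).date()].add(h.ip)
    return {d: len(ips) for d, ips in seen.items()}


def weekday_weekend_averages(per_day: Dict[date, int]) -> Tuple[float, float]:
    """Average distinct hosts on Mon-Fri versus Sat-Sun."""
    weekday = [n for d, n in per_day.items() if d.weekday() < 5]
    weekend = [n for d, n in per_day.items() if d.weekday() >= 5]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(weekday), mean(weekend)


def work_hours_fraction(hits: List[Hit], utc_offset_hours: int,
                        start: int = 8, end: int = 18) -> float:
    """Fraction of beacons whose local hour falls in [start, end)."""
    if not hits:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    in_hours = sum(1 for h in hits if start <= h.when.astimezone(tz).hour < end)
    return in_hours / len(hits)


def looks_like_business_fleet(hits: List[Hit], utc_offset_hours: int) -> bool:
    """Assumed decision rule: weekday hosts >= 2x weekend hosts and at least
    70% of beacons inside local working hours."""
    weekday_avg, weekend_avg = weekday_weekend_averages(hosts_per_local_day(hits, utc_offset_hours))
    return weekday_avg >= 2 * weekend_avg and work_hours_fraction(hits, utc_offset_hours) >= 0.7


def make_sample_log() -> List[str]:
    """Constructed beacon log (not real data) for two weeks from Mon 2022-11-07,
    generated in UTC-4 local time and written out in UTC as a sinkhole would:
    weekdays 8 hosts beaconing at 09:00, 13:00, 16:00 local; weekends 2 hosts
    at 10:00 and 15:00 local. TEST-NET-3 addresses."""
    local = timezone(timedelta(hours=-4))
    start = datetime(2022, 11, 7, tzinfo=local)  # a Monday
    lines: List[str] = []
    for day in range(14):
        d = start + timedelta(days=day)
        hosts, hours = (range(10, 18), (9, 13, 16)) if d.weekday() < 5 else (range(10, 12), (10, 15))
        for host in hosts:
            for hour in hours:
                t = d.replace(hour=hour, minute=host).astimezone(timezone.utc)
                lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{host} /plugins/tv.zip")
    return lines


if __name__ == "__main__":
    sample = parse_sinkhole_log(make_sample_log())
    for offset in (-4, 0):
        wd, we = weekday_weekend_averages(hosts_per_local_day(sample, offset))
        print(f"UTC{offset:+d}: weekday avg {wd:.1f}, weekend avg {we:.1f}, "
              f"work-hours {work_hours_fraction(sample, offset):.0%}, "
              f"business fleet: {looks_like_business_fleet(sample, offset)}")
```

Run with the correct UTC-4 offset the constructed fleet is classified as business machines; run with the timestamps left in UTC, the 16:00 local beacons land at 20:00 and the working-hours fraction drops below the threshold, so the same data fails the rule. That is the point of keeping the offset an explicit parameter: the talk's weekday-versus-weekend argument only works once the beacons are read in the victims' local time, which is exactly what the geolocation step supplies.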