Unit 42, Palo Alto Networks' threat research arm, has investigated the actor behind the SquirtDanger malware, including a confessional blog, social media accounts and a Telegram channel of roughly 900 attackers co-ordinating their activity.
It reports that the code repository was posted by Russian cyber-criminal TheBottle, who was found to have been active on global underground marketplaces for years, distributing, selling and trading malware and source code. Its findings include the following:
Bad customer service - TheBottle has encountered several issues throughout his career as a malware author. According to Vitali Kremez of business risk intelligence company Flashpoint, TheBottle has been banned by underground marketplaces for multiple customer infractions, including not delivering adequate support for ongoing criminal activity.
Confessional posts - A confessional blog post purportedly written by TheBottle claims responsibility for creating several malware families, including Odysseus Project, Evrial, Ovidiy Stealer and several others.
Dodging responsibility - TheBottle's Twitter conversations shed some light on how he feels about individuals using his malware; for example: “It's written in my rules that I'm not responsible for using the program. Responsibility is borne by the buyer only”.
Co-ordinating attacks - A closer look at TheBottle's blog posting led to a Telegram channel exposing a group of roughly 900 individuals, most of whom appear to be Russian. Channel members are coordinating attacks, developing code, and trading or selling access to several different botnets and builders.
Hacker hangout - This Telegram group appears to be a common haunt of some prolific actors, some with high-profile ties, such as foxovsky, an underground actor known in underground communities as the author of the Rarog malware family. Additionally, the ‘1MSORRY’ actor, who is behind the 1MSORRY cryptocurrency botnet and other malware families distributed around the globe, was identified as a member of this community.
Earlier report 23/4/2018
Palo Alto Networks' Unit 42 researchers identified a new botnet malware family, described as “Swiss Army Knife malware”, that was designed by a veteran threat actor and is capable of taking screenshots and draining cryptocurrency wallets.
Dubbed “SquirtDanger”, the malware family was likely created by a Russian hacker using the handle “TheBottle” and delivered via illicit software downloads, also known as “warez”, according to a 17 April blog post.
The malware is also capable of stealing passwords, deleting malware, sending files, clearing browser cookies, listing processes, killing processes, getting directory information, downloading files, and uploading, deleting and executing files.
“Once run on the system, it will persist via a scheduled task that is set to run every minute,” researchers said in the post. “SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.”
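The one-minute scheduled task quoted above is the kind of persistence a defender can hunt for without any sample in hand. The script below is an added example, not code from Unit 42 or from the article: it parses Windows Task Scheduler task definitions in the XML form that `schtasks /query /tn <name> /xml` exports, converts each trigger's repetition interval (a one-minute repeat appears as `PT1M`) to seconds, and flags tasks that both repeat at or below a threshold and run an action from outside the Windows and Program Files directories. The two task definitions embedded in it are constructed for the example and are not SquirtDanger artefacts; the 60-second threshold and the trusted-directory list are assumptions to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace used by Windows Task Scheduler task definitions
# (the format that `schtasks /query /tn <name> /xml` exports).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimately installed task action normally runs from.
# Assumption for this example; tune to the environment being hunted.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT1M, PT30S, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyse_task(name, xml_text, max_interval=60):
    """Describe one task definition. 'suspicious' is True only when the task
    repeats at least once every `max_interval` seconds AND its action runs
    from outside TRUSTED_PREFIXES; each finding is listed in 'reasons'."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    # Strip surrounding quotes so "C:\path\x.exe" and C:\path\x.exe compare alike.
    commands = [(e.text or "").strip().strip('"')
                for e in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    tight = [s for s in intervals if s <= max_interval]
    untrusted = [c for c in commands if not c.lower().startswith(TRUSTED_PREFIXES)]
    reasons = []
    if tight:
        reasons.append(f"repeats every {min(tight)}s")
    for c in untrusted:
        reasons.append(f"action outside trusted directories: {c}")
    return {
        "task": name,
        "intervals": intervals,
        "commands": commands,
        "reasons": reasons,
        "suspicious": bool(tight) and bool(untrusted),
    }


def scan_tasks(tasks, max_interval=60):
    """Analyse (name, xml_text) pairs and return only the suspicious results."""
    return [r for r in (analyse_task(n, x, max_interval) for n, x in tasks) if r["suspicious"]]


# Constructed sample task definitions (not real SquirtDanger artefacts):
# one repeating every minute from a user-profile path, one hourly from C:\Windows.
SAMPLE_EVERY_MINUTE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2018-04-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\victim\AppData\Roaming\updater.exe"</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_HOURLY = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2018-04-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\example.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    hits = scan_tasks([("Updater", SAMPLE_EVERY_MINUTE), ("ExampleMaint", SAMPLE_HOURLY)])
    for hit in hits:
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

Requiring both conditions keeps the noise down: a one-minute repeat alone is not unusual for vendor tasks under `C:\Windows`, while a binary under a user profile with no tight schedule is a weaker signal. Feed it real definitions by exporting each task with `schtasks /query /tn <name> /xml` and passing the text to `scan_tasks`.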
The malware's suspected author is a well-known Russian cyber-criminal who has been active on global underground marketplaces for years. So far, researchers have spotted 1,277 unique SquirtDanger samples used across multiple campaigns.