8th April: Hydra Market shut down ++ Attack on retail chain ++ Remote access malware "Borat"

BKA and American authorities shut down illegal darknet marketplace "Hydra Market"

The server infrastructure of "Hydra Market", the world's largest and probably oldest illegal darknet marketplace, was shut down on Tuesday, 5 April. A total of 543 Bitcoin, worth around 23 million euros at the time, were seized.

The German Federal Criminal Police Office (BKA), working with US law enforcement, had been investigating Hydra Market since 2021. The identities of the operators and administrators are still unknown. After the German authorities announced the takedown, the US Treasury sanctioned Hydra "in a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site." The marketplace primarily traded drugs, but also offered stolen data, forged documents and digital services. In total, over 17 million customer accounts and more than 19,000 seller accounts were registered.

The investigation is directed against the still unknown operators and administrators. Hydra Market was a Russian-language darknet platform that had existed since at least 2015 and was reachable via the Tor network. Its sellers were located in Russia, Ukraine, Belarus and neighbouring countries.

Hydra's specialty was so-called "dead drop" delivery: vendors hide the purchased goods in public places and customers later pick them up, so buyer and seller never interact directly.

According to estimates by the Frankfurt public prosecutor's cybercrime unit (ZIT) and the BKA, it was the darknet platform with the highest turnover worldwide, at least 1.23 billion euros in 2021.

BKA – Pressemitteilungen 2022 – Illegaler Darknet-Marktplatz „Hydra Market“ abgeschaltet (press release, German)
Hydra: How German police dismantled Russian darknet site – BBC News
Darknet Hydra Market site seized and shut down: Department of Justice (cnbc.com)
Hydra Market: Deutsche Ermittler schalten illegalen Marktplatz im Darknet ab | ZEIT ONLINE

Cyberattack on British retail chain: "The Works" closes stores

The British retail chain "The Works" has fallen victim to a cyberattack that forced it to close several stores because their tills stopped working. Deliveries to stores have been interrupted, online orders are taking longer to process, and card payments were temporarily affected. The discount retailer operates around 530 stores in the United Kingdom and Ireland, selling books, toys, stationery and other products, with annual sales of around 300 million euros.

The company has since switched to new third-party providers for credit and debit card processing to keep payments secure. "Customers can continue to shop securely at The Works, both in-store (physically) and online," the company's statement said. "All debit and credit card payment data is processed securely outside the group's systems via accredited third-party networks, so there is no risk that this payment data has been accessed unlawfully."

The Works says the intruders did not have access to customer payment data, but it cannot yet rule out that other customer data was compromised. The Information Commissioner's Office (ICO) has been notified of the incident. As immediate measures, the company has, among other things, blocked all internal and external access to its IT systems and stopped forwarding e-mail communications to external providers. A team of cybersecurity specialists is working on recovery and on assessing the impact of the attack.

To date there is no evidence that it was a ransomware attack; according to Computer Weekly, no ransom demand has been made.

Experts report that small and medium-sized businesses have faced a growing number of attacks in recent months. One likely cause is the comparatively weak security controls companies of this size often have. Many still assume they are not interesting targets because they cannot pay large sums, but attackers increasingly go for the targets that are easiest to breach rather than the richest ones.

UK retail chain The Works shuts down stores after cyberattack (bleepingcomputer.com)
Discount retailer The Works hit by cyber attack (computerweekly.com)
The Works forced to close some stores after cyber-attack | Retail industry | The Guardian
The Works responds to cyber-attack | BCI (thebci.org)

Borat – new remote access malware detected

A new RAT (remote access trojan) has been found on darknet markets. Attackers can take control of keyboard and mouse and access files and network resources, and the malware is reported to be hard to detect.

The name refers to Sacha Baron Cohen's character Borat, whose 2006 film was a box-office hit. The naming is presumably due to the malware's "comical" features, which include playing audio, swapping the mouse buttons, showing or hiding the desktop and taskbar, freezing the mouse, tampering with the webcam light, turning off the monitor, and more. Unfortunately the malware is far more than a prank tool: its features also include DDoS attacks, UAC bypass and ransomware deployment.

According to Cyble, the deep and dark web intelligence company that first analysed the malware, it comes as a package that includes a builder, letting buyers pick and customize the capabilities they want, from keylogging and ransomware to process hollowing and credential theft.

Such tools are typically distributed "via laced executables or files that masquerade as cracks for games and applications, so be careful not to download anything from untrustworthy sources such as torrents or shady sites." Software should only be obtained from reliable, well-known sources.

BleepingComputer found one clue to the trojan's origin: the payload executable was identified as AsyncRAT, suggesting that Borat's author used the open-source AsyncRAT as a starting point.

Cyble will continue to monitor Borat and publish new findings on its website; the link to the full report is below.

Deep Dive Analysis – Borat RAT — Cyble
Borat RAT malware: A ‚unique‘ triple threat that is far from funny | ZDNet
New Borat remote access malware is no laughing matter (bleepingcomputer.com)
„Borat“ RAT-Malware: Eine „einzigartige“ dreifache Bedrohung, die alles andere als lustig ist – it-daily.net
Borat RAT: Neue Malware kombiniert Remote Access, Spyware und Ransomware – silicon.de
This New Remote Access Malware Called Borat Is No Laughing Matter (threatadvice.com)
Borat: new remote access trojan is no laughing matter (techunwrapped.com)

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company's other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.