OffensiveWare Sold on Hacking Forums as Exploit Builder and Next-Gen Keylogger

Exterminator

Oct 23, 2012
The latest addition to the malware scene is a new set of hacking tools advertised under the OffensiveWare brand, available as rentable MaaS (Malware-as-a-Service) toolkits, and sold on hacking forums by the same crook that developed the Aaron Remote Installable Keylogger (ARIK) and Ancalog Exploit Builder.

First signs of this new service appeared at the end of August when the hacker behind these tools started posting ads about his new product on HackForums, a popular destination for wannabe hackers.

The ads, which also included presentational YouTube videos, led buyers back to the OffensiveWare website, where they could buy several types of tools advertised under the OffensiveWare brand.

OffensiveWare's remote keylogger
This list of tools included several variations of an exploit builder for weaponizing Office files (priced at $49, $99, $290) and a remote keylogger that also included a password dumper and screenshot-taking feature (priced at $80).

While the OffensiveWare author tried to boost his product by posting screenshots of good reviews he received from previous HackForums buyers, the OffensiveWare Remote Keylogger (ORK) was inferior to many spyware applications currently available on the same HackForums.

ORK currently includes the ability to steal passwords from email applications, browsers, social networks, and IM clients. Other keyloggers we wrote about in the past supported a larger number of targeted applications than ORK does, and also covered several other application types, such as Bitcoin wallets and FTP clients.

OffensiveWare's exploit builder
Nevertheless, putting aside the inferior keylogger, the exploit builder the crook was selling, the OffensiveWare Multi-Exploit Builder (OMEB), provided malware authors with a more useful tool.

According to the OffensiveWare dev, malware authors can use OMEB to create weaponized DOC, JS, HTA, VBS, or CHM documents, which in turn could leverage macros, UAC bypasses, and silent exploits to deliver and install the hacker's desired malware payload.


OMEB interface
Platforms such as HackForums are mostly populated with low-quality hackers, and you rarely see an exploit builder sold on the site, which is mostly filled with for-hire DDoS services, RATs, and keyloggers.

While OMEB stands out for being uncommon rather than advanced, the builder is simplistic and rather unsophisticated. The same opinion is also shared by Fortinet researchers, who didn't take long to identify various slip-ups in the malware's mode of operation.

"An inspection of the binary’s strings reveals that this malware [generated via OMEB] has been provided through the OffensiveWare platform," Fortinet's Joie Salvio writes. "This assertion is further supported by the fact that the IP address of the package download site is the same as the platform’s official website."

This means that a sysadmin could block access to the OffensiveWare website and prevent the malware from working altogether.

Professional MaaS services would never have been caught downloading malicious packages from the same server that hosts their website. A simple DDoS attack on this server, or a well-placed firewall rule, can sabotage the entire OffensiveWare operation.

This is the main disadvantage of (poorly-coded) MaaS services, which may be more accessible to unskilled attackers, but are also easier for security products to block.