The ShadowBrokers have promised the release of NSA exploit UNITEDRAKE which remotely targets Windows machines to subscribers.
This week, the threat group posted an update to the Monthly Dump service, which will now include two cache dumps every four weeks for subscribers. The changes have been made potentially as a means to drum up extra interest for cyberattackers, government groups, or vendors which have chosen to subscribe to the service to gain access to the stolen exploits and malware samples.
As noted by Joseph Cox, the September dump includes a manual for UNITEDRAKE (.PDF), modular malware which remotely targets Microsoft Windows machines. Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. UNITEDRAKE, described as a "fully extensible remote collection system designed for Windows targets," also gives operators the opportunity to take complete control of a device.
The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation users, stealing diagnostics information and self-destructing once tasks are completed.
These tools were developed and used by the US National Security Agency (NSA) to perform mass surveillance and bulk hacking worldwide, and only came to light due to Edward Snowden's disclosures in 2014. ShadowBrokers has now chosen to only accept Zcash (ZEC), rather than Monero (XMR). This may be related to the work of a researcher wh1sks, who estimates that the group was able to make up to $88,000 in July alone.
In a blog post, the researcher explained that they were able to scrape the email addresses and payment IDs (PIDs) on the Monero (XMR) blockchain. In addition, Monero lacks encrypted memo fields, which would force the ShadowBrokers to use multiple channels to send files, while using ZEC ensures content can be sent straight to an email address.
To further capitalize on the theft, the hackers have made previous dumps available for purchase, with prices ranging from 100 ZEC ($24,000) to 1600 ZEC ( $3.8m). In August last year, the cyberattack group attempted to sell off its full cache of exploits through an "auction" which demanded millions of dollars' worth of Bitcoin. However, after falling flat, it seems subscriptions are more lucrative -- at least while the vulnerabilities last.
The subscription service is shrouded in secrecy, but several months ago, one subscriber came out in public. The subscriber, going under the name fsyourmoms, complained that the "Wine of the month" club was a rip-off. "TheShadowBrokers ripped me off," the subscriber said. "I paid 500 XMR for their "Wine of the Month Club" and only they sent me a single tool that already requires me to have a box exploited.
A tool, not even an exploit! The tool also looks to be old, and not close to what the ShadowBrokers said could be in their subscription service." A leaked NSA exploit called EternalBlue became the platform for the recent WannaCry ransomware attackers which crippled businesses and core services worldwide.
Download SafeUM — communicate privately, without advertising and spam.
