The distributor of the ransomware-as-a-service (RaaS) product known as “Philadelphia” executed an aggressive spam campaign on the jabber messaging platform last month, enticing would-be cybercriminals to purchase its crimeware, Israeli consulting and intelligence company ClearSky Cyber Security reported in a blog post this week.
This anti-security vendor, which calls itself The Rainmaker Labs, also set up a professional website in February 2017 to advertise its highly customizable ransomware service, followed by a video promoting the product. (Security blogger Brian Krebs originally reported on the video in March.) After analyzing this online store and its domain, ClearSky has determined that the vendor pushing Philadelphia may not be Russian as previously assumed, but actually Brazilian.
Sold for around $400, Philadelphia is a updated version of an RaaS product known as Stampado. In an interview with SC Media, Sergey Shykevich, head of research at ClearSky, said that for a week in mid-April the Philadelphia spam campaign was sending between five and 10 spam advertisements per day. “Jabber spam advertising illegal services [has become] more popular lately,” said Shykevich. Such activity suggests that Rainmaker is expanding its activity and marketing budget, the company theorizes in its blog post.
The spam campaign itself touts many of Philadelphia’s key features and attributes, boasting that it bypasses firewalls and User Account Control, and allows buyers to generate unlimited builds, track their attacks via maps and PDF reports, edit content, and specify which countries to attack or avoid.
None of the features mentioned in the jabber messages was brand new, as the last update of Philadelphia took place before the spam campaign on March 19. What is new, said Shykevich, is the method of promotion.
The new website advertises not just Philadelphia, but also Stampado and other malicious services and tools, including CyanoBinder, a file joiner; SkypeBomber, a phone distributed denial of service tool; V-Eye, a remote access trojan spyware program; RemoTV, an application that opens a hidden modified TeamViewer app and sends over the credentials; and Mailer, a PHP script that sends emails to multiple addresses simultaneously. ClearSky notes in its blog post that the prices for these tools are relatively low, compared to other cybercrime vendors’ offers.
Researchers also found that the same person or group who registered the domain of The Rainmaker’s online store also registered three others domains featuring the tern “Viracopos,” which is the name of an international airport in Brazil that operates a website under the domain viracopos.com. “So we can assume that the malware vendor conducted in 2016 some kind of phishing activity connected to the Viracopos airport,” reported ClearSky, noting that the malicious Viracopos domains were registered using legitimate names.
These findings, combined with the observation that the vendor used English, and not Russian, while recently communicating in one of the main Russian cybercrime forums, have convinced ClearSky that The Rainmaker is actually from Brazil, and not Russia as originally theorized.
ClearSky also reported finding a mirror Rainmaker website, registered in May 2016 and active through last week, which listed a phone number connected to a network of more than 1,000 domains, all of which were likely malicious while in operation (they are now defunct).
“What the marketing of Philadelphia and the increasingly aggressive and professional marketing of other crimeware demonstrates is that we’ve reached the point where malware has really morphed into a business,” said Alan Brill, senior managing director in the Cyber Security & Investigations practice of corporate investigations and risk consulting firm Kroll.
“These vendors and criminals understand that one product doesn’t make a catalog. They are developing an increasing range of products at different price points and levels of sophistication. It’s to their advantage to keep up with the latest trends,” Brill continued. “They believe that they can get away with being publishers in what I suspect they would refer to as their new cybercrime ecosystem.”