- The information-stealing malware dubbed M00nD3v Logger was recently auctioned off on Hack Forums, together with HakwEye Reborn.
- The threat actor – operating under the alias “M00nD3v” – states that they sold the malware in response to being diagnosed with COVID-19.
- M00nD3v was previously involved in sales of the infamous HawkEye information stealer.
- Blueliv research indicates that it is quite likely that M00nD3v is based in Islamabad, Pakistan.
- Blueliv analysts uncovered links between M00nD3v and several other aliases on Hack Forums, including the one that nominally “purchased” HawkEye from M00nD3v in December 2018, CerebroTech.
On June 14, 2020, the rights to a new up-and-coming information stealer, dubbed the M00nD3v Logger, went up for sale on the cybercriminal watering hole Hack Forums.
At first glance, this isn’t terribly strange. The cybercriminal underground is, after all, a place of commerce, in which goods and services are bought, rented, swapped, cracked, and everything in between. In fact, the threat actor offering the M00nD3v Logger rights for sale, M00nD3v, had offered the rights to the popular HawkEye stealer for sale about a year and a half prior. But the motivation for this sale is what made it stand out. According to the threat actor, the M00nD3v Logger was being offered for sale due to financial hardships caused by… a COVID-19 diagnosis.
The M00nD3v Logger
The M00nD3v Logger is an information-stealing malware offered for sale by the threat actor “M00nD3v” (formerly known as “NoCTRL”). Sales of the malware began on Hack Forums in April 2020.
Image 1: A portion of the graphic used to advertise the M00nD3v Logger. Flashy advertising graphics are commonplace on Hack Forums.
According to the Hack Forums advertisement, the M00nD3v Logger has the following features:
- Exfiltrates data via SMTP, FTP, or “proxy”
- Monitors keystrokes and the clipboard, encoded with unicode with support for all languages
- Takes screenshots
- Takes photos with the webcam
- Password stealer that steals information from browsers, email clients, FTP, and more. The stealer uses its own custom code, coded in .NET
- Kills antivirus and other bot processes
- Avoids being killed and grants administrator privileges
- Uses a light stub of 150 kb
M00nD3v created multiple sales threads advertising the M00nD3v Logger on Hack Forums. In one sales thread, M00nD3v lists five different pricing models for the malware, seen in Image 2 below. Updates and rebuilds are included in the price. Prior Blueliv research has found that information stealers are typically priced at roughly $100 USD when available for outright purchase, putting the M00nD3v pricing in a fairly normal range.
Image 2: M00nD3v’s pricing structure for the M00nD3v Logger.
M00nD3v: HawkEye Threat Actor
M00nD3v registered on Hack Forums on February 23, 2017. The threat actor rose to prominence – using the alias NoCTRL at the time – with their first major malware offering, HawkEye.
HawkEye is a credential stealer with keylogging capabilities. Since its initial release, the malware has been cracked and released on various occasions, making it widely available to all kinds of cybercriminals. Research by Blueliv analysts in June 2018 found that HawkEye was among the top five most active stealer families, as measured by number of samples detected in H1 2018.
In December 2018, however, M00nD3v authored a post on Hack Forums in which they offered the rights to Hawkeye for sale, stating:
…recently I was selling [HawkEye] since I have official rights. Due to some critical situation, the original coder has decided to sell his project with full rights.
The rights to HawkEye were acquired by the threat actor operating under the alias “CerebroTech,” who proceeded to sell the malware under the “HawkEye Reborn” branding.
Image 3: CerebroTech began offering HawkEye Reborn for sale on Hack Forums on January 2, 2019.
Forever the Sickest Kid: M00nD3v
On June 12, 2020, M00nD3v did what most people do when they learn of a serious diagnosis: they logged into their account on a criminal forum and shared the difficult news.
It’s not unusual for cybercriminals to claim sickness – especially as an excuse for poor customer service or response times – but M00nD3v took the extraordinary step of actually sharing an image showing a positive lab result for COVID-19.
Image 4: The lab results shared by M00nD3v are dated June 12, 2020, the same date the threat actor shared the image on Hack Forums.
A reverse image search for the medical facility’s logo revealed that the results likely came from the Islamabad Diagnostic Centre located in Islamabad, Pakistan. M00nD3v went on in the thread to state that they’re “less than 24” years old.
Image 5: The Facebook page for the Islamabad Diagnostic Centre uses the same logo as seen in the report shared by M00nD3v. The page also spotlights the center’s drive through COVID-19 testing.
The image from the Islamabad Diagnostic Centre is not the first piece of evidence indicating that the threat actor may be based in Pakistan. M00nD3v has also posted a series of videos detailing how to setup the M00nD3v Logger in which interesting information is revealed. In some of these videos, the threat actor’s screen can be seen making a Google search, with several of the search suggestions relevant to Pakistan.
Image 6: Still from a video made for clients of the M00nD3v Logger.
Image 7: Another still from a video made for clients of the M00nD3v Logger.
The suggested searches with ties to Pakistan include:
- Gul Ahmed – Pakistani textile company
- Gujranwala – city in Pakistan
- Gul Panra – Pakistani singer
- A trio of searches relating to Urdu, the national language of Pakistan
Thanks to these findings we can state that M00nD3v / NoCTRL is quite likely located in Pakistan, probably in or near Islamabad.
Lights, Camera, Auction: Malware for Sale
As a result of M00nD3v’s COVID-19 diagnosis, the threat actor decided to auction off their rights to the M00nD3v Logger and Hawkeye Reborn, as well as another project dubbed NetSeal Manager. NetSeal Manager is described as a tool for managing malware clients. M00nD3v originally offered the trio as a bundle, but at the suggestion of community members, the threat actor separated the auction into two separate offerings: one for the M00nD3v Logger and another for HawkEye Reborn, each coming with a version of the NetSeal Manager.
Image 8: M00nD3v Logger auction on Hack Forums. The threat actor states that they “really really need money”.
The auction pricing is as follow:
- Hawkeye Reborn:
- Starting bid: $1,000 USD
- Buy it now price: $2,500 USD
- M00nD3v Logger:
- Starting bid: $1,000 USD
- Buy it now price: $3,000 USD
To promote the sale of the malware, the threat actor shared their recent earnings and client numbers. According to the threat actor, in the past four months they had made over $12,000 USD and amassed over 350 clients. M00nD3v noted that they did that without actively advertising the product.
Image 9: Image of the NetSeal Manager showing information relevant to M00nD3v’s malware products.
It’s not clear if these numbers reflect earning from Hawkeye Reborn, M00nD3v Logger, or both. The same image was included in the auction threads for each individual product as well as the bundle offering both of them.
Final Bid: Auction Concludes
On June 20, 2020, M00nD3v announced the end of the auction, indicating that the bundle of projects had been sold to the threat actor “Autolog19.” A few days later, in a strange twist, Autolog19 offered the projects for sale again. In Autolog19’s new auction thread, the threat actor states that “My only intention to purchase the project was to help [M00nD3v] fight his corona disease.”
According to Autolog19, the collection of projects was purchased from M00nD3v for $2,000 USD. Autolog19 was seeking to recover some, if not all of those costs. The starting bid for the auction was $500 USD, with a buy-it-now price of $1,200 USD until June 27th, after which the buy-it-now price would be increased to $1,500 USD. At least one threat actor has expressed interest in the sale.
At the end of their auction thread, Autolog19 left a curious disclaimer:
If the project is not sold by 30th June’2020 i will give the ownership back to M00nd3v free of cost by default and i will say bye to HF and delete my other contact info and emails.
If M00nd3v is able to fight corona and returns , he will be the owner of the project if not sold or else his works and efforts will be lost forever.
Multiple Identity Disorder
Now, it’s curious to see M00nD3v offering for sale the rights to HawkEye Reborn, a malware that M00nD3ev apparently sold off to CerebroTech in December 2018. An investigation by Blueliv analysts suggests that M00nD3v and CerebroTech are in fact one and the same, and that usage of multiple aliases is somewhat of a pattern for M00nD3v, who controls different identities on Hack Forums.
Link between M00nD3v/NoCTRL and fmuhammad51: Richard Rivers
When M00nD3v registered on Hack Forums in 2017 – at the time using the alias NoCTRL, before their subsequent name change to “M00nD3v” on the same account – the threat actor also stated that they go by “Richard Rivers.”
Image 11: M00nD3v introduces themselves on Hack Forums in a post titled “Its [sic] Richard Rivers here…”
Looking carefully into that name reveals a link between “Richard Rivers” and the email address fmuhammad51@gmail[.]com:
Image 12: A post on a tech support forum from 2018 reveals a link between the aliases “Richard Rivers” and “fmuhammad51.”
Interestingly enough, fmuhammad51 is a registered user of Hack Forums, being member since December 2010. The account has been inactive since 2012. Much of fmuhammad51’s activity on Hack Forums was related to RATs, crypters, and malware in general.
Image 13: fmuhammad51 offers infected bots to the members of the Hack Forums community in June 2011.
A quick Google search for the fmuhammad51 nickname shows that it is not really common, returning just a few results. One of these results is especially interesting. In a forum where the user was later banned, the individual self-identifies their location as “Pakistan” stating that they are interested in “hacking,” that they work as a “Government Employee” and that their birth date is December 25, 1985. Blueliv analysts believe it is more likely that M00nD3v/fmuhammad51 was indeed born in 1985 instead of being “under 24” as they claimed on Hack Forums following their COVID-19 diagnosis.
Image 14: The alias fmuhammad51 was active on a forum related to mobile devices from 2010 to 2013.
All this could be just an interesting coincidence with no strong links between fmuhammad51 and M00nD3v. However, 9 years ago, the group LulzSec leaked different databases as their final movement before “retirement”, including the database of Hack Forums. In this database which contains information about 200,000 users of the forum, we can see that the user fmuhammad51 used the e-mail address fmuhammad51@gmail[.]com to register on Hack Forums, used the birth date December 25, 1985 and used different IP addresses located to Pakistan, Islamabad, the same origin as NoCTRL/M00nD3v. Blueliv analysts believe it is quite likely that both accounts are linked to the same individual, located in Pakistan.
Image 15: The Hack Forums user fmuhammad51 used the same e-mail address tied to Richard Rivers, fmuhammad51@gmail[.]com, and was connecting from Pakistan.
CerebroTech did not have a prolonged presence on Hack Forums leading up to the HawkEye Reborn auction. The threat actor registered on Hack Forums on December 18, 2018, only two days before the rights to HawkEye were offered for sale. After winning the HawkEye auction, the threat actor began to advertise the malware on the forum starting in January 2019. By March 2019, however, the thread advertising HawkEye Reborn had become inactive. This fact and the new auction of HawkEye Reborn by M00nD3v after it was already sold to CerebroTech might indicate that M00nD3v and CerebroTech are indeed handles managed by the same person. Blueliv researchers also found further compelling evidence linking M00nD3v to CerebroTech, based on leaked databases and collected intelligence from both profiles.
Furthermore, when CerebroTech registered on Hack Forums in 2018. In their introduction post, another forum member noted that the IP used by CerebroTech was the same as three other users on the forum.
Image 16: Hack Forums members “.fury” states that CerebroTech apparently shares an IP with three other registered members of Hack Forums. They include a screenshot that shows “Latest IP Matching Other Members: 3”
CerebroTech stated elsewhere that they use a VPN to connect to Hack Forums. To be fair, it is quite common for cybercriminals to do that when accessing forums. On the other hand, Blueliv analysts have identified three accounts connected to this single threat actor: CerebroTech, NoCTRL/M00nD3v, and fmuhammad51. Blueliv analysts believe that it is likely that M00nD3v operates a fourth alias on Hack Forums as well. While it is not explicitly known who CerebroTech shares and IP with, this is a possible explanation.
Analysts have published research on the usage of COVID-19 as a theme in carrying out phishing and malware attacks, and its impact on cybercrime as an industry. However, this story reminds us of both the human element of cybercrime and the human impact of COVID-19. Cybercriminals are not excluded from the victims of the pandemic, and COVID-19 can indeed affect the underground ecosystem and malware activity.
Continuing on the theme of the human element of cybercrime, cybercriminals aren’t infallible tech savants with bulletproof OPSEC, as witnessed in the case of M00nD3v. Rock solid OPSEC is difficult to maintain, and even small details such as suggested Google searches in a YouTube video or emails used on unrelated tech support forums can provide critical hints into the (multiple) identity of a threat actor.
While it’s not clear what the aim of HawkEye’s nominal changing of hands was, it highlights how there may often be more than meets the eye in the underground. At the end of the day, these individuals are cybercriminals, with many of them experienced in social engineering techniques necessary to distribute their malware; such social engineering of their fellow forum members logically also occurs.
This blog post was authored by the Blueliv Labs team.