Cybercriminal gangs that deploy ransomware seldom gain initial access to the target themselves. More often, this access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials, such as the usernames and passwords needed to connect to the target's network remotely. In this article, we'll take a look at the clues left behind by “Babam,” the pseudonym chosen by a cybercriminal who has sold such access to ransomware groups several times over the past few years.
Since the beginning of 2020, Babam has set up numerous auctions on the Russian-speaking cybercrime forum Exploit, mainly selling stolen Virtual Private Network (VPN) credentials from various companies. Babam has authored over 270 posts since joining Exploit in 2015, including dozens of discussion threads. However, none of Babam's messages on Exploit contain any personal information or clues as to his identity.
But in February 2016, Babam joined Verified, another Russian-language criminal forum. Verified has been hacked at least twice in the past five years, and its user database has been published online. That data shows Babam joined Verified using the email address “[email protected].” The latest Verified leak also exposed private messages exchanged by forum members, including over 800 private messages Babam sent or received on the forum over the years.
In early 2017, Babam told another Verified user via a private message that he was from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than using the Cyrillic alphabet. This is common among cybercriminals for whom Russian is not their mother tongue.
Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the address [email protected] was used in 2016 to register an account on filmai.in, a movie streaming service for Lithuanian speakers. The username associated with this account was “bo3dom.”
A reverse WHOIS lookup through DomainTools.com shows that [email protected] was used to register two domain names: bonnjoeder[.]com in 2011, and sanjulianhotels[.]com (2017). It is not clear if these domains have ever been online, but the mailing address on both records was “24 Brondeg Street” UK. [Full disclosure: DomainTools is a frequent advertiser on this website.]
A reverse search on DomainTools for “24 Brondeg St.” reveals another domain: wwwecardone[.]com. The use of domains beginning with “www” is quite common among phishers and among passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, for example by accidentally omitting the “.” after typing “www”.
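The “www”-fused pattern described above is easy to hunt for in a feed of newly registered domains or in outbound DNS logs. The following is an added example, not code from the article or from any of the services it mentions; the domain list is constructed for illustration, and the helper assumes a single-label TLD rather than consulting the public suffix list. It separates a legitimate `www.` hostname (where `www` is its own label) from a registrable label that begins with `www`, and reports which real hostname a victim most likely meant to type, which is what a brand-monitoring team needs in order to decide what to block or take down.

```python
import re

# Constructed sample input, for illustration only (not from the article).
SAMPLE_DOMAINS = [
    "www.ecardone.com",   # legitimate hostname: "www" is a separate label
    "wwwecardone.com",    # "www" fused into the registrable label: typosquat pattern
    "wwwebuygold.com",
    "www.bank.example",
    "wwwbank.example",
    "www.com",            # registrable label is just "www": nothing fused, nothing to flag
    "awwwsome.com",       # "www" not at the start of the label: not the pattern
]

# Registrable label of the form "www<brand>", where <brand> is at least one character.
WWW_FUSED = re.compile(r"^www(?P<brand>[a-z0-9-]+)$")


def _labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return domain.lower().strip(".").split(".")


def registrable_label(domain):
    """Return the label immediately left of the TLD.

    Assumption: single-label TLDs only (no public suffix list), which is
    sufficient to demonstrate the pattern; a production version should use
    a public-suffix library so that e.g. "co.uk" is treated as one suffix.
    """
    labels = _labels(domain)
    if len(labels) < 2:
        return None
    return labels[-2]


def fused_www_candidate(domain):
    """If `domain` looks like "wwwbrand.tld", return the hostname the
    victim probably meant ("www.brand.tld"); otherwise return None."""
    label = registrable_label(domain)
    if label is None:
        return None
    match = WWW_FUSED.match(label)
    if not match:
        return None
    tld = _labels(domain)[-1]
    return f"www.{match.group('brand')}.{tld}"


def flag_fused_www(domains):
    """Return {suspicious_domain: likely_intended_hostname} for every
    domain in `domains` that fits the fused-www pattern."""
    flagged = {}
    for domain in domains:
        candidate = fused_www_candidate(domain)
        if candidate:
            flagged[domain] = candidate
    return flagged


if __name__ == "__main__":
    for bad, meant in flag_fused_www(SAMPLE_DOMAINS).items():
        print(f"{bad:24} looks like a typosquat of {meant}")
```

Run over a daily new-registration feed, the output is a short list of candidates to compare against the brands you protect; the mapping to the intended hostname is what lets you confirm the lure before filing an abuse report or adding a DNS block.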
A DomainTools lookup on the phone number in the WHOIS records for wwwecardone[.]com – +44.0774829141 – leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a newer registration for the wwwebuygold[.]com domain – 44.0472882112 – is linked to two other domains – how to unlock iPhone for free[.]com, and pay portal[.]com. All of these domains date from 2012 to 2013.
The original registration records for the iPhone, Sagepay, and Gold domains share an email address: [email protected]. A search for the username “bo3dom” using the Constella service reveals an account on forum-ipmart.com, a now defunct forum devoted to computer products, such as mobile devices, computers and online games. This search shows user bo3dom registered on ipmart-forum.com with the email address [email protected], and from an internet address in Vilnius, Lithuania.
[email protected] was used to register multiple domains, including wwwsuperchange.ru in 2008 (again, notice the suspicious “www” in the domain name). Gmail's password recovery feature indicates that the backup email address for [email protected] is email@example.com. Gmail likewise shows [email protected] as the recovery email for that devrian27 account.
According to Constella, [email protected] has been exposed in multiple data breaches over the years, and in each case the account used one of two passwords: “lebeda1” and “a123456”.
Searching Constella for accounts using these passwords reveals a large number of additional “bo3dom” email addresses, including [email protected]. Pivoting to that address in Constella reveals that someone with the name Vytautas Mockus used it to create an account at mindjolt.com, a site with dozens of simple puzzle games that visitors can play online.
At one point, mindjolt.com was apparently also hacked, as a copy of its database at Constella indicates that [email protected] used two passwords on that site: lebeda1 and a123456.
A reverse WHOIS lookup on “Vytautas Mockus” at DomainTools shows the email address [email protected] was used in 2010 to register the domain name perfectmoney[.]co. That is a play on perfectmoney[.]com, an early virtual currency that was very popular with cybercriminals at the time. The telephone number associated with this domain registration was “86.7273687”.
A Google search for “Vytautas Mockus” indicates that there is a person by that name who runs a mobile catering business in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz – an official online directory of Lithuanian businesses – says that Palvisa was established in 2011 by a Vytautas Mockus, using the phone number 86.7273687 and the email address [email protected]. The report states that Palvisa is active, but has had no employees other than its founder.
Contacted via [email protected], Mr Mockus, 36, expressed his mystification as to how his personal information ended up in so many files. “I am not involved in any crime,” Mockus wrote in response.
Domains apparently registered by Babam over almost 10 years suggest that he started out mainly stealing from other cyber crooks. In 2015, Babam was heavily involved in “carding,” the sale and use of stolen payment card data. By 2020, he had focused almost entirely on selling access to businesses.
A profile produced by threat intelligence firm Flashpoint indicates that Babam received at least four positive comments on the cybercrime forum Exploit from crooks associated with the LockBit ransomware gang.
According to Flashpoint, in April 2021, Babam announced the sale of Citrix credentials for an international company engaged in laboratory testing, inspection and certification, which has more than $5 billion in annual revenues and over 78,000 employees.
Flashpoint says Babam initially announced that he had sold the access, but then reopened the auction because the potential buyer withdrew from the deal. Several days later, Babam republished the auction, adding more information on the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.
“Based on the statistics provided and reports from sensitive sources, Flashpoint analysts are confident that the compromised organization was likely Bureau Veritas, a France-based organization that operates in a variety of industries,” the company concluded.
In November, Bureau Veritas acknowledged that it had shut down its network in response to a cyber attack. The company did not say whether the incident involved ransomware and, if so, which strain, but its response to the incident is straight out of the ransomware attack response playbook. Bureau Veritas has not yet responded to requests for comment; its latest public statement, on Dec. 2, provides no further details on the cause of the incident.
Flashpoint notes that Babam's use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switched to using mostly Cyrillic in his forum comments and sales threads. Flashpoint said this could indicate that someone else has been using the Babam account since then, or, more likely, that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.
Lending credence to the latter theory, Babam still makes linguistic errors in his posts that suggest Russian is not his native language, Flashpoint found.
“The use of the double ‘n’ in words such as ‘проданно’ (correct – продано) and ‘сделанны’ (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation, because that would not be the correct spelling of the word,” Flashpoint analysts wrote.
“These types of grammatical errors are often found in people who have not received sufficient education in school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly and then accidentally or unknowingly spells it incorrectly, they make these kinds of mistakes. At the same time, colloquial language can be fluent or even native. This is often typical for a person who comes from the states of the former Soviet Union.”