A cyber mercenary group called Void Balaur, otherwise known as Rockethack, has been launching attacks against prominent targets worldwide, some of which have resulted in real-life consequences.
Trend Micro has been investigating the group for more than a year and believes it has been active since 2015, primarily in cyberespionage and data theft, selling the stolen information to anyone willing to pay the right price. In a report released Wednesday, Trend Micro notes that the group has targeted more than 3,500 individuals and businesses combined, some of them repeatedly.
Feike Hacquebord, a security researcher at Trend Micro, published a research paper titled Void Balaur: Tracking a Cybermercenary’s Activities, which takes a deeper look at the group’s activities, service offerings, targets, connections with other threat actors, and the consequences its attacks may have had for victims.
Hackers for hire
The group appeared on Trend Micro’s radar after a source provided the company with multiple phishing emails. The researchers initially believed these were the work of Pawn Storm, a Russian group that also goes by the names Fancy Bear, Sednit, and Strontium.
Although the emails were eventually attributed to Void Balaur, the researchers did find some overlap in targeting between the two groups; Void Balaur’s targets and customers were, however, far more diverse.
One of the group’s primary services is breaking into mailboxes and social media accounts. In some cases it can even deliver a complete copy of a target’s mailbox without any interaction from the victim, although this service goes for a higher price. That capability is especially concerning: obtaining a full mailbox copy with no user interaction would require something like an insider at the email provider or a compromise of the provider’s own infrastructure.
Beginning in 2019, Void Balaur also started selling the private data of Russian individuals. This data included the following:
- Passport and flight information
- Criminal records
- Credit history
- Account balance and statements
- Printouts of SMS messages
Trend Micro’s report states that it is difficult to determine how the group obtained such extensive information, especially the telecom data. Possibilities include the compromise of telecom engineers’ accounts or of the telecom systems themselves.
The group advertises on Russian-language underground forums such as Darkmoney and Probiv, where it appears to be well regarded: its reviews are almost unanimously positive.
Void Balaur has also targeted cryptocurrency exchanges and their employees, setting up multiple phishing sites to dupe customers and gain access to their wallets. The cryptocurrency exchange EXMO has borne the brunt of these attacks.
Using external reports from eQualit.ie and Amnesty International, Trend Micro identified other victims, including human rights activists, journalists, media organizations, and political news websites. The group also attacked several high-profile targets, including a former head of an intelligence agency, active government ministers, members of the national parliament of an Eastern European country, and even presidential candidates.
Based on Amnesty’s report, Void Balaur has also been found using simple but specialised malware. One such tool, known as Z*Stealer, is designed to harvest credentials from a wide range of programs, including instant messaging apps, browsers, email clients, RDP clients, and cryptocurrency wallets.
Another piece of malware on the group’s record is DroidWatcher, an Android tool which, in addition to stealing data, gives the operator spying and remote tracking capabilities.