SecurityWeek
Developer of Advanced ‘Bachosens’ Malware Fails to Hide Identity

Symantec has been tracking the activities of a “lone wolf” hacker who has apparently developed a sophisticated piece of malware that he has used to access the systems of at least two major organizations. However, researchers believe the cybercriminal made a relatively small profit and failed to protect his real identity.

The security firm first spotted the malware, which it tracks as “Bachosens,” in 2014, but there is evidence that its developer had been launching attacks since as early as 2009. Given the malware’s sophistication, Symantec initially believed that the attacks involving Bachosens had been carried out by a nation-state threat actor, but further analysis revealed some rookie mistakes.

Bachosens, believed to have been delivered via spear-phishing emails, is a backdoor Trojan that gives its operator persistent access to the targeted system. In the attacks it analyzed, Symantec also spotted a keylogger, which researchers believe was manually pushed by the cybercriminal onto the infected device.

Unlike many other backdoors, which use HTTP or HTTPS to communicate with their command and control (C&C) servers, Bachosens uses DNS, ICMP and HTTP. The malware leverages a domain generation algorithm (DGA) to create C&C domains, but experts determined that the DGA is configured to only generate 13 domains per year.

Symantec has observed Bachosens infections on the systems of a Chinese autotech company and a large commercial airline. There is also evidence that the attacker targeted an online gambling firm, but his attempts failed.

While Bachosens is fairly advanced, the fact that the keylogger did not use any obfuscation, together with the discovery that one malware sample was packaged with an online game, led experts to conclude that these attacks were not the work of a sophisticated threat actor.

A closer analysis of strings found in the malware and domain registration data pointed researchers to a Russian-speaking individual who appears to reside in the town of Tiraspol in eastern Moldova. Tiraspol is the capital of the self-proclaimed state of Transnistria, where Russian is the dominant language.

The hacker, whom researchers have identified only as Igor, is apparently connected to an auto parts store, which explains why he would target the Chinese autotech company. Researchers said the cybercriminal stole car diagnostics software that retails for $1,100 and sold it for only $110 on various forums and on websites created specifically for that purpose. On the other hand, it’s unclear why Igor would target a commercial airline.

Experts said the hacker posted personal information on public car forums, exposing his real identity.

“The level of information the attacker knowingly or negligently revealed about himself online gave us high confidence that he is an individual involved in the auto industry who is based in this part of Eastern Europe,” Symantec said in a blog post.

“His likely location in Tiraspol may also explain why he appears to have such modest aims when it comes to the gains he seems to be making from cyber crime. Although it is hard to get official data given it is a disputed territory, the average monthly salary in Transnistria has been reported as being as little as a few hundred euro. In that context, selling stolen software online for a few hundred euro could represent quite the windfall for an individual based in that part of the world,” the company added.

While researchers have apparently obtained a significant amount of information on the malware and its developer, some questions remain, including how Igor managed to create a sophisticated piece of malware while doing such a poor job at protecting his identity. One possibility is that he acquired the malware from someone, but Symantec believes this is unlikely given that no one else has used Bachosens.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
