Developer of Advanced ‘Bachosens’ Malware Fails to Hide Identity

Symantec has been tracking the activities of a “lone wolf” hacker who has apparently developed a sophisticated piece of malware that he has used to access the systems of at least two major organizations. However, researchers believe the cybercriminal made a relatively small profit and failed to protect his real identity.

The security firm first spotted the malware, which it tracks as “Bachosens,” in 2014, but there is evidence that its developer had been launching attacks since as early as 2009. Symantec initially believed that the attacks involving Bachosens had been carried out by a nation-state threat actor, given the malware’s sophistication, but further analysis revealed some rookie mistakes.

Bachosens, believed to have been delivered via spear-phishing emails, is a backdoor Trojan that gives its operator persistent access to the targeted system. In the attacks it analyzed, Symantec also spotted a keylogger, which researchers believe was manually pushed by the cybercriminal onto the infected device.

Unlike many other backdoors, which use HTTP or HTTPS to communicate with their command and control (C&C) servers, Bachosens uses DNS, ICMP and HTTP. The malware leverages a domain generation algorithm (DGA) to create C&C domains, but experts determined that the DGA is configured to only generate 13 domains per year.
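The DNS channel described above is the detail a defender can act on: a backdoor that talks to its C&C over DNS has to encode data in query names, which tends to produce many unique, random-looking subdomains under one registered domain, often with TXT or NULL record types. The following script is an added example, not code from Symantec or from the Bachosens analysis, and it does not implement the Bachosens DGA (which the article does not describe). It runs generic DNS-tunnelling heuristics over a constructed, hypothetical query log: per registered domain it counts distinct leftmost labels, measures their mean Shannon entropy and reports the share of TXT/NULL queries, then flags domains that show both subdomain churn and random-looking labels. The log format, the thresholds and the "last two labels" rule for the registered domain are assumptions for the example; a production detector would use the public suffix list and tune thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (hypothetical records, not real Bachosens traffic).
# Assumed format per line: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2017-06-01T10:00:01 10.0.0.5 A www.example.com
2017-06-01T10:00:02 10.0.0.5 A mail.example.com
2017-06-01T10:00:03 10.0.0.5 A www.example.com
2017-06-01T10:00:04 10.0.0.9 A img1.example.net
2017-06-01T10:00:05 10.0.0.9 A img2.example.net
2017-06-01T10:00:06 10.0.0.9 A img3.example.net
2017-06-01T10:00:07 10.0.0.9 A img4.example.net
2017-06-01T10:00:08 10.0.0.9 A img5.example.net
2017-06-01T10:01:00 10.0.0.7 TXT 3q9x0k2vz7m1.ctl-node-a.invalid
2017-06-01T10:01:05 10.0.0.7 TXT ab4t8pe1ny6c.ctl-node-a.invalid
2017-06-01T10:01:10 10.0.0.7 TXT k0s5d9wqx2fh.ctl-node-a.invalid
2017-06-01T10:01:15 10.0.0.7 TXT m7r1c3v8hj0z.ctl-node-a.invalid
2017-06-01T10:01:20 10.0.0.7 TXT p2l6e0g9ta4b.ctl-node-a.invalid
2017-06-01T10:01:25 10.0.0.7 A x5n1u8o3qc7d.ctl-node-a.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list:
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return records


def split_name(qname: str) -> tuple:
    """Return (leftmost_label, registered_domain).

    Assumption: the registered domain is the last two labels; a real
    detector would consult the public suffix list.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def profile_domains(records: list) -> dict:
    """Per-registered-domain statistics that matter for DNS-based C&C."""
    subs, entropies = defaultdict(set), defaultdict(list)
    txt_like, total = defaultdict(int), defaultdict(int)
    for r in records:
        sub, dom = split_name(r["qname"])
        total[dom] += 1
        if r["qtype"] in ("TXT", "NULL"):  # record types favoured for carrying data
            txt_like[dom] += 1
        if sub:
            subs[dom].add(sub)
            entropies[dom].append(shannon_entropy(sub))
    profile = {}
    for dom in total:
        ent = entropies[dom]
        profile[dom] = {
            "queries": total[dom],
            "unique_subdomains": len(subs[dom]),
            "mean_label_entropy": sum(ent) / len(ent) if ent else 0.0,
            "txt_ratio": txt_like[dom] / total[dom],
        }
    return profile


def flag_suspicious(records: list, min_unique: int = 5, min_entropy: float = 3.0) -> list:
    """Flag domains that show BOTH subdomain churn and random-looking labels.

    Requiring both conditions keeps ordinary CDN-style hosts (img1, img2, ...)
    out of the result even though they also produce many distinct subdomains.
    Thresholds are assumptions for the example.
    """
    profile = profile_domains(records)
    return sorted(dom for dom, p in profile.items()
                  if p["unique_subdomains"] >= min_unique
                  and p["mean_label_entropy"] >= min_entropy)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for dom, p in profile_domains(recs).items():
        print(f"{dom:22} queries={p['queries']:2} uniq={p['unique_subdomains']:2} "
              f"entropy={p['mean_label_entropy']:.2f} txt={p['txt_ratio']:.2f}")
    print("flagged:", flag_suspicious(recs))
```

On the constructed log, only `ctl-node-a.invalid` is flagged: `example.net` has five distinct labels but they are low-entropy (`img1`..`img5`), and `example.com` has too few. The same two-condition rule generalises to any DNS channel that encodes data in labels, which is broader than the single family the article discusses; the ICMP leg of the Bachosens channel would need a separate check on ICMP payload sizes and rates that this example does not cover.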

Symantec has observed Bachosens infections on the systems of a Chinese autotech company and a large commercial airline. There is also evidence that the attacker targeted an online gambling firm, but his attempts failed.

While Bachosens itself is fairly advanced, two details led experts to conclude that these attacks were not the work of a sophisticated threat actor: the keylogger used no obfuscation at all, and one malware sample had been bundled with an online game.

A closer analysis of strings found in the malware and domain registration data pointed researchers to a Russian-speaking individual who appears to reside in the town of Tiraspol in eastern Moldova. Tiraspol is the capital of the self-proclaimed state of Transnistria, where Russian is the dominant language.

The hacker, whom researchers have identified only as Igor, is apparently connected to an auto parts store, which explains why he would target the Chinese autotech company. Researchers said the cybercriminal stole car diagnostics software that retails for $1,100 and sold it for only $110 on various forums and on websites created specifically for that purpose. On the other hand, it’s unclear why Igor would target a commercial airline.

Experts said the hacker posted personal information on public car forums, exposing his real identity.

“The level of information the attacker knowingly or negligently revealed about himself online gave us high confidence that he is an individual involved in the auto industry who is based in this part of Eastern Europe,” Symantec said in a blog post.

“His likely location in Tiraspol may also explain why he appears to have such modest aims when it comes to the gains he seems to be making from cyber crime. Although it is hard to get official data given it is a disputed territory, the average monthly salary in Transnistria has been reported as being as little as a few hundred euro. In that context, selling stolen software online for a few hundred euro could represent quite the windfall for an individual based in that part of the world,” the company added.

While researchers have apparently obtained a significant amount of information on the malware and its developer, some questions remain, including how Igor managed to create a sophisticated piece of malware while doing such a poor job of protecting his identity. One possibility is that he acquired the malware from someone else, but Symantec believes this is unlikely given that no one else has been seen using Bachosens.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
