Hackers too leave their fingerprints as they attack enterprises and individuals and cyber security researchers have now developed a new technique to "fingerprint" them, spotting two prolific Russian-origin sellers of Windows exploits.
The team from cyber security firm Check Point, when analysing a complicated attack against one of their customers, noticed a very small 64-bit executable that was executed by the malware. The sample contained unusual debug strings that pointed at an attempt to exploit a vulnerability on the victim machine.
Even more importantly, the sample had a leftover programme database (PDB) path. "With the absence of any online resource with this implementation of CVE-2019-0859, we realised that we are not looking at a publicly available PoC, but rather a real-world exploitation tool. This intrigued us to dig deeper," the researchers said in a blog post on Friday.
Generally, researchers tend to look at the people behind a specific malware family as one unbroken unit.
"It's easier to envision that each and every component was written by a single person, team, or group. Truth is, writing advanced malware by nation-states or criminals involves different groups of people with various skills," said Check Point.
A cyber-espionage organisation of a nation-state, is likely to have hundreds or even thousands of employees in different groups and branches. In such an organisation, the workload of writing the common components is broken down among specialised teams, with different ones responsible for the initial access, collecting sensitive data, lateral movement, and more.
The Check Point team looked specifically at the small 64-bit binary from the incident response case. "It made a great candidate for us to fingerprint, as the executable was refined from code written by someone other than the exploit author.
"Moreover, the executable was separated from the main binary of the malware, an infamous crimeware, which made us believe that this exploit wasn't developed in-house by the malware developers," the researchers explained.
With a careful analysis of the samples, the team was able to understand which samples exploited which CVE. "At this point, we had more than 10 CVEs that we were able to attribute to the same exploit developer, based on our fingerprinting technique alone and without further intelligence," Check Point revealed.
Later on, public reports revealed the name of the target exploit seller: Volodya (aka Volodimir), previously known as BuggiCorp. "It seemed we were not the only ones to track this exploit seller, as Kaspersky reported some relevant information about them on several occasions".
According to Kaspersky, Volodya first made headlines under their "BuggiCorp" nickname, when they advertised a Windows 0-day for sale with a starting price of $95,000.
Across the years, the price went up and some of their Windows LPE 0-day exploits were sold at a price as high as $200,000.
Volodya sold exploits to both crimeware and APT groups. "The fact that we were able to use our technique, repeatedly, to track 16 Windows LPE exploits, written and sold by two different actors, was very surprising".
"We believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal," the researchers emphasised.