Google TAG block domains belongs to one of Indian hack-for-hire group
Hack-for-hire groups constitute experts who offer hacking as a service to those entities who are not having the skills or the capability to do so and fully dependent on them for both offensive and defensive services.
Recently, Researchers from Google’s Threat Analysis Group (TAG) revealed that dozens of networks of ‘hack-for-hire‘groups in India have been operating. They break into the online accounts of businesses and individuals to steal data for paying clients. It has blocked dozens of malicious websites and domains such as myproject-login[.]shop, mail-goolge[.]com, or rnanage-icloud[.]com operated by hack-for-hire groups from India, Russia, and the U.A.E.
Google TAG attributed this campaign to Indian based hack for hire group, Rebsec Solutions situated in Amritsar. According to its dormant twitter account it is “Rebellion securities”. Its company website down for maintenance and also claims to offer corporate espionage as one of its services. As per records it was founded by Vishavdeep Singh in 2012.
Their campaign involved sending spear phishing emails containing malicious links when clicked, launches an attacker-controlled phishing page designed to siphon credentials entered by unsuspecting users. There target area includes government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain.
A similar set of cyber espionage activities targeting journalist, human right activists has been linked to Russian based actor Void Balaur investigated by Trend Micro in 2017.
TAG also detailed the activities of hack for hire group based in UAE which has the connections with the remote access Trojan called njRAT (aka H-Worm or Houdini).
In 2018, Amnesty International uncovered a phishing attempt by password reset lures to steal credentials from targets in government, education, and political organizations in the Middle East and North Africa.
Both the threat actors have similar pattern of maintaining persistence by granting an OAuth token to a legitimate email application like Thunderbird, generating an App Password to access the account through IMAP or linked the target’s gmail account to an adversary-owned account on a third-party mail provider.
On earlier investigation TAG discovered the attacker’s public website (no longer available) advertising account hacking capabilities for email and social media services. Based on TAG analysis it was revealed a spyware named “Hermit” was developed by Italian Spyware Company named RCS Lab who used this spyware to target Android and iOS users in Italy and Kazakhstan.
Hack for hire group generally proved beneficial for those countries that want to strong its foothold in cyber sphere but do not have the capability to incorporate.