The Dark Web and Deep Web are used primarily by cybercriminals and have become known globally through recent arrests of Dark Web marketplace operators. They are the parts of the web that commonly used search engines do not index. They can also anonymize the information of connected users, and criminals use this property to commit crimes. Cybercrime on the Dark Web and Deep Web ranges from fraud and prostitution, including child prostitution, to drug and gun transactions.
However, the types and numbers of cybercrimes on the Dark Web and Deep Web are soaring, and there is no countermeasure or service to counter them. Tracking actual criminals from anonymous data within a specific network or a specific website is a big challenge.
In this talk, the Horangi team presents its research on the Deep Web and shares its methods and the cases in which it attempted to collect samples.
POC 2018 - whatever talk_ Let's go OSINT using DeepWeb
1. Not for public distribution • Copyright 2018 Horangi Pte Ltd
03 NOV 2018
Horangi Pte Ltd
Horangi Pte Ltd
https://www.horangi.com
POC2018
November 8-9, 2018 Seoul, Korea
2.
08 NOV 2018
Horangi Pte Ltd
Horangi R&D
Let’s go OSINT using Deep Web.
3.
Tigers
Directing
Seunggi Jeong
Developing & Analyzing
Dasom Kim
Malware analysis
Sangsu Jeong
Contributor
Nikolay Akatyev
Jiyeon Kong
4.
1. Introduction
2. Motivation
3. Our tools
4. Research
5. Conclusion
6.
What is DeepWeb?
The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard web search engines for any reason. [1]
The Deep Web is mainly used to sell personal information, drugs, guns and malware-related products.
Surface Web
Deep Web
Dark Web
7.
DarkWeb Case
Trip to world beard competition ends in arrest for alleged dark web drug dealer [2]
Investigators tracked the transaction details of the suspect's Bitcoin wallet account. They then tracked his account on a social network and compared the dealer's text with his text.
According to the evidence presented in the Florida courts, investigators found many similarities between the two users, including the use of the word "cheers", frequent quotes, and occasional French articles.
9.
Motivation
Discovered a malware forum on the DeepWeb
Who are the next victims?
Who are the next attackers?
“ So how do we collect the critical information? ”
10.
Focus on DeepWeb
The Dark Web has useful data, but the amount of data is less than that of the Deep Web.
Deep Web
Dark Web
11.
Focus on Open Source
Open source to identify a user
Word
- Slang
- Nickname
- Discord Id
- Etc
Sample hashes
Time stamp
- dateparser ( python module )
Bypass anti-bot
- cfscrape ( python module )
Peerlyst, DarkWeb research 101 [3]
13.
Why did we choose NULLED?
A famous forum on the DeepWeb. It is a site that is usually difficult to discover, yet it is accessible from a normal browser.
NULLED
Sinister
raidforum
HOT
14.
NULLED - Malware forum
Product & Information
Dumps ( Database, ID & Password )
Malware ( Ransomware … etc )
Leak ( 0-day, 1-day ... etc )
Cracked software ( MS office … etc )
15.
NULLED - Malware forum
Payment
Unlimited access to some malware and hidden contents through payment in BTC or ETH.
17.
NULLED - Premium board
VIP Leaks & VIP Dumps
Account: eBay, amazon, Netflix, Steam, Spotify, etc
Key: express vpn, MS office, malwarebytes, etc
Coupon: eBay, amazon, Netflix, etc
18.
NULLED - Malware forum
Nulled’s characteristics
● Nulled uses Cloudflare
We need to bypass the Cloudflare DDoS protection solution
● Nulled blocks users who send a lot of queries
We set waiting times
( We tried other ways, but this way is the best )
● Nulled opens the hidden contents only to paid members
We need to buy the membership
20.
Our tools
Web tag tracker
21.
Our tools
Web tag tracker
Scanner ( real time )
● Notification of changed contents based on web tags
● the malware board on the Deep Web
● specific company information on the Surface Web
● cryptocurrency wallet addresses on the Dark Web
Analyzer
#Keyword: ID, Sample name, e-mail, etc
● The timeline
● Frequency information
● Comment count information
● User activity information
● The most popular sample
● The most active user name
29.
A specific user is sharing malicious code related to Discord, and we need to track his identifying information: timeline, activities, the most popular sample, related users, etc.
Let’s start tracking his identifying information using our tools.
30.
Let’s collect the open source about ObbedCode
31.
Add a filter
Specific user id
32.
Start 2017.11
First activity at 2017.11
33.
The most popular sample is the Discord token stealer.
The Discord token stealer is hotter than the other samples.
34.
The most popular sample is the Discord token stealer.
35.
The count & timeline of the Discord token stealer
36.
Our tools
Discord token stealer, 2018.01 - 2018.10
The amount of data in the graph is rapidly increasing.
37.
Most relevant users of the Discord token stealer
1. Felonious13Monk
2. Gayl0rd
3. RedPa456
4. TheBigGayThing
39.
He started activity in 2017.11.
His most popular sample is the Discord token stealer.
The Discord token stealer count increased over 2018.01 - 2018.10.
1. Felonious13Monk wrote many comments on his posts.
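The Analyzer views described on the "Our tools" slide (timeline, comment counts, most popular sample, most active user) and the findings above (first activity, most relevant users) can be reproduced with a few counters over scraped thread records. This is an added example, not Horangi's tool; the records are constructed and the field names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed thread records: poster, advertised sample, post time and the
# nicknames that commented. Made-up values, not data scraped from NULLED.
POSTS = [
    {"user": "ObbedCode", "sample": "Discord token stealer", "time": "2018-01-14 09:12",
     "comments": ["Felonious13Monk", "Gayl0rd", "Felonious13Monk"]},
    {"user": "ObbedCode", "sample": "Discord token stealer", "time": "2018-03-02 21:40",
     "comments": ["Felonious13Monk", "RedPa456"]},
    {"user": "ObbedCode", "sample": "SkyWyder RAT", "time": "2017-11-20 17:05",
     "comments": ["TheBigGayThing"]},
    {"user": "ObbedCode", "sample": "DynAmite", "time": "2018-02-11 12:30", "comments": []},
    {"user": "Felonious13Monk", "sample": "Discord token stealer", "time": "2018-03-09 08:00",
     "comments": ["ObbedCode"]},
]

def month(post):
    """Bucket a post into a 'YYYY.MM' key; the keys sort correctly as strings."""
    return datetime.strptime(post["time"], "%Y-%m-%d %H:%M").strftime("%Y.%m")

def first_activity(posts, user):
    """Month of the user's earliest post, or None if the user never posted."""
    months = [month(p) for p in posts if p["user"] == user]
    return min(months) if months else None

def sample_timeline(posts, sample):
    """Posts per month for one sample, as (month, count) pairs in time order."""
    return sorted(Counter(month(p) for p in posts if p["sample"] == sample).items())

def most_popular_sample(posts, user):
    """The user's sample that drew the most comments across all of its threads."""
    hits = Counter()
    for p in posts:
        if p["user"] == user:
            hits[p["sample"]] += len(p["comments"])
    return hits.most_common(1)[0][0] if hits else None

def related_users(posts, sample):
    """Nicknames that commented on the sample's threads, most frequent first."""
    hits = Counter(u for p in posts if p["sample"] == sample for u in p["comments"])
    return [u for u, _ in hits.most_common()]

def most_active_user(posts):
    """Poster with the most threads."""
    return Counter(p["user"] for p in posts).most_common(1)[0][0]
```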
42.
ObbedCode’s status
Overview
1. Target
ObbedCode
2. Abstract
This is the user who showed the most activity recently and a rapid change in a short period. This user mainly produces malware related to Discord and updates it frequently. In addition, he shares samples of cracked malware, and he is actively releasing his Discord ID.
3. Sample List
● SkyWyder RAT
● DynAmite
● Discord token stealer
44.
Resource
Sample Name             MD5
SkyWyder RAT            F1083F240EFC99D8C3DEEC8A1A062815
DynAmite                FCF4F7FDCE4BC49F307E048B13936D1F
Discord token stealer   427B959EA59621459BA6BA8DA81953C6
45.
Sample list
Sample Name             VirusTotal   Hybrid Analysis   Malwares.com
SkyWyder RAT            5 / 54       No result         No result
DynAmite                43 / 67      73 / 100          100 / 100
Discord token stealer   2 / 66       No result         No result
47.
SkyWyder RAT
Open Source
Created: May 10 2016
url
[1] Hack tool stuff, SkyWyder RAT Cracked Full and Final Edition [HackToolStuff]
https://hacktoolstuff.blogspot.com/2016/10/skywyder-rat-cracked-full-and-final.html
[2] Reddit, Slithx-Team
https://www.reddit.com/user/Slithx-Team/
48.
SkyWyder RAT
Overview - PE
Version:
● Visual Basic 6.0[Native]
Section:
● .text, .sedata, .idata, .rsrc
More
● BotKill, AVKiller, AntiVM,
Keylogger, Miner etc
49.
SkyWyder RAT
What is your intention?
50.
SkyWyder RAT
Not working
Trial or Error
51.
SkyWyder RAT
Codejock.ocx
COMDLG32.ocx
MSCOMCTL.ocx
resourcehacker
52.
SkyWyder RAT
53.
SkyWyder RAT
available
FTP, SMTP
54.
SkyWyder RAT
55.
SkyWyder RAT
56.
SkyWyder RAT
57.
SkyWyder RAT
58.
SkyWyder RAT
59.
SkyWyder RAT
61.
DynAmite
Open Source
Created: DEC 09 2010
url
[1] aaa
62.
DynAmite
Overview - PE
Version:
● .Net (MPRESS)
Section:
● .text, .rsrc, .reloc
More
● Unprotect
● Entropy 91%
● LOC 6086
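The "Overview - PE" slides for SkyWyder RAT and DynAmite list section names and an entropy figure; both come straight out of the PE section table, and a high-entropy section is the usual first hint that a packer such as MPRESS is in play. The following is an added example, not code from the talk: a stdlib-only section lister with per-section Shannon entropy, plus a helper that constructs a minimal PE so it runs offline (the 7.0 bits/byte packing threshold is an assumed rule of thumb).

```python
import math
import struct
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob):
    """List (name, raw_size, entropy) for each section of a PE image; raise on bad headers."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    out = []
    for i in range(nsec):
        hdr = blob[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        out.append((name, raw_size, round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 2)))
    return out

def packed_sections(blob, threshold=7.0):
    """Names of non-empty sections whose entropy suggests packing or encryption."""
    return [n for n, size, ent in pe_sections(blob) if size and ent >= threshold]

def build_pe(sections):
    """Constructed minimal PE (DOS stub, signature, COFF header, no optional header) for testing."""
    nsec, e_lfanew = len(sections), 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", e_lfanew + 24 + 40 * nsec   # raw data starts after the headers
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr) + bytes(16)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body
```

Run `pe_sections(open(path, "rb").read())` on a real sample to get the same section list the slides show; unpacking remains a separate step.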
63.
DynAmite
Before After
64.
DynAmite
Let’s do a deep analysis of this
● Extracted files
● The issue of http://darkerdyna.blogspot.com
● MS Office Macro
● CryptoLocker
65.
DynAmite
Extracted files
66.
DynAmite
Issue URL
67.
DynAmite MS Office macro
68.
DynAmite
Extracted files
● .bat
● .zip
● .crt
● .xml
● .exe
69.
DynAmite
70.
DynAmite
71.
DynAmite
SSL
73.
Discord token stealer
Open Source
Created: APR 07 2018
url
[1] aaa
74.
Discord token stealer
Overview - PE
Version:
● .NET
Section:
● .text, .rsrc, .reloc
More
● Send to Email
● Infected case
75.
Discord token stealer
76.
Discord token stealer
77.
Discord token stealer
Possible to send Email
78.
Discord token stealer
Possible to send Email
79.
Discord token stealer
80.
Discord token stealer
81.
Discord token stealer
82.
Discord token stealer
83.
Discord token stealer
84.
Discord token stealer
85.
Discord token stealer
86.
Discord token stealer
88.
Result
ObbedCode
Alone? Group?
89.
Result
Quick analysis of the forum is possible.
It is possible to quickly check the data that a specific user shares.
In addition to data on specific users, overall monitoring is also possible: for example, monitoring for a specific malware, for malware uploaded on a specific date, for cryptocurrency wallet addresses that are exposed on the dark web, and so on.
92.
Conclusion
Horangi OSINT Service
1. Support for investigating a specific target on the Deep Web
• Keep collecting the critical information from the DeepWeb & SurfaceWeb
• Threat intelligence to find the next victims & the next attackers
2. Expand the functions of our tools
• Add more visualizing modules
• Upgrade the bypass module for the Deep Web
93.
Reference
[1] Wikipedia, Deep Web. https://en.wikipedia.org/wiki/Deep_web
[2] The Guardian, Trip to world beard competition ends in arrest for alleged dark web drug dealer. https://www.theguardian.com/us-news/2017/sep/28/world-beard-moustache-competition-drug-dealer
[3] Peerlyst, DarkWeb research 101 - Dasom Kim. https://www.peerlyst.com/posts/darkweb-research-101-release-dasom-kim?trk=user_notification#comment-okw5QwAfWcD4yhneL
[4] IntSights, The Dark Side of Asia: An Inside Look into Asia's Growing Underground World. https://www.intsights.com/dark-side-of-asia-research-report
[5] Recorded Future, Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums. https://www.blackhat.com/docs/eu-16/materials/eu-16-Ahlberg-Chasing-Foxes-By-The-Numbers-Patterns-Of-Life-And-Activity-In-Hacker-Forums.pdf