One threat actor appears to be behind several ongoing, related campaigns.
An ongoing DeathRansom malware campaign has been found by researchers to be part of a larger collection of malicious offensives, all carried out by an actor going by the nickname “scat01.”
According to Artem Semenchenko and Evgeny Ananin at FortiGuard Labs, evidence found on Russian underground forums and in their forensic investigations points to a significant connection between ongoing DeathRansom and various infostealing malware campaigns, all likely directed by one Russian-speaking individual living in Italy.
The first DeathRansom connection they were able to make was to an ongoing Vidar info-stealing campaign.
“[The samples] share the naming pattern and infrastructure used,” researchers explained in a recent blog. “We also found evidence that a Vidar sample tried to download the DeathRansom malware.”
Starting with a sample with a file name of “Wacatac_2019-11-20_00-10.exe,” the researchers found that it was being downloaded from a Bitbucket directory maintained by someone using the handle “scat01.” In looking at other malicious samples that accessed the same directory, they saw that one of them also contained standard Vidar libraries used to extract passwords from different browsers. This particular sample in turn was seen trying to download another DeathRansom variant that also used “Wacatac” in its name.
“DeathRansom uses the name ‘Wacatac’ to store crypto keys in a registry,” Semenchenko and Ananin explained. “Therefore, based on the same malware hosting, the same name pattern, and the fact that the Vidar sample tried to download a DeathRansom sample, we can conclude that the Vidar campaign and the DeathRansom campaign are run by the same actor, who uses scat01 as a Bitbucket profile name as well as a name for some malware samples.”
To dig deeper, they then looked for other malware samples containing the string scat01 – which revealed a cornucopia of malware types all apparently connected to this handle. The researchers found samples of the Azorult info-stealer that connects to a command-and-control (C2) server called “scat01[.]tk,” for instance, as well as other scat01 connections to the Evrial info-stealer and the 1ms0rryStealer.
The investigation also led them to a website called gameshack[.]ru, controlled by attackers and used to distribute malicious samples with scat01 attribution strings. The domain housed a root folder containing various malicious samples for downloader malware, which in turn fetched samples of the Evrial stealer and the Supreme cryptominer. The former listed scat01 in its owner field, while the latter was found to contain the Evrial stealer inside its body.
“This sample uses the same iplogger service for counting the infected hosts as the DeathRansom samples,” the researchers noted.
In total, they were able to link scat01 to campaigns using the Vidar stealer, Azorult stealer, Evrial stealer, 1ms0rryStealer and the Supreme miner – and of course DeathRansom, which began as a malicious joke – demanding a ransom without actually encrypting files. Recently though, FortiGuard Labs found that it has evolved into a fully fledged malware with real encryption capabilities.
Who is scat01?
The threat actor, scat01, turns out to (very likely) be a Russian-speaking cybercriminal living in Italy named Egor Nedugov, researchers said.
To find that out, the researchers embarked on a bonanza of web searches, following contact-info breadcrumbs across the internet.
For instance, scat01 was linked to a yandex.ru email address in the owner section of various samples. Semenchenko and Ananin thus decided to search underground forums for “scat01” – and found various additional connections to the malware constellation that they had previously uncovered.
A person with the scat01 nickname provided reviews (in Russian) of the Vidar stealer and Supreme miner; while another scat01 post on another forum has to do with the Evrial stealer. There was also a product review on Yandex.Market using the yandex.ru email address previously seen linked with the malware. This review was geotagged as being posted from Aksay, a small Russian town near Rostov-on-Don. The reviews all had the same profile picture.
“At this point, we are pretty sure that this Yandex profile is related to the scat01 profile we found on the Russian underground forum…as well as to the malware distributed from gameshack[.]ru,” the researchers noted.
From there, the duo attempted to link the scat01 handle with a real person. They got a hit when other searches turned up a YouTube channel advertising the gameshack[.]ru malicious website, with the username “SoftEgorka.” They also turned up a Skype link for the YouTube channel with the same username.
“When we searched for a SoftEgorka Skype user, we found [a] user profile on the same Russian underground forum #4,” the researchers noted. “This time the username ‘Super Info’ is used…By digging further among Super Info posts, we found an announcement about game accounts sales (Steam, WoT, Origin). Here we should note that stealers observed above are capable of stealing passwords from different games and game distribution platforms. This more indirect evidence that Super Info may be connected to the ongoing stealers campaign.”
The profile contained a WebMoney ID, which is also mentioned in another post from the same user, which contains yet another Skype address, “nedugov99.” After a search for that address, they found an old advertisement for the sale of a game account. That contained a mobile phone number belonging to the Rostov-on-Don region and an ID corresponding to the name Egor Nedugov.
“The name ‘Egor’ corresponds to one of the underground nicknames, SoftEgorka, and the surname Nedugov corresponds to the Skype account nedugov99,” the researchers said. “According to the profile, this individual lives in Rostov-on-Don. Remember that the Yandex review made by scat01 was done from Aksay – a small town near Rostov-on-Don.”
In looking at Instagram and Facebook accounts for Egor Nedugov, researchers found that he had lived in Italy for some time.