Security Alert: The Shadow Brokers are Trying to Push Windows Hacking Tools to Mass Market


The Shadow Brokers are back with another “yard sale”, which may become the source of a new wave of attacks targeting systems running Windows.

For those of you new to the topic, The Shadow Brokers is a notorious threat actor or group of black-hat hackers credited with publishing exploits, vulnerabilities, and “powerful espionage tools created by the National Security Agency’s elite group of hackers” (source: Washington Post, August 2016).

The Shadow Brokers’ activity is also tied to The Equation Group, another threat actor whose level of sophistication astounded even some of the most experienced malware researchers in the world.

In August 2016, The Shadow Brokers sold a batch of hacking tools supposedly stolen from the NSA for 1000 Bitcoins. However, their auction was not as successful as expected.

But now the group is trying to sell another batch of Windows-based hacking tools. They announced the sale on Twitter, using a few words and two screenshots:

#Message7 theshadowbrokers.bit #ZeroNet

— theshadowbrokers (@shadowbrokerss) January 8, 2017

The newly advertised website claims that, for a total price of 750 BTC (Bitcoins), the buyer can purchase the entire database of hacking tools that The Equation Group used, which are entirely focused on the Windows platform.

The Shadow Brokers also provide a short description of the many different tools that can be used to compromise and remotely control Windows systems after they’ve been enrolled into a central botnet.

Here is the list of tools, their type and their respective prices:

DanderSpritz All – DanderSpritz Everything – 250.0 BTC
DanderSpritz Base – DanderSpritz LP Only – 25.0 BTC
PC2.2 – DanderSpritz RAT – 25.0 BTC
ST1.14 – DanderSpritz Backdoor – 25.0 BTC
LegacyWindowsExploits – DanderSpritz Exploits – 25.0 BTC
DAPU – DanderSpritz Plugin – 10.0 BTC
Dark Skyline – DanderSpritz Plugin – 10.0 BTC
Demi – DanderSpritz Plugin – 10.0 BTC
Df – DanderSpritz Plugin – 10.0 BTC
DmGz – DanderSpritz Plugin – 10.0 BTC
Dsky – DanderSpritz Plugin – 10.0 BTC
EP – DanderSpritz Plugin – 10.0 BTC
Flav – DanderSpritz Plugin – 10.0 BTC
Gath – DanderSpritz Plugin – 10.0 BTC
GeZu – DanderSpritz Plugin – 10.0 BTC
GrCl – DanderSpritz Plugin – 10.0 BTC
GrDo – DanderSpritz Plugin – 10.0 BTC
Grok – DanderSpritz Plugin – 10.0 BTC
Pacu – DanderSpritz Plugin – 10.0 BTC
Pc – DanderSpritz Plugin – 10.0 BTC
Pfre – DanderSpritz Plugin – 10.0 BTC
SCRE – DanderSpritz Plugin – 10.0 BTC
StLa – DanderSpritz Plugin – 10.0 BTC
Tedi – DanderSpritz Plugin – 10.0 BTC
UtBu – DanderSpritz Plugin – 10.0 BTC
Zbng – DanderSpritz Plugin – 10.0 BTC

The description of these tools (which you can see in the screenshots below) clearly states how they can be applied in practice. The database put up for sale also includes different types of exploits and other tools aimed at fuzzing Windows components.

[Screenshot: list contents]

[Screenshot: Shadow Brokers announcement]

The Remote Administration Tool (RAT) DanderSpritz, which we see in the list, also appears in several of the documents that Edward Snowden previously leaked. Now this tool, among other things, can be bought and used by cyber criminals.

The tools are constantly being monitored to identify whether they are used, standalone or in combination with other malicious software, and when and where that happens.

For more information, follow this website, but please know that you are doing so at your own risk:

https://onlyzero [.] net / theshadowbrokers.bit / page / windows /

While this sale could follow the path of the previous auction attempt by The Shadow Brokers, it could also mean that cyber criminals have a new set of tools they can use to launch attacks from new and unexpected angles.

*This article features cyber intelligence provided by CSIS Security Group researchers.

About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.