There's truly no honor among (cyber-)thieves

Sep 5, 2016 01:15 GMT

A hacker who uses the name Pahan has had a prodigious streak infecting fellow hackers with all sorts of malware, presumably for his own gain.

The Internet is filled with "hacking forums" where people can learn about hacking and even download or buy hacking tools.

These are not the places where you find the malware and exploits used by APT (cyber-espionage) groups, tools that even the most up-to-date antivirus engines struggle to detect.

These are the places where common cyber-criminals peddle their pathetic attempts at developing malware, which, in most cases, are also kept under close surveillance by security firms, mainly because these forums are also available via Google and for everyone to view.

Hacker hacks other hackers to gain access to their hacking tools

According to a Sophos report, in the past year, a crook has spent most of his time targeting other hackers, just as much as targeting regular users.

Using the names Pahan, Pahan12, Pahan123, or Pahann, this individual has been posting ads for various hacking tools on several hacking forums, but Sophos has discovered that all these tools were infected with malware.

The most likely motives for his actions are that he's trying to learn what other hackers are up to, or trying to deploy keyloggers to steal passwords and hijack their malware/botnet control panels.

The hacker has been at it for the past ten months

Sophos reports on three instances when Pahan tried to infect others with malware-laced malware.

The first case dates back to an ad on an underground hacking forum where Pahan was providing a free download of the Aegis Crypter, a tool for obfuscating and hiding malware from antivirus scanners. According to Sophos, this tool was infected with the RxBot trojan.

The second incident dates to March 2016, when Pahan (using the Pahann nickname) was selling a version of the KeyBase keylogger that was infecting its buyers with the COM Surrogate malware, which then downloaded RxBot again, a trojan that enslaves computers inside a botnet.

The last incident dates back to July 2016, on LeakForums, where Pahan, using the name Pahan12, was offering a free version of a PHP-based RAT (Remote Access Trojan) called SLICK RAT. Sophos researcher Gabor Szappanos says SLICK RAT was infecting its victims with the KeyBase keylogger, which was collecting passwords and sending the data back to Pahan.

It's unknown how many wannabe hackers got infected with Pahan's malware, but as we've seen with a recently released RAT called Revenge, nowadays, hackers expect the hacking tools they download from such forums to be backdoored and usually perform a code audit before installing anything on their PCs.

Pahan's Aegis Crypter ad