Void Balaur | The Sprawling Infrastructure of a Careless Mercenary

Void Balaur is a prolific cyber mercenary group expanding its hack-for-hire campaigns globally through 2022, continuing to adapt its operations despite disruptions to its advertising personas. The group targets a broad mix of individuals and organizations, focusing on access to email and social media services (Gmail, Outlook, Telegram, Facebook, Instagram) and even hints at a potential link to the Russian FSO. #VoidBalaur #Hacknet #RocketHack #FSO #Gmail #Outlook #Telegram #Facebook #Instagram

Keypoints

  • Void Balaur is described as a highly active hack-for-hire/cyber mercenary group with a long history of offering private data access and targeting email and social media services.
  • New 2022 activity includes a broad set of targets across the US, Russia, Ukraine, and beyond, with particular interest in players tied to Russia.
  • Attacks tend to be generic or opportunistic and often take into account targets that use multi-factor authentication; the group aims at major providers (Gmail, Outlook, Yahoo), social media (Facebook, Instagram), messaging (Telegram), and corporate email.
  • A low-confidence link is noted between Void Balaur infrastructure and the Russian FSO, suggesting a possible customer relationship or resource sharing.
  • The hack-for-hire infrastructure relies on thousands of attacker-controlled domains with recurring patterns (e.g., mail-my-accounts-gmail[.]com, accounts-oauth-gmail[.]com).
  • Void Balaur marketed its services on Hacknet and RocketHack, offering remote access, content modification, and online reputation/manipulation services, with activity expanding onto dark web forums by 2019.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Phishing emails used to lure targets into providing credentials or visiting forged login pages. The report describes ‘phishing emails to lure targets into providing account credentials’, and phishing domains are used to harvest access.
  • [T1021.001] Remote Services – Attacks include ‘Remote access or perform requested actions on target PCs’, indicating use of remote access capabilities to operate on victims’ devices.
  • [T1078] Valid Accounts – Access to ‘Gmail, Outlook, Yahoo, Telegram’ and other services through stolen or misused credentials, described as the ‘collection of private data and access to specific online email and social media services’ (credential usage to access accounts).

Indicators of Compromise

  • [Domain] – account-mail-passport[.]ru, account-my-mail-gmail[.]com, accounts-oauth-gmail[.]com
  • [Domain] – accounts-my-mail-gmail[.]com, cloud-accounts-goglemail[.]com, cloud-myaccount-mail[.]ru
  • [IP] – 95.173.132[.]1 – observed resolving to the Russian FSO network briefly, then moving back to Void Balaur infrastructure
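A defender's use of the indicators above is to refang them and match them against DNS or proxy logs, and, because the report stresses that the infrastructure follows recurring naming patterns, to also flag domains that combine provider names with account/mail/oauth tokens outside the provider's real zone. The following is an added example written for this summary, not code from SentinelOne or the original report. The log format, the sample log lines and the lookalike scoring heuristic (token weights, threshold of 3, the legitimate-zone list) are constructed assumptions for illustration; the indicator strings are the ones quoted on this page.

```python
import re
from dataclasses import dataclass

# Indicators quoted from this summary, kept in their published defanged form.
DEFANGED_IOCS = [
    "account-mail-passport[.]ru",
    "account-my-mail-gmail[.]com",
    "accounts-oauth-gmail[.]com",
    "accounts-my-mail-gmail[.]com",
    "cloud-accounts-goglemail[.]com",
    "cloud-myaccount-mail[.]ru",
    "mail-my-accounts-gmail[.]com",
]
DEFANGED_IPS = ["95.173.132[.]1"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its machine-readable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# Hypothetical heuristic (not from the report): a lookalike names a large mail
# provider, or stacks account/mail/oauth-style tokens, in a registrable label
# that is NOT under the provider's real zone.
PROVIDER_TOKENS = ("gmail", "goglemail", "outlook", "yahoo")
ACCOUNT_TOKENS = ("account", "accounts", "myaccount", "oauth", "passport", "mail", "cloud")
LEGIT_ZONES = ("google.com", "gmail.com", "outlook.com", "live.com", "yahoo.com", "microsoft.com")


def in_legit_zone(domain: str) -> bool:
    return any(domain == z or domain.endswith("." + z) for z in LEGIT_ZONES)


def lookalike_score(domain: str) -> int:
    """Score a domain by provider/account tokens in its registrable label (naive eTLD+1)."""
    if in_legit_zone(domain):
        return 0
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else domain
    parts = registrable.split("-")
    score = 2 if any(p in PROVIDER_TOKENS for p in parts) else 0
    score += sum(1 for p in parts if p in ACCOUNT_TOKENS)
    return score


# Constructed DNS query log in a simple key=value format (assumption, not a real product format).
SAMPLE_DNS_LOG = """\
2022-05-03T10:12:07Z client=10.0.0.23 query=accounts-oauth-gmail.com type=A
2022-05-03T10:12:09Z client=10.0.0.23 query=mail.google.com type=A
2022-05-03T10:13:41Z client=10.0.0.51 query=cloud-myaccount-mail.ru type=A
2022-05-03T10:15:02Z client=10.0.0.77 query=secure-login-gmail-accounts.net type=A
2022-05-03T10:16:30Z client=10.0.0.77 query=www.example.org type=A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=(?P<type>\S+)$")


@dataclass
class Hit:
    ts: str
    client: str
    query: str
    reason: str  # "ioc" for an exact indicator match, "lookalike:<score>" for the heuristic


def scan_dns_log(text: str, iocs, threshold: int = 3):
    """Return hits for exact IoC matches first, then heuristic lookalikes at or above threshold."""
    ioc_set = {refang(i) for i in iocs}
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        q = m["query"].lower().rstrip(".")
        if q in ioc_set:
            hits.append(Hit(m["ts"], m["client"], q, "ioc"))
            continue
        s = lookalike_score(q)
        if s >= threshold:
            hits.append(Hit(m["ts"], m["client"], q, f"lookalike:{s}"))
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(f"{h.ts} {h.client} {h.query} [{h.reason}]")
```

Exact matches are reported separately from heuristic hits so an analyst can triage them differently: an IoC match is a direct lead, while a lookalike score only says the name fits the pattern and needs a look at registration and resolution history before being treated as Void Balaur infrastructure.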

Read more: https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/