Sophos researchers have found a hacker who infects other hackers with his own malware

Experts from Sophos have described an interesting case they observed. While monitoring various hacker forums, the researchers noticed a user going by the nickname Pahan (aka Pahan12, Pahan123 or Pahann) who was distributing various malware. As it turned out, he was not sharing a variety of hacking tools in open access as an act of kindness. Pahan intentionally infected those tools with his own malware and was “hunting” other hackers.


It is no secret that hacker resources of all kinds exist not only on the darknet but on the regular Internet as well. On these sites and forums, people exchange experience and discuss not-quite-legal tools and attack techniques (usually under the close supervision of law enforcement, because the resources are indexed by Google search and open to anyone who wishes to join). On one of these resources (LeakForums), experts from Sophos first noticed the user pahan12, who was offering his remote access Trojan SLICK RAT for sale to everyone. As subsequent analysis showed, those who acquired SLICK RAT eventually became infected with the KeyBase malware, which pahan12 had put in the code. KeyBase stole the unlucky hackers’ passwords and sent them to the attacker’s website. Experts believe that this is not a coincidence, because the link contains the text “pahan123”. Researchers believe that the attacker then used the stolen credentials for accounts on various hacker forums to enhance his own reputation.

Intrigued, the experts continued to investigate and soon discovered that Pahan does not limit himself to distributing SLICK RAT and operates on more than just the aforementioned website.

It turned out that in November 2015 Pahan was spreading Aegis Crypter, a tool for obfuscating malware code and hiding it from antivirus software. But the attacker’s version also included the “undocumented” Trojan RxBot. Another case happened in March 2016: under the name Pahann, the attacker was selling one of the versions of the KeyBase keylogger, which infected customers with the COM Surrogate malware, and then with the Trojans RxBot and Cyborg.

The hacker’s most recent activity was detected on the already mentioned LeakForums, where the attacker began spreading SLICK RAT in June 2016. Experts write that it is impossible to determine exactly how many people were infected by Pahan’s attacks, but note that there is certainly no honor among thieves.

Information added: 09/08/2016 09:41 PM;