OffensiveWare Sold on Hacking Forums as Exploit Builder and Next-Gen Keylogger


New hacking tools arrive on underground hacking forums. The latest addition to the malware scene is a new set of hacking tools advertised under the OffensiveWare brand, available as rentable MaaS (Malware-as-a-Service) toolkits, and sold on hacking forums by the same crook who developed the Aaron Remote Installable Keylogger (ARIK) and Ancalog Exploit Builder.

First signs of this new service appeared at the end of August when the hacker behind these tools started posting ads about his new product on HackForums, a popular destination for wannabe hackers.

The ads, which also included presentational YouTube videos, led buyers back to the OffensiveWare website, where they could buy several types of tools advertised under the OffensiveWare brand.

OffensiveWare’s remote keylogger

This list of tools included several variations of an exploit builder for weaponizing Office files (priced at $49, $99, $290) and a remote keylogger that also included a password dumper and screenshot-taking features (priced at $80).

While the OffensiveWare author tried to boost his product by posting screenshots of good reviews he received from previous HackForums buyers, the OffensiveWare Remote Keylogger (ORK) was inferior to many spyware applications currently available on the same forum.

ORK currently includes the ability to steal passwords from email applications, browsers, social networks, and IM clients. Other keyloggers we wrote about in the past supported a larger number of targeted applications compared to ORK, and also supported several other application types, such as Bitcoin wallets and FTP clients.

OffensiveWare’s exploit builder

Nevertheless, putting aside the inferior keylogger, the exploit builder the crook was selling, the OffensiveWare Multi-Exploit Builder (OMEB), provided malware authors with a more useful tool.

According to the OffensiveWare dev, malware authors can use OMEB to create weaponized DOC, JS, HTA, VBS, or CHM documents, which in turn could leverage macros, UAC bypasses, and silent exploits to deliver and install the hacker’s desired malware payload.

OMEB interface


Platforms such as HackForums are mostly populated with low-quality hackers, and you rarely see an exploit builder sold on the site, which is mostly filled with for-hire DDoS services, RATs, and keyloggers.

While OMEB is more unusual than advanced, the builder is simplistic and rather unsophisticated. The same opinion is shared by Fortinet researchers, who didn’t take long to identify various slip-ups in the malware’s mode of operation.

“An inspection of the binary’s strings reveals that this malware [generated via OMEB] has been provided through the OffensiveWare platform,” Fortinet’s Joie Salvio writes. “This assertion is further supported by the fact that the IP address of the package download site is the same as the platform’s official website.”

This means that a sysadmin could block access to the OffensiveWare website and prevent the malware from working altogether.

Professional MaaS services would never have been caught downloading malicious packages from the same server they host their website on. A simple DDoS attack on this server, or a well-placed firewall rule, can sabotage the entire OffensiveWare operation.
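The two indicators Fortinet describes, the brand name in the binary's strings and a package-download URL pointing at the platform's own web host, can be turned into a simple triage check. The following is an added example, not code from the article, Fortinet or OffensiveWare; the marker string, the platform hostname and the sample bytes are constructed placeholders, since the article gives none of them.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed values: the article names neither the exact string nor the domain.
BRAND_MARKER = "OffensiveWare"
PLATFORM_HOSTS = {"offensiveware.example"}

# URL runs are limited to printable, non-space ASCII so a NUL terminator ends them.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Minimal 'strings'-style extraction of printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def assess_sample(blob: bytes) -> Dict[str, object]:
    """Report whether the sample carries the brand string and whether any
    embedded download URL points at a host the platform itself uses."""
    brand_hit = any(BRAND_MARKER in s for s in extract_strings(blob))
    hosts = set()
    for m in URL_RE.finditer(blob):
        host = urlparse(m.group().decode("ascii", "ignore")).hostname
        if host:
            hosts.add(host)
    shared = hosts & PLATFORM_HOSTS
    return {
        "brand_string": brand_hit,
        "download_hosts": sorted(hosts),
        "uses_platform_host": bool(shared),
        # Hosts a sysadmin would block to cut the payload download off.
        "block_hosts": sorted(shared),
    }


# Constructed stand-in for a builder-generated binary (not a real sample).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Generated by OffensiveWare Multi-Exploit Builder\x00" + b"\x00" * 8
    + b"http://offensiveware.example/packages/payload.bin\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    print(assess_sample(SAMPLE))
```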