The Wolf in Sheep's Clothing – Undressed
Despite the breaches of both Hacking Team and FinFisher, the government malware industry remains a shady market. Because of the secrecy involved, it becomes increasingly complicated to follow the technologies these companies use and their modus operandi. That lack of transparency can be beneficial when one works with government-related operations. However, it can also benefit any profit-driven actor who notices the potential for easy income in such market conditions.
During our daily monitoring, we found a fake "Google Chrome Update" landing page, which we believe is used by Wolf Research in their spyware campaigns. The page was designed to infect Windows, iOS and Android devices. Soon afterwards, we were surprised to find a publicly open control panel server. This open C&C gave us the opportunity to collect a variety of valuable data: details about the malware, photos and audio recordings from the testing phones, victims' data, and a store of database backups of the control server itself. After analysing these findings, we concluded that this company appears to be reselling commercial spyware as government espionage spyware.
Despite the surprisingly poor quality of the company behind these products, we have seen it do business with serious companies in the legal malware market and even with a government-related institution. Oblivious to the state of its own operational security, the company relies simply on making a good impression on potential customers.
This presentation will disclose some of the work and the achievements of a peculiar German company.
Peter Kruse, Head of CSIS eCrime Unit, CSIS security Group A/S