New BlackOS Software Package Sold In Underground Forums

We recently came across this particular post in an underground forum:

Figure 1. Underground forum post

This particular post in Russian was advertising a new product, known as “BlackOS”. Contrary to the name, it is not an operating system. However, it is definitely “black”, or malicious: it is used to manage and redirect Internet traffic from malicious/compromised websites to other malicious sites.

These types of products are not new in underground communities – for example, Brian Krebs talked about the similar iFrameservice.net site almost two years ago. Even BlackOS itself is not completely new. It is a new version of the earlier “Tale of the North” software, described by security researchers in September 2013.

Capabilities of BlackOS

BlackOS and other similar packages are designed to automate the process of managing and exploiting websites easier. This allows a cybercriminal to squeeze out the most profit from his victims. It has a web interface which is used to manage the web traffic and its different features. It can cope with high volumes of Internet traffic, and inject iframes and redirect traffic as specified by its user.

Here are some of the features of BlackOS, as stated in an advertisement in underground forums (as translated from the original Russian):

1) Implement the optimal model of converting traffic. Distribute and installs on geo user agent;
2) Get a unique opportunity to refuse to sell iframe traffic ;
3) Automatically detect PR domains , links and implement an effective impact on the issuance of search engines ;
4) Get a fast , stable and socks5 private lists for any of your software, requiring the use of proxy;
5) Sort the list of accounts as fast as possible ;
6) Upload any of your scripts with verification . Pour shells and mass execute commands on them set / code cleanup , eval (), system (), sendmail and check antiDDOS ;
7) Perform a vulnerability scan on your servers
8) Proccess the parsing Databases of remote CMS

New features for managing accounts, along with a powerful SEO tools and interface as intuitive novice webmasters and professionals allow us to hope that BlackOS take its rightful place on your work space.

BlackOS is not particularly cheap. It costs $3,800 a year; a reinstall/rebuild costs $100. For cybercriminals on a budget, basic configurations (16GB of RAM, octacore CPU, and SSD storage) can be rented for $100 a month. (The creators of BlackOS only accept payment in Bitcoin, Litecoin, or Perfect Money.)

One of the features of BlackOS is integration with online scanners that check if a website is already blocked by various security solutions, as seen below:

Figure 2. Online scanner
(Click image above to enlarge)

As we mentioned earlier, BlackOS appears to be an updated version of the previous Tale of the North package. One may ask why, then, is it being sold as “new” software? For that, we have to look into the Tale of the North and its author, Peter Severa.

Peter Severa and the Tale of the North

Peter Severa, who uses the handle Severa in various underground forums, began as a spammer as far back as 2003. He has used various spam botnets to send spam, including the Waledac and Kelihos botnets – in fact, he is currently facing criminal charges relating to his use of the latter. This has not scared him, though: to this day he is still active in the underground.

His ICQ and Jabber accounts are well-known to the underground community; he also had a Webmoney account at one time, although that account was banned. We believe that the now-banned account was used by another “handle”, which was actually Severa hiding his identity. We also believe that Severa has a new Webmoney account.

Severa wrote Tale of the North to manage the web traffic coming from users clicking links in his spam emails. For example, he could redirect users to various websites based on their geographic location.

Recently, however, there appears to have been a dispute between Severa and other people involved with Tale of the North. According to the following underground forum post, Severa left the project and the other “contributors” have continued under the BlackOS name:

Figure 3. Underground forum post
(Click image above to enlarge)

A partial translation of that post follows:

BlackOS previously sold as North Tale. We had a team and there was a conflict, and I closed the project. The system is now marketed under the name BlackOS, and I have nothing to do with it now. I make no claims to manager/BlackOS; all conflicts between us completely settled and I wish him success in his future development and sales of the software. It ‘s a really cool product that is unparalleled in the market, which required a decent number of man-years of development

We don’t know much about who’s selling BlackOS now. His Jabber account is publicly known (so would-be clients can contact him), and he also goes by the handle manager. Beyond that, his identity is unclear.

What about Severa? He hasn’t left the underground community. He is now running two active affiliate programs—both named partially after himself: SevPod and SevSka—that spread spambot malware.

In February, Severa was advertising SevPod in forum posts, like this one:

Figure 4. SevPod advertisement
(Click image above to enlarge)

A partial translation follows:

I want to introduce you to your new project – a private affiliate for substitution issue, {affiliate program URL}. I managed to make a really long-lived substitute, and your download will bring you income for many months, even after you stop shipping. Unlike other substitutions, I have bids for virtually all countries. Of course, miracles do not happen, and you will get the maximum revenue from the US, Canada, Australia, UK, Western Europe, but the third world countries will be bring you a steady income for a long time to! 95% of the money that I get for clicks from feed providers, I’m pay for your your ads.

The about page for SevPod goes on:

… is the latest revolutionary affiliate program by substitution SERPs. We get maximum bids from our feed providers, 95% of the funds we receive we give to our clients. Convert clicks from almost all countries of the world. We also use more modern methods of monetizing traffic, such as pay per user activity on the site, pay per view and interactions with different content. Unlike click bot traffic, we use live traffic, so our traffic is much more expensive, and will bring you income for a long time.

From these posts and sites, it is clear that Severa is still involved in the traffic redirection business and spam, although one could say he is focusing more on the “business” aspect of cybercrime than the technical aspects.

The information we gathered in this post was taken from various underground sources, although all of it was essentially public. We urge any law enforcement agencies investigating Severa or the creators of BlackOS to reach out to us, as we have additional information that is not part of this post.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New BlackOS Software Package Sold In Underground Forums