The Shadow Brokers, a notorious hacking group that leaked several hacking tools from the NSA, is once again making headlines for releasing another NSA exploit—but only to its “monthly dump service” subscribers.
Dubbed UNITEDRAKE, the implant is a “fully extensible remote collection system” that comes with a number of “plug-ins,” enabling attackers to remotely take full control over targeted Windows computers.
In its latest post, the hacking group announced a few changes to its monthly dump service and released encrypted files from the previous months as well.
Notably, the September dump also includes an unencrypted PDF file, which is a user manual for the UNITEDRAKE (United Rake) exploit developed by the NSA.
According to the leaked user manual, UNITEDRAKE is a customizable modular malware with the ability to capture webcam and microphone output, log keystrokes, access external drives and more in order to spy on its targets.
The tool consists of five components—server (a Listening Post), the system management interface (SMI), the database (to store and manage stolen information), the plug-in modules (allow the system capabilities to be extended), and the client (the implant).
Snowden Leak Also Mentions UNITEDRAKE
UNITEDRAKE initially came to light in 2014 as a part of NSA’s classified documents leaked by its former contractor Edward Snowden.
The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.
- CAPTIVATEDAUDIENCE is for recording conversations via the infected computer’s microphone
- GUMFISH is for covertly taking control over a computer’s webcam and snap photographs
- FOGGYBOTTOM for exfiltrating Internet data like browsing histories, login details and passwords
- GROK is a Keylogger Trojan for capturing keystrokes.
- SALVAGERABBIT is for accessing data on removable flash drives that connect to the infected computer.
New Terms for Shadow Brokers Monthly Dump Service
The Shadow Brokers is now only accepting payments in ZCash (ZEC) from its monthly subscribers, rather than Monero since it uses clear text email for delivery, and has also raised the rates for exploits, demanding nearly $4 Million.
The group demanded 100 ZEC when it started its first monthly dump service in June, but now the hackers are demanding 16,000 ZEC (which costs $3,914,080 in total) for all NSA dumps. Zcash currently trades at $248 per unit.
Those who want to gain access only to the September dump that includes the new NSA malware files need to pay hackers 500 ZEC.
The Shadow Brokers gained popularity after leaking the SMB zero-day exploit, called Eternalblue, that powered Wannacry ransomware attack that crippled large businesses and services around the world in May.
After that, the mysterious hacking group announced a monthly data dump service for those who want to get exclusive access to the NSA arsenal, which they claim to have stolen from the agency last year.