For more than five years a cybermercenary group has seemingly flown under the radar, successfully hacking prominent targets, according to new research by Trend Micro.
In a research paper published Wednesday, Feike Hacquebord, senior threat researcher at Trend Micro, detailed the activities of the group, which he dubbed "Void Balaur." Those activities primarily consisted of cyberespionage and data theft across a variety of countries. While the hackers-for-hire primarily utilized conventional phishing attacks and "seemingly simple" malware such as Z*Stealer and DroidWatcher, they were successful in targeting more than 3,500 victims.
Trend Micro was the first to reveal a more comprehensive picture of this cybermercenary group, which it suspects has been active since 2015. However, Amnesty International released a report last year, as did Deflect Labs in 2019; both reported incidents in Uzbekistan against reporters and civil rights activists.
Following a year-long investigation, Trend Micro researchers discovered an even broader group of targets, including Russian medical insurance organizations and in-vitro fertilization clinics, ATM vendors and mobile telecom companies. The medical targets came as no surprise, Hacquebord said, due to the amount of money and personally identifiable information involved.
While the group includes a Russian-speaking threat actor known as "Rockethack," Hacquebord said it's unlikely Void Balaur is a nation-state threat group. Because the targets are distributed across numerous countries including Russia, Trend Micro attributed the activity to cybermercenaries.
Regarding the attacks on Uzbek-related media and civil rights activists, which began in 2016, Trend Micro researchers found a client was able to buy the mercenary group's services even before they started actively advertising in underground forums. "This shows that Void Balaur is being hired for long-term campaigns, something we have seen for other targets as well," Hacquebord wrote.
Even more alarming was the discovery of Void Balaur's main objective. "Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it," Hacquebord wrote.
Trend Micro has not determined how the group managed to "gather such an extensive array of information, especially with regards to telecom data." With that data, Void Balaur could sell phone call records with cell tower locations, which could reveal who a person had called, the duration of the calls and the approximate location from which they were placed. Trend Micro suspects telecom engineers, or even the telecom systems themselves, were compromised.
Hacquebord told SearchSecurity it's difficult to calculate the group's exact success rate, but he said client reviews that he observed in underground forums are very positive.
One factor to which he attributed that success, despite unsophisticated methods, was the group's use of social engineering. He did not observe the use of zero-day vulnerabilities, but mainly studied the group's phishing campaigns. The research paper cited break-ins to mailboxes at email providers and to social media accounts. In some cases, Hacquebord found Void Balaur could "provide complete copies of mailboxes that were stolen without any user interaction for a higher price."
"The latter is particularly interesting, since it would take unusual circumstances such as an insider threat or the compromise of an email provider's system to be able to offer private data without user interaction," Trend Micro wrote in a separate blog post.
Hacquebord said another hallmark of Void Balaur is how long the group keeps targeting a victim, which can be a very long time. Additionally, he said there were some days when Void Balaur wouldn't target anyone, which could be why no other vendors have reported on it.
Discovering details of Void Balaur was no easy task for Trend Micro researchers, either.
Initially, they were tipped off by a long-term target of Pawn Storm, Trend Micro's name for the Russian cyberespionage group also known as Fancy Bear. The target's wife received a dozen or so phishing emails on her Gmail account. Because there were no Fancy Bear indicators, Trend Micro was able to link the emails to the cybermercenary group instead.
However, Hacquebord said the only insight they gathered in the first six months was four to five indicators; by monitoring their own product feedback data they discovered some targets among their users and customers.
"But we weren't able to go beyond that to get really deep information," Hacquebord told SearchSecurity. "But then in October of last year, somebody used a customer device to access panels that were being used by Void Balaur to send emails to add targets, to delete targets, to access log files, to test phishing links. And then in December, they did it again. They weren't protected by any application, so we could access them as well."
With the vendor becoming more knowledgeable about Void Balaur, it determined the group possesses the necessary tools and resources to attack "high-profile targets."
Trend Micro urged organizations to implement mitigations against Void Balaur. In addition to actionable steps such as two-factor authentication, deleting older messages and employing drive encryption on all machines, Hacquebord said Trend Micro lists more than 4,000 indicators of compromise on its site that enterprises can download.