Chapter Twelve: Craigslist ads targeting job seekers in the mid-Atlantic

The QuantumFilament hackers, or one of their customers, post fake job, real estate and car ads to Craigslist. These advertisements have the following common characteristics:

  • Target audience is in Virginia, Maryland, Pennsylvania or Washington, DC
  • Contains no hyperlink and no specific reply instructions
  • Registers with Hotmail or Yahoo e-mail addresses
  • 16 of the 20 unique Hotmail addresses ended in four digits
  • All Craigslist passwords were 10 characters in length, all lowercase, seemingly random letters

Many ads appear to be copies of ads from legitimate companies. The fake ad poster periodically logged into the associated webmail accounts to check for replies to his fake Craigslist ads. In the instances in which this could be verified, no replies were ever sent by the fake ad poster. The poster simply received whatever replies came in, which often included personal information and resumes. I hypothesize whatever personal information is volunteered by responders is reviewed for information that could be sold or exploited in the dark web, such as phone numbers, e-mail addresses, postal addresses, and identity information.

Date | Title | Notes | Craigslist password
(no date) | .NET custom Developer, SSRS Report Developer | |
2015-08-20 | Full-Time Product Specialist – Worcester, PA | A position at Grainger Industrial Supply, a real Fortune 500 company | wriwriamou
2015-08-21 | Accountant / Office Admin | | ueagaijeac
2015-08-21 | Executive Assistant | | huwreslouc
2015-08-22 | Microsoft Office Specialist/Quickbooks Instructor – PT | A position at ASI Career Institute, a real organization | wraiheathu
2015-08-24 | Automotive Dealership Cashier | | wriwriamou
2015-08-25 | Dining Services Captain | | wraiheathu
2015-08-25 | Financial Crimes Lead | A position at Barclaycard US, a large financial institution | sofraicrio
2015-08-27 | Kitchen Manager | A position at Del Frisco’s Grille, a restaurant chain with 22 locations nationwide | wriwriamou
2015-08-28 | Client Services Specialist | A position at Survivors, Inc., in Gettysburg, PA | kianicifri
2015-08-28 | Administrative Assistant I – Immediate | | ueagaijeac
2015-08-28 | Spacious 1br Apartment, New Floor, Fresh Paint | | uaegurioth
2015-08-31 | Legal Secretary-Northern Virginia | | ueagaijeac
2015-09-01 | Front Desk Coordinator | | roclaithou
2015-09-02 | CamRY SHiFtKSh 2000 toYotA | |
2015-09-04 | Renovated Home For Rent/lease, A Quiet Community | | frephaecri
2015-09-04 | Interior Specialist Sales Associate’s – Part Time | A position at Arhaus Furniture, a real furniture store chain | lotastiowr
2015-09-04 | NICEgPrp HoNDa ciVIC LX 2005 | |
2015-09-04 | woRkSzCqAc CamrY 2000 sILVEr TOYotA | |
2015-09-06 | Automotive Sales Consultant – Auto Sales Representative | A position at Frankel, a chain of car dealerships in Maryland | slacihaica
2015-09-06 | 20oo ford ranger lOwEUaXo | |
2015-09-06 | 98 jeep grand cherokee ownErzSoIT | |
2015-09-06 | Administrative Support Specialist Needed! | |
2015-09-06 | Senior Meeting Planner | | roclaithou
2015-09-07 | Safe and quiet neighborhood, comprehensive list or homes | | jadaprouha
2015-09-08 | Assisted Living Administrator | A position at Asbury Methodist Community, a retirement community in Maryland | pheacaeuou
2015-09-11 | Payroll Specialist | A position at Paychex, Inc., a real company | hiolabuvod
2015-09-12 | Dining Server | A position at Brightview Senior Living, a retirement community | lotastiowr
2015-09-12 | Technician / Automotive Mechanic | A position at Mercedes Benz of Owings Mills, Maryland | gelouuouci
2015-09-13 | Finance & Insurance Manager / Automotive Finance Manager | A position at MileOne, Herb Gordon Volvo Subaru, a car dealership in Maryland | pheacaeuou

The following passwords were used to log into some of the webmail accounts. The characteristics of passwords can be used to profile the user behind the activity.

  • wgijzMD22
  • bmoy2Oic5e
  • audoiv19A
  • dyYkt3ca4
  • qLRgdR44lNE
  • wgertUD44
  • erE2fs7f
  • ik4gAg5u
  • vsum0uK4c
  • uckfpJT65

Chapter Eleven: Hackers using Ashley Madison passwords to hack Paypal accounts?

Update: 14.9%, or 8,643 of the 57,819 unique e-mail addresses observed logging into Paypal, were found on Ashley Madison lists. It is clear that the QuantumFilament hackers have other sources of e-mails and passwords to try on Paypal, but the Ashley Madison data, with millions of e-mail addresses and passwords, is likely being used. Users who use the same password on Ashley Madison and Paypal, and have not changed their passwords, are particularly at risk.

Original post

I was reading Andrea Peterson’s article on Ashley Madison passwords, which led me to this Ars Technica article with the top 100 passwords used on the Ashley Madison website. That inspired me to look at my data for the approximately 60,282 login attempts to Paypal, the “financial service” discussed here. From the Ars Technica article, the top 20 passwords used on Ashley Madison are:

  • 123456
  • 12345
  • password
  • 123456789
  • qwerty
  • 12345678
  • abc123
  • pussy
  • 1234567
  • 696969
  • ashley
  • fuckme
  • football
  • baseball
  • fuckyou
  • 111111
  • 1234567890
  • ashleymadison
  • password1

If we marry (pun intended) the Ashley Madison data with the Paypal data, we get some interesting results.

Password | Ashley Madison rank | Paypal attempts rank
123456 | 1 | 1
12345 | 2 | 4
password | 3 | 3
123456789 | 5 | 2
qwerty | 6 | 6
12345678 | 7 | 5
abc123 | 8 | 15
pussy | 9 | 1,473
1234567 | 10 | 10
696969 | 11 | 1,592
ashley | 12 | 33
fuckme | 13 | 164
football | 14 | 11
baseball | 15 | 38
fuckyou | 16 | 62
111111 | 17 | 8
1234567890 | 18 | 13
ashleymadison | 19 | n/a
password1 | 20 | 24

Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).

Password | Paypal attempts rank | Ashley Madison rank
iloveyou | 7 | 42
123123 | 9 | 27
1234 | 12 | n/a
000000 | 14 | 30
654321 | 16 | 26
987654 | 17 | 53
princess | 18 | 94
Exigent | 19 | n/a
hongkong | 20 | n/a

The results don’t correlate perfectly, but it does suggest one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.
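An added example, not part of the original post: the code below turns the two tables above into rank maps, counts how many of the top 20 passwords tried against Paypal appear in the Ashley Madison top 20 and top 100, and computes Spearman's rank correlation over the Ashley Madison top-20 entries that also occur in the Paypal data (ashleymadison never does, so 18 pairs). The rank values are the page's; the function names are mine, and the Ashley Madison map only holds the ranks the tables quote, not the full Ars Technica top 100.

```python
"""Compare password popularity on Ashley Madison with passwords tried against Paypal.

Added example, not part of the original post. The rank values are copied from
the two tables above (Ashley Madison ranks come from the Ars Technica top 100);
passwords the tables mark n/a are simply absent from the map.
"""
from math import sqrt

ASHLEY_MADISON_RANK = {
    "123456": 1, "12345": 2, "password": 3, "123456789": 5, "qwerty": 6,
    "12345678": 7, "abc123": 8, "pussy": 9, "1234567": 10, "696969": 11,
    "ashley": 12, "fuckme": 13, "football": 14, "baseball": 15, "fuckyou": 16,
    "111111": 17, "1234567890": 18, "ashleymadison": 19, "password1": 20,
    # ranks quoted in the second table
    "654321": 26, "123123": 27, "000000": 30, "iloveyou": 42, "987654": 53,
    "princess": 94,
}

PAYPAL_ATTEMPT_RANK = {
    "123456": 1, "123456789": 2, "password": 3, "12345": 4, "12345678": 5,
    "qwerty": 6, "iloveyou": 7, "111111": 8, "123123": 9, "1234567": 10,
    "football": 11, "1234": 12, "1234567890": 13, "000000": 14, "abc123": 15,
    "654321": 16, "987654": 17, "princess": 18, "Exigent": 19, "hongkong": 20,
    "password1": 24, "ashley": 33, "baseball": 38, "fuckyou": 62, "fuckme": 164,
    "pussy": 1473, "696969": 1592,
}


def top_n(rank_map, n):
    """Passwords with rank <= n in the given map."""
    return {pw for pw, r in rank_map.items() if r <= n}


def overlap(rank_a, rank_b, n_a, n_b):
    """How many of rank_a's top n_a also sit in rank_b's top n_b."""
    return len(top_n(rank_a, n_a) & top_n(rank_b, n_b))


def _average_ranks(values):
    """1-based ranks; tied values share the average rank, so rho stays correct with ties."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2  # average of 1-based positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(rank_a, rank_b, keys=None):
    """Spearman's rho over passwords present in both maps (restricted to keys if given).

    The shared passwords are re-ranked among themselves, then Pearson's r is
    taken on those ranks, which equals 1 - 6*sum(d^2)/(n(n^2-1)) when there
    are no ties.
    """
    candidates = keys if keys is not None else rank_a
    shared = [k for k in candidates if k in rank_a and k in rank_b]
    if len(shared) < 2:
        raise ValueError("need at least two shared passwords")
    xs = _average_ranks([rank_a[k] for k in shared])
    ys = _average_ranks([rank_b[k] for k in shared])
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


if __name__ == "__main__":
    print("Paypal top 20 found in Ashley Madison top 20:",
          overlap(PAYPAL_ATTEMPT_RANK, ASHLEY_MADISON_RANK, 20, 20))
    print("Paypal top 20 found in Ashley Madison top 100:",
          overlap(PAYPAL_ATTEMPT_RANK, ASHLEY_MADISON_RANK, 20, 100))
    rho = spearman(ASHLEY_MADISON_RANK, PAYPAL_ATTEMPT_RANK,
                   keys=top_n(ASHLEY_MADISON_RANK, 20))
    print(f"Spearman rho over shared Ashley Madison top-20 entries: {rho:.3f}")
```

On the page's numbers, 11 of the Paypal top 20 are in the Ashley Madison top 20 and 17 are in the top 100, and rho over the 18 shared top-20 entries is about 0.61: a positive but far from perfect correlation, which is what the text says. Most of the shared entries are also the generic "123456"-style passwords that top every leak, so the overlap on its own does not prove the Ashley Madison list is the source; the site-specific entries (ashley, ashleymadison, fuckme) ranking far lower in the Paypal attempts is the more telling detail, and the per-address matching in the update above is the stronger evidence.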

Chapter Ten: Target Skype (updated)

The QuantumFilament network logged into Skype using stolen credentials to send instant messaging spam. The spam was written in the Cyrillic alphabet, and was most likely written in the Russian language.

Stat | Count
Usernames | 5,374
Compromised usernames with passwords | 623
Contacts found | 6,504
Spam messages attempted | 6,340
Spam messages rejected due to rate limiting | 240

From the perspective of the Skype administrators, the login attempts and instant messages would appear to originate from the IP addresses of QF’s hacked routers.

Here is the text of the Cyrillic-alphabet instant messages:


Chapter Nine: The Russian Connection (updated)

So far, this blog has established that a group of cyber operators breaks into home and office routers, and installs software on the routers. I will provide one example of what comes next.

One of the programs installed on the routers turns the routers into a proxy. A proxy is a service that can be used to disguise the original source of network traffic.

The QuantumFilament operators, or one of their customers using QuantumFilament’s network of hacked routers, tried to log into a financial service 16,991 times. The 16,991 attempted logins used 16,971 unique user IDs. The success rate was about 1.33%.

Status | Count
DENIED | 14,712

I have contacted the financial service offering to share my information about the hacked accounts.

The financial service has an Apple iOS mobile app, and the evidence indicates the QuantumFilament hackers or customers are using the same internal API calls as the iOS mobile app to try to log into the financial service accounts. When the hacker’s program tries to log into the financial service, it sends along information about an Apple iOS device. Most likely, the programmer who built the alternative login app copied the template of the real financial service app running on a real Apple iOS device. Here is some of the information sent by the hacker’s login app, common to all 16,991 login requests.

Information | Value
Device | Apple iPhone
Operating system | Jailbreak iOS 9.1
Language setting | ru (Russian)
Country | ru (Russia)
Time zone | Europe/Moscow
Wifi network | ZHK_SU
iPhone name | ZHK
LAN IP address |
Proxy IP |
Proxy port | 8888

The original programmer who reverse engineered the internal API of the financial service likely copied the submission values from the legitimate Apple iOS app, and this iOS app was probably running on a jailbroken iPhone, located in Russia, in the Moscow time zone.
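From the financial service's side, the same pattern is a detection opportunity: one fixed device identity (device, OS, language, time zone, wifi name, phone name) arriving over thousands of different source addresses and trying a different user ID on almost every request is not how a customer's phone behaves. The following is an added example of that check (my code, not the service's detection logic). It assumes the service logs one JSON object per mobile-API login attempt carrying the device fields from the table above; the log lines are constructed here, with RFC 5737 addresses standing in for the hacked routers acting as proxies.

```python
"""Flag mobile-API login traffic that reuses one device identity across many accounts.

Added example, not from the blog and not the financial service's own detection
logic. It assumes the service writes one JSON object per login attempt with the
device fields listed in the table above. The log lines are constructed here;
the RFC 5737 addresses stand in for the hacked routers acting as proxies.
"""
import json
from collections import defaultdict

# Fields that together identify the client device as the login app reports it.
FINGERPRINT_KEYS = ("device", "os", "lang", "country", "tz", "wifi", "name")

# The device identity common to all 16,991 requests in the chapter.
ZHK_DEVICE = {
    "device": "Apple iPhone", "os": "Jailbreak iOS 9.1", "lang": "ru",
    "country": "ru", "tz": "Europe/Moscow", "wifi": "ZHK_SU", "name": "ZHK",
}
# A made-up ordinary customer, for contrast.
HOME_DEVICE = {
    "device": "Apple iPhone", "os": "iOS 9.0", "lang": "en",
    "country": "us", "tz": "America/New_York", "wifi": "HomeNet", "name": "Alice",
}


def _line(user, src_ip, outcome, device):
    """One constructed log record in the assumed JSON-lines format."""
    return json.dumps({"user": user, "src_ip": src_ip, "outcome": outcome, **device})


# Constructed sample log: six attempts with the ZHK identity spread over five
# accounts and four proxy addresses, then three attempts by one real customer.
SAMPLE_LOG = "\n".join([
    _line("user01@example.com", "192.0.2.1", "DENIED", ZHK_DEVICE),
    _line("user02@example.com", "192.0.2.2", "DENIED", ZHK_DEVICE),
    _line("user03@example.com", "192.0.2.3", "ALLOWED", ZHK_DEVICE),
    _line("user04@example.com", "192.0.2.4", "DENIED", ZHK_DEVICE),
    _line("user05@example.com", "192.0.2.1", "DENIED", ZHK_DEVICE),
    _line("user05@example.com", "192.0.2.2", "DENIED", ZHK_DEVICE),
    _line("alice@example.net", "198.51.100.20", "ALLOWED", HOME_DEVICE),
    _line("alice@example.net", "198.51.100.20", "DENIED", HOME_DEVICE),
    _line("alice@example.net", "198.51.100.20", "ALLOWED", HOME_DEVICE),
])


def fingerprint(record):
    """The device identity as a hashable tuple; missing fields count as empty."""
    return tuple(record.get(k, "") for k in FINGERPRINT_KEYS)


def profile_fingerprints(log_text):
    """Per device identity: attempts, distinct accounts, distinct sources, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ips": set(), "successes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        st = stats[fingerprint(rec)]
        st["attempts"] += 1
        st["users"].add(rec["user"])
        st["src_ips"].add(rec["src_ip"])
        if rec["outcome"] == "ALLOWED":
            st["successes"] += 1
    return dict(stats)


def flag_credential_stuffing(stats, min_users=5, min_new_user_ratio=0.8, min_src_ips=3):
    """One device identity, many accounts, nearly every attempt a new account, many sources.

    In the chapter the ratio is 16,971 unique IDs over 16,991 attempts (0.999);
    a real customer retrying a password on one phone gives a ratio near zero.
    The thresholds are illustrative, not tuned against real traffic.
    """
    flagged = []
    for fp, st in stats.items():
        users = len(st["users"])
        if (users >= min_users
                and users / st["attempts"] >= min_new_user_ratio
                and len(st["src_ips"]) >= min_src_ips):
            flagged.append(fp)
    return flagged


if __name__ == "__main__":
    stats = profile_fingerprints(SAMPLE_LOG)
    for fp in flag_credential_stuffing(stats):
        st = stats[fp]
        print(f"{fp}: {st['attempts']} attempts, {len(st['users'])} accounts, "
              f"{len(st['src_ips'])} source IPs, {st['successes']} successes")
```

Two caveats a defender should keep in mind. A shared fingerprint is only a strong signal because the attacker copied a single phone's values into every request; an attacker who randomizes the device fields would have to be caught on the user-ID churn and the proxy-address spread alone, which this function also requires. And the successful logins (the "ALLOWED" records under a flagged fingerprint) are the accounts whose passwords were already known to the attacker, so they deserve a password reset rather than just a blocked session.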

Chapter Eight: Really? A fourth Serverel data center IP hacked by QF?

It’s true. An IP address registered to Serverel made a couple thousand connections, to and from, between 16:13 UTC and 21:41 UTC on 25 August. Time to tell the Serverel NOC.

Update: Serverel responds:

Based on information from this customer, this server is not in use and he really forgot about it, i.e. the server is 100% hacked. Our customer will cancel this server in a few hours and we will power it off next.

Hackers thrive on accessing neglected, abandoned or forgotten computers. With the space, CPU power and bandwidth of a server, without any accountability or expense, hackers can turn forgotten servers into anything–a launching pad for more hacks, storage space for data–anything.

Chapter Seven: More trouble from the SERVEREL data centers

Today, August 25, from 1410 to 1446 UTC, an IP address registered to SERVEREL, a data center or hosting provider based in California, used the QuantumFilament proxy network to access the Tumblr blogging site. Most likely that IP address at SERVEREL is a third IP address at SERVEREL that has been compromised and used by the QF group. How many more IP addresses at SERVEREL have been hacked and are being abused? I could tell SERVEREL about this, but that doesn’t really solve their issue.

Update 1: Serverel has now been informed. I see activity from this Serverel IP going back to August 3. Even if QuantumFilament is kicked out of Serverel, they have hacked into additional data centers/hosting providers worldwide.

Update 2: Serverel writes back:

Many thanks for your report. The address has been used by our customer since June 2012 and I think this server could be compromised. This is a 100% legitimate customer.

Serverel’s emphasis is that there is a live, legitimate customer using this IP, and they don’t want administrators around the Internet to block this IP, thereby blocking the real customer’s connectivity.

Update 3: More from Serverel:

Looks like this server is really in use; we asked the end user to escalate this issue and find out what the reason for this report is.

Interlude: Finding bugs in Wireshark

There are many different areas of expertise in cyber security, and each area is important and distinct. Some people write security policies or handle communications during an incident. Others examine a hard drive and recover lost, hidden or deleted files. Others examine a suspicious binary program and can reverse engineer that program, revealing its function, algorithms and communication protocols.

My particular expertise is the examination of the recordings of traffic traveling on or through a network. Practically all activities online (e-mail, web browsing, social media and voice-over-IP, to name just a few) involve one device communicating with another device, and this traffic can be recorded and analyzed. One of the most common open source software tools to analyze recorded network traffic is Wireshark, and its command line counterpart, TShark.

TShark is very powerful because, like Wireshark, it can parse protocols such as web and e-mail and display this information. In addition, TShark’s output can be easily saved to a file. This output can then be read and processed by additional programs or scripts.

This simplified example uses TShark to read a file called “traffic”, and instructs TShark to output information about any web, e-mail or proxy activity captured.

tshark -r traffic -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e socks.dst -e socks.remote_name -e socks.port -e http.request.full_uri -e ssl.handshake.extensions_server_name -e imf.from -e imf.subject
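To show what the post-processing step looks like, here is an added Python example (mine, not the blog's) that reads the tab-separated output of the command above, with the columns in the order of the -e options and no header row, and summarizes per source address which destination names were reached over SOCKS, HTTP or TLS (via the SNI extension) and which e-mail senders appeared. The sample lines are constructed to look like tshark output; the addresses are documentation ranges.

```python
"""Post-process `tshark -T fields` output into a per-source summary.

Added example, not from the blog. It assumes the tshark command above was run
with the default tab separator and no header row, so the column order is the
order of the -e options. Sample lines are constructed here to stand in for a
real capture; the addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Column order of the tshark command above (one -e option per column).
FIELDS = [
    "frame.number", "frame.time", "ip.src", "tcp.srcport", "ip.dst",
    "tcp.dstport", "socks.dst", "socks.remote_name", "socks.port",
    "http.request.full_uri", "ssl.handshake.extensions_server_name",
    "imf.from", "imf.subject",
]


def _row(values):
    """Build one constructed output line; absent fields are empty, as tshark prints them."""
    return "\t".join(values.get(f, "") for f in FIELDS)


# Constructed sample: one client reaching Tumblr through a SOCKS proxy
# (SOCKS request, then the TLS ClientHello, then a plain HTTP request),
# and a second client sending two e-mails.
SAMPLE_OUTPUT = "\n".join([
    _row({"frame.number": "1", "frame.time": "Aug 25, 2015 14:10:02.000000000 UTC",
          "ip.src": "192.0.2.10", "tcp.srcport": "50321", "ip.dst": "198.51.100.7",
          "tcp.dstport": "1080", "socks.remote_name": "www.tumblr.com", "socks.port": "443"}),
    _row({"frame.number": "2", "frame.time": "Aug 25, 2015 14:10:02.100000000 UTC",
          "ip.src": "192.0.2.10", "tcp.srcport": "50321", "ip.dst": "198.51.100.7",
          "tcp.dstport": "1080", "ssl.handshake.extensions_server_name": "www.tumblr.com"}),
    _row({"frame.number": "3", "frame.time": "Aug 25, 2015 14:11:30.000000000 UTC",
          "ip.src": "192.0.2.10", "tcp.srcport": "50322", "ip.dst": "198.51.100.7",
          "tcp.dstport": "1080", "http.request.full_uri": "http://example.org/login"}),
    _row({"frame.number": "4", "frame.time": "Aug 25, 2015 14:12:00.000000000 UTC",
          "ip.src": "192.0.2.11", "tcp.srcport": "40000", "ip.dst": "203.0.113.5",
          "tcp.dstport": "25", "imf.from": "jobs@example.net",
          "imf.subject": "Re: Executive Assistant"}),
    _row({"frame.number": "5", "frame.time": "Aug 25, 2015 14:12:01.000000000 UTC",
          "ip.src": "192.0.2.11", "tcp.srcport": "40001", "ip.dst": "203.0.113.5",
          "tcp.dstport": "587", "imf.from": "jobs@example.net",
          "imf.subject": "Re: Accountant / Office Admin"}),
])


def parse_fields_output(text, fields=FIELDS):
    """Turn tshark -T fields lines into dicts keyed by field name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows):
    """Per source IP: destination names reached and e-mail senders observed."""
    summary = defaultdict(lambda: {"packets": 0, "destinations": set(), "mail_from": set()})
    for r in rows:
        s = summary[r["ip.src"]]
        s["packets"] += 1
        # tshark joins repeated occurrences of a field with ',' by default.
        for value in (r["socks.dst"], r["socks.remote_name"],
                      r["ssl.handshake.extensions_server_name"]):
            s["destinations"].update(v for v in value.split(",") if v)
        if r["http.request.full_uri"]:
            host = urlsplit(r["http.request.full_uri"]).hostname
            if host:
                s["destinations"].add(host)
        if r["imf.from"]:
            s["mail_from"].add(r["imf.from"])
    return dict(summary)


if __name__ == "__main__":
    for src, s in summarize(parse_fields_output(SAMPLE_OUTPUT)).items():
        print(src, s["packets"], sorted(s["destinations"]), sorted(s["mail_from"]))
```

In practice the tshark output is redirected to a file and this script reads that file instead of the embedded sample; `-E header=y` would add a header line, which this parser would have to skip, and `-E separator=` changes the delimiter. Seen from a hacked router, the SOCKS destination name, the TLS SNI and the HTTP host are the three places the proxied client's real target shows up even when the payload is encrypted.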

Wireshark and TShark are critical tools for this research, so it was frustrating when TShark routinely crashed. Wireshark understands hundreds of protocols and formats used on the Internet, but doing this is not simple, and software bugs are inevitable. Still, I was very frustrated. I could try to work around the crashes, but the situation was definitely not ideal.

Wireshark is open source software, which means any volunteer can modify and fix the source code. But first I had to report the bug. I examined the network traffic files that crashed Wireshark, and tried to look for commonalities. I wanted to tell the Wireshark team why I thought the program crashed. Being unsuccessful, I then constructed the smallest file I could that still crashed the program, and reported the bug to the Wireshark developers.

I was convinced the crashes were due to a bug in the interpretation of the network traffic. But instead, the bug was in something more fundamental. I had discovered a bug in the part of Wireshark that managed system memory. The bug was diagnosed and fixed on the same day, and the Wireshark team issued a security advisory for this memory management bug.

I later reported a more mundane bug that was caused by misinterpretation of Internet traffic. As a result of these fixes, I have to ensure all of my computers run Wireshark 1.12.7 or later.

Chapter Six: Human hands and human minds

Initially, all I could observe of the QuantumFilament group’s activities was the scanning for and hacking of Linksys and Asus routers. I wondered if the scanning was due to a worm, a program that spreads automatically without human intervention. The scanning and method of infection reminded me of the SQL Slammer worm of 2003.

But careful observation proves that QuantumFilament cyber operations are not just about scanning and infecting routers, and it is not accidental. There are human hands and human minds behind the activity.

  • Purpose. The group of hacked routers is used to do other things. A discussion of these “other things” is saved for a later chapter.
  • Long-term operation. The software programs run on the routers have internal version numbers and update mechanisms. The QF cyber operators built technical mechanisms in the code to check for and track different versions of the same program, and to report these version numbers to the command-and-control servers.
  • Adapts to setbacks. The QF cyber operators reacted to the takedown of their server by switching to different servers, more than once.
  • Redundant communication. The .nttpd loader binary version 14 was programmed to communicate to five different command-and-control servers. The QF group only needed one of the five servers to be accessible in order to fully control their hacked routers.

At minimum, the QF operation has “users” that make use of the anonymity and resources provided by the hacked routers; software developers that write and modify the binary programs run on the routers; and operators to maintain the servers and other hacking infrastructure.

Interlude: Balancing defense and investigation

When I first read the Internet Storm Center post revealing the malware program and IP addresses of the QuantumFilament group, I was concerned. This research depends on the QF group’s continued activities, and I was concerned that such a public disclosure would cause the cyber operators to modify or suspend their activities. As it happened, two times over the next week the servers used by QF were shut down, and both times QF migrated to use different IP addresses.

There are pros and cons to disclosing information about an ongoing cyber operation.

Pros to disclosure

  • Provides technical information to system administrators, who can use the information to prevent or detect attacks against their systems.
  • Educates the professional cyber community on offensive tactics and techniques.
  • Creates the possibility for disparate investigators tracking the same threat group to communicate and collaborate.
  • Makes the cyber threat group work harder, as they have to spend time changing their programs, behavior or network addresses.

Cons to disclosure

  • Puts future investigation at risk, because disclosure puts the threat group on notice they are being monitored. The cyber threat group could modify their methods and operations to make future investigation more difficult and costly. Generally any setbacks–and disclosure is a setback–make the cyber threat group smarter. Smarter bad guys are harder to investigate and catch.
  • Disclosure often does not protect average Internet users. Shutting down compromised servers is usually just a brief inconvenience, because most professional cyber groups have a practically unlimited supply of systems and IP addresses they can break into, and use to initiate their operations.

Most professional cyber operations have one of two goals: to steal money or to steal information. Relative to the physical world, stealing money or information in cyberspace has a few distinct advantages:

  • First, the landscape of cyberspace is truly flat. I can just as easily cause trouble around the block as I can cause trouble halfway around the world.
  • Second, the cyber universe is not just flat, but fast too. All computers and devices on the planet that are connected to the Internet can be reached within seconds.
  • Third, it’s far easier to be anonymous in cyberspace. At minimum it requires some paperwork (through a subpoena) to link a cyber identity to a real world identity. If a person takes steps to mask his cyber identity, it can take a lot more work than that to find his physical identity.
  • And fourth, there is no one unified set of laws, let alone people to enforce these laws, in cyberspace. If I find that computers in China and Bangladesh are stealing my company’s information, I may have a hard time finding the authority and expertise, along with the language expertise and political will, to investigate the case.

Basically if someone is bent on doing bad in cyberspace, he or she can do it quickly, do it to a lot more people at once, and do it anonymously. Stealing money and stealing information over the Internet is actually easy, especially if one doesn’t have a specific target in mind. Given this, there are a lot more criminals and professionals doing bad than there are professionals and investigators investigating. For most researchers, who have no legal authorities, public disclosure of what they observe is often the only action they can take.

The Internet Storm Center disclosure ended up giving me, the investigator, a unique look at QF’s reaction to a setback, namely the disclosure and elimination of two of the five IP addresses programmed into the loader binary version 14. In the next chapter, I will use this and other behavior to sketch a profile of this group.

Chapter Five: Disclosure, takedown, and dead like a zombie

The SANS Internet Storm Center is a group of cyber security professionals who volunteer their time, monitor security logs, and publish information to the Internet community. On August 4, Johannes Ullrich published this post discussing the noisy Linksys router scanning of the QuantumFilament (QF) group. It is important to note that the security bug used by QF to break in was disclosed in February 2014, and that anyone can download a copy of some source code over the Internet and try to break in using the same vulnerability. The QF operations of 2015 may, or may not, be conducted by the same people who distributed the Moon worm in 2014.

But software is more distinctive. I knew Johannes was talking about the group I was tracking because his post mentioned the same iptables firewall rules I found in the .nttpd loader binary. Johannes also identified one of the IP addresses as being an active facilitator in the activity. Further, Johannes reported this address to the responsible administrators, who “shut down the affected server shortly after being notified”.

My logs indicate the IP address was online and facilitating QF operations until August 4 at 12:17 UTC. Interestingly, this IP briefly made a zombie appearance and was active for 19 minutes the next day, from 11:02 to 11:21 UTC on August 5.

QuantumFilament was not done with this hosting company, Serverel, quite yet. A second IP address was in the group of five IP addresses programmed into the .nttpd version 14 binary, which was first submitted to VirusTotal in April. This strongly suggests the QF cyber operators have had access to servers at Serverel since April. Beginning at 09:15 UTC August 6, this second IP began to facilitate QF cyber operations, both sending out command and control packets via UDP, and fulfilling download requests of additional QF tools over TCP. I made the Internet Storm Center aware of this, and QF cyber operations from this second IP ceased at 10:27 UTC on August 10.

In the next post, I will explore the pros and cons of publishing information about ongoing hacking and cyber operations.