Shadow Brokers Now Selling Windows, AV Exploits in New ZeroNet Marketplace

The group calling itself “Shadow Brokers” has apparently decided to start selling Windows exploits and what appear to be anti-virus bypass tools on ZeroNet, a BitTorrent-powered peer-to-peer web platform.

Last year, the mysterious group leaked a series of firewall exploits, implants and other tools that they supposedly had stolen from the NSA-linked Equation Group. In an attempt to cash in on a set of other exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools, the group announced an all-pay auction, but failed to reach the targeted goal.

The group also tried to make money through crowdfunding, setting a goal of 10,000 Bitcoins (roughly $7.8 million at the time), but later decided to sell the exploits directly, for a total of only 1,000 Bitcoins (currently ~$805,000). The group also offered interested parties the option of buying individual exploits. In October, the group released a batch of files supposedly linked to the Equation Group.

Starting last month, the group began directing interested buyers to a website hosted on ZeroNet, where the stolen exploits were put up for sale priced between 1 and 100 Bitcoins (BTC) each (or 1,000 BTC for the entire batch). Files were sorted by type, and buyers were encouraged to contact a Shadow Brokers member to make a purchase.

The group is now advertising what they claim to be Windows exploits and toolkits, including a series of tools that appear to have been designed specifically for anti-virus bypass purposes, security researcher Jacob Williams has discovered. This is the first time the group has advertised Windows exploits; the tools released before targeted firewalls and UNIX systems.

Screenshots the group posted on Twitter suggest the tools were split into two packages, with one of them, called FuzzBunch, containing what appear to be remote code execution (RCE) exploits for IIS servers, the RDP, RPC, and SMB (Server Message Block) protocols, along with supposedly a zero-day exploit for SMB.

The entire batch is advertised for 750 BTC (~$600,000), while the FuzzBunch package can be bought separately for 650 BTC. The Windows exploit set alone is listed at 250 BTC, and the SMB zero-day is priced at 250 BTC as well.

Additionally, the group also appears to be selling bypass tools for “Personal Security Products” from leading anti-virus vendors, including Avast, Avira, ESET, Kaspersky Lab, McAfee, Microsoft, Panda, and Symantec, among others. Whether these bypass tools actually work has not been confirmed as of now.

Previously, the group had released some working tools, which lends some credibility to the new claims. According to a Flashpoint report released in December last year, the data was stolen in July 2013, although file timestamps have been modified, most likely to hinder analysis.

The security researchers also suggested that the files have been copied from an internal system or a code repository, based on the extensive use of Markdown, a markup language commonly used in code repositories. Flashpoint said it had “medium confidence” that a rogue insider was involved in the theft.

“Insiders with access to sensitive information can cause extensive damage, as Edward Snowden proved in June 2013. While the timeline of events shows that this is not directly related to Snowden, the close proximity of events raises the question if there were multiple insiders acting independently during 2013,” Flashpoint said last month.

Related: “Shadow Brokers” Put NSA Exploits Up for Direct Sale

Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

Related: Industry Reactions to Shadow Brokers Leak

Ionut Arghire is an international correspondent for SecurityWeek.
