Mysterious hacker has been selling Windows 0-days to APT groups for three years


For the past three years, a mysterious hacker has been selling Windows zero-days to at least three cyber-espionage groups, as well as cyber-crime gangs, researchers from Kaspersky Lab have told ZDNet.

The hacker’s activity reinforces recent assessments that some government-backed cyber-espionage groups –also known as APTs (advanced persistent threats)– will regularly buy zero-day exploits from third-party entities, besides developing their own in-house tools.

APT groups believed to be operating out of Russia and the Middle East have often been spotted using zero-days developed by real-world companies that act as sellers of surveillance software and exploit brokers for government agencies.

However, Kaspersky’s recent revelations show that APT groups won’t shy away from dipping their toes in the underground hacking scene to acquire exploits initially developed by lone hackers for cyber-crime groups, if ever necessary.

What happened to BuggiCorp?

The hacker that Kaspersky Lab experts say has been one of the most prolific vendor of zero-days is known as Volodya, but some of our readers will recognize him from a previous nickname the threat actor used circa 2016.

Back then, using the nickname BuggiCorp, the hacker made heaadlines across tech news sites after putting up for sale a Windows zero-day on the infamous cyber-crime forum.

At the time, the ad was a shocker because you’d rarely see a hacker advertise Windows zero-days on such a public forum, with most of these transactions happening in private.


Image: Trustwave

While BuggiCorp had to drop his initial asking price several times, from $95,000 to $85,000, he eventually sold the zero-day to a cyber-crime group, and the ad helped the developer establish a reputation.

BuggiCorp used this reputation to set up a dedicated clientele and continue to sell other zero-days in private, some with prices going as far as $200,000, according to Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, the company’s elite APT tracking unit.

Since then, Kaspersky’s GReAT team has been tracking the hacker under the codename of “Volodya,” a nickname the hacker sometimes left behind in their exploit code.

Hacker sold zero-days to at least three APTs

“Volodya is a prolific exploit developer and zero-day seller that we have been tracking since 2015,” Raiu told ZDNet in an email conversation last week.

“Volodya is short for ‘Volodimir,’ which is the nickname that appears in some of his work,” Raiu said. “Our observations indicate Volodya is fluent in Russian, although likely of Ukrainian origin. Volodimir is also not a Russian name, but Ukrainian.”

“Volodya appears to be the author of the exploit for CVE-2019-0859, that we reported to Microsoft in March 2019,” the Kaspersky researcher added.

This zero-day, now patched, was abused by at least two APTs –namely FruityArmor and SandCat– according to fellow GReAT team member Vicente Diaz, who also touched on Volodya’s history of selling zero-days in a recent webinar.

While most of these shady dealings have most likely taken place in private, Diaz said the Kaspersky team has been tracking Volodya by analyzing exploit code they’ve seen during recent attacks.

“[FruityArmor and SandCat] are different groups because we see them with different targeting, different goals, different interests,” Diaz said in a Kaspersky webinar on 2019 Q1 APT trends yesterday.

“But it looks like they have the same provider. Our hypothesis here is that probably they are getting their resources from the same vendor [i.e., Volodya],” Diaz said.

But CVE-2019-0859 is just the latest zero-day that Kaspersky has pinned on Volodya. Another one is CVE-2016-7255, also a Windows vulnerability, which both Raiu and Trend Micro researchers linked to the activities of the the infamous Fancy Bear Russian APT (also known as APT28, Pawn Storm, Sednit, Sofacy, or Strontium), mostly known for being one of the two Russian hacking groups that perpetrated the 2016 DNC hack.

Raiu tells ZDNet that CVE-2016-7255 is just one of the several other zero-days that Volodya has sold over the years to APT groups, but that the hacker has also continued to work with low-end cybercrime groups, which have, too, been buying and using some of these zero-days as well.

Volodya linked to one-day exploits as well

Furthermore, Raiu said that “in addition to zero days, Volodya is also developing exploits for patched vulnerabilities, such as one-days, or exploits for older vulnerabilities, that are considered stable and reliable and could still work for unpatched machines.”

For all intents and purposes, Volodya appears to have made from zero-day and exploit development a career choice and has attached quite the portfolio to his name already.

Furthermore, with a price tag of $200,000 for a Windows local privilege escalation zero-day and an established list of clients ranging from government intelligence agencies and cyber-crime gangs, Volodya could very well be in charge of his very own team of developers or exploit-brokering company, a theory that cannot be dismissed at this point, in the lack of more palpable details.

Related malware and cybercrime coverage:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *