Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Your One Stop Shopping For A New Identity in the Darknet


I was surfing the high digital seas of the darknet the other day and came across a couple sites that I thought were interesting and would share with you all. The first site is an emporium that sells a little of everything but mostly drugs but in their “forgeries and counterfeit” section I came across some goodies in their internal search engine. Primarily what I am going to bring you today kids is how you too can buy forged documents in the darknet to start a new life somewhere in the world. Watch now as I unfold to you this tale of tradecraft and OPSEC….

PSA: Ok ok, yeah buying this stuff in the darknet is likely to have one of three outcomes..

1) You pay and you get nothing.

2) You pay and you get arrested when you pick up the package.

3) You pay, you get the package, and then are arrested trying to use the documents.

SO DON’T TRY THIS AT HOME KIDS!

Right, back to the whole buying fake documents and how to use them thing! So if you do want to have an alternate identification you can attempt to use the documents being sold in the darknet, but you have to do your leg work too. See, if you want a real and lasting identity (other than your own) then you have to do this slowly and carefully. Much of this really relies on the quality of the documents as well as the backstopping you will need to do in order to have at least a chance of using them effectively. The first thing you will want to do is get an SSN that is clean, and with the way things are so interconnected now, it may be harder today than it was in the recent past to get a clean one that is age appropriate to you.

Yes, they are tagged by age you know…

Used to be a day when you could go all “Day of the Jackal” and find someone who was approximately your age in a cemetery who had died young. You could then get the birth certificate (buy it) and then use that to start the process. Now, today that may be harder, but if you are like me, it may be something that they did not digitize yet (old), so you could either get a new SSN card by paying for that one as well, with the birth cert and likely another ID like a driver’s license (which you can purchase in the darknet too), and you have a real one. Or, you could get this person’s SSN and just have that used on the fake card you want to buy in the darknet. Either way, you are backstopping the identity by doing this and thus may even pass a cursory investigation by the likes of the police.

An alternative to this would be to just pick someone whose data you have and start there with their SSN on a new card along with a driver’s license and such. It really depends on how deeply you want to go though. See, what is being sold on this particular site is really geared more to creating a quick ID to use for fraud (carding, creating new bank accounts, etc.), which to me is less of a challenge than actually having a backstopped and living second identity that you can use to just disappear with if need be. But to have such a thing you have to maintain it all as well as get the right documentation and quality of product.

If you are going to create a second or even a tertiary identity then you will need all these kinds of documents as well as the odd ones shown above, such as bills with your name and address on them to start accounts. Those accounts should include a residence, an apartment say, and should be maintained with actual mail and traffic that can be verified as existing if you are going long term. Bank accounts with actual funds should be created, as well as credit accounts that should be maintained and used to show a past history too. Basically you have to live that identity to some extent yourself to keep it alive and functional. I know, it’s a pain in the ass, but if you want to really do it, well, you gotta have some responsibility here. This all would also include creating your own legend and potentially more paper trail such as some W-2s etc. if you are going for the full Monty.

Some of you I can tell are thinking “fuck that” … Ok, well, up to you.

Anyway, there is a lot to this that I am not going to lay out for you, as that might be bad. Suffice to say that you get what you pay for in the darknet, so be careful and remember Caveat Emptor. There are many places to buy this stuff but just as many that are either federal fronts or scammers looking to just take your bitcoin and run.

Be careful out there… and you never saw me.

K.

P.S. If you are good at graphic design you can likely just make some of this stuff yourself.

Just sayin.

Written by Krypt3ia

2017/12/15 at 20:59

The 2017 Krampus List!


A personal note from Krampus

HELLO children, it’s that time of the year again when Uncle Krampus comes to from a long whiskey-induced somnambulist coma to bring you all the beatings you all deserve! This year while I slept you all managed to continue to stoke the fuckery fires, so much so that Krampus feels a little singed from the white hot stupid you all have wrought. Whether it be the INFOSEC community at large or the government and corporate entities, you all have managed to fuck things up pretty god damned epically! So sit down and prepare for a CAT5 cat-o-nine cable flailing for your INFOSEC SINS!

I know I will enjoy it…

*Takes out flask and takes a long pull of 12 year old Whiskey*

Cheers fuckers!

UBER:

Oh Uber, it seems when you are not fucking over your non employee “drivers” you found the time to cover up a hack and pay a ransom to boot! WOW you fuckers are a real bunch of assholes aren’t you!? Krampus has a special place in the DATA LAKE OF FIRE for you all to spend eternity in! I mean it takes a special kind of company and corporate governance to do all these things AND to steal IP from another company!!

WOW… Just WOW.

I suppose I may have to fight my cousin Lucifer to have custody of you but I think he will understand I have primacy on this one because INFOSEC.

 EQUIFAX:

Equifax…. Oh Equifax… YOU HIRED A MUSIC MAJOR WITH NOT ONE LICK OF SECURITY EXPERIENCE TO BE THE CISO?

REALLY?

YOU GOTTA BE FUCKING KIDDING ME!

HOLY FUCK you guys are going to the DATA LAKE OF FIRE too! What kind of special finishing school does the CEO have I wonder? YOU FUCKS ARE RESPONSIBLE FOR ALL OUR WOES TODAY!

Ok ok ok, I can’t hang “President Trump” on you but JESUS FUCK! I mean come on! YOUR WHOLE BUSINESS IS PREDICATED ON PROTECTING THE PCI AND PII DATA YOU FUCKERS AND YOU HAD ADMIN/ADMIN AS THE PASSWORD TO THE FUCKING DMZ BOX THAT THE HACKERS USED TO GET TO THE BACK END! FUCK THAT THEY DIDN’T EVEN NEED THE BACK END BECAUSE YOU WERE SAVING ALL THAT DATA IN THE FUCKING DMZ UNENCRYPTED!

An abattoir is too good for you you fucking asshats…

 DOD:

*squints and looks balefully*

The Department of Defense.. You do know that you are responsible for the “defense” of things right? WELL WHAT THE FUCK ARE YOU DOING PUTTING THE INTEL IN THE S3 BUCKET UNSECURED???

DO YOU EVEN INTERNET BRO?

I am sure though the Russkies and the Chinese thank you for your “efforts” and laugh as they plumb the depths of the RED DISK

Fuckwits.

 THE NSA:

*sigh*

The “National Security Agency” … Krampus isn’t feeling too secure this year with all the shit you guys lost. I mean Krampus has watched in horror as your shit was used to attack EVERYONE because you were all too busy getting hard-ons and masturbating to pwning shit while NOT PAYING THE FUCK ATTENTION TO YOUR OWN SIX!

Ok ok ok, there may be a mole but JESUS FUCK with that contractor who took a METRIC SHIT TON OF CLASSIFIED DATA HOME AND SNOWDEN WHAT THE FUCK ARE YOU GUYS DOING IN COUNTER INTEL?

SPEND SOME FUCKING CYCLES ON SECURING YOUR OWN SHIT AND STOP FUCKING US ALL OVER!

 THE CIA:

*peers at the Wikileaks VAULT 7*

WHAT THE FUCK IS WRONG WITH YOU PEOPLE AND ALL THESE FUCKING SILLY CODE NAMES!

CUT IT THE FUCK OUT!

Oh, and stop losing shit too! Do some counter intelligence shit guys!

 WIKILEAKS:

Jules.. Baby.. I AM GONNA FUCKING COME OVER THERE AT 4 THE FUCK IN THE MORNING AND PULL THAT FUCKING FIRE ALARM MYSELF YOU RUSSIAN APPARATCHIK!

 THE INFOSEC COMMUNITY:

Here’s where Krampus is gonna make the children in the community moan and wail… Giggity.

LOBBYCON:

Right, ok, let Krampus get this straight.. You go to a security conference just to hang around the lobby because you couldn’t get a ticket and even if you did, the con sucks anyway but you wanna hang around the lobby and fuck around getting stupid drunk…

WHAT THE FUCK IS WRONG WITH YOU PEOPLE?

Look, if you want to go to a conference great. If you get bored, fine go hang out in the lobby or for fucks sake go explore the city you are in! But FOR FUCKS SAKE DON’T BUY A HOTEL ROOM AND AIRFARE TO JUST GO SIT IN A FUCKING LOBBY LIKE A HOOKER YOU IDIOTS!

READ A BOOK!

GO OUTSIDE!

DO SOMETHING ELSE THAN BE A FUCKING POSER IN THE LOBBY!

It’s just sad…

 The CULT OF SECURITY PERSONALITY:

Security Rock Stars…. You people are just fucking deluded. The height of this shit came this last summer I hear when someone got popped by the FBI and suddenly everyone was fighting “the man” because this guy couldn’t have done anything because he is an INTERNATIONAL SECURITY ROCK STAR HERO NEWLY MINTED!

Then you look into his history and you say one fucking word that maybe he did it and JESUS FUCK YOU ARE A BAD BAD PERSON AND OMG YOU SHOULD BE EXCOMMUNICATED!

Fuck you all.

Very much.

WAKE UP AND GROW UP YOU FACILE MINDED FUCKWITS!

COMMUNITY SEXUAL PREDATORS:

Krampus has a special place for all you fuckers. You know who you are…. And now so does the general public!

 AJIT PAI:

YOU, YOU FUCKING TRUMP TOADIE FUCK! YOU NEED TO EAT A BAG OF IoT DILDOS AND CHOKE ON IT YOU FUCKING CHOAD!

Krampus is watching you and all your little corporate friends who are gonna wreck Net Neutrality you fucks.

A reckoning will come.

 EUGENE:

DA! YOU KGB FUCKER! 

So, lost that market share yet? Krampus can’t wait until you are finally caught “red handed” with data you guys were mining with your AV product in the Shadowbrokers shit.

TWITTER:

Krampus has a special place in his BLACK BLACK HEART for you Twitter and especially you @Jack. Your fuckery around the whole POTUS account especially deserves a special room of ass poking with a rather large IoT dildo which has a special API to the internet for all the kids to control and abuse.

Fuck you.

Oh and for all the NAZI apologist shit too.

 FACEBOOK:

Zuck, Zuuuuuuuck, YOU FUCKER! You win the asshole prize every god damned day. THANK YOU FOR FUCKING UP THE ELECTION WITH YOUR SHITTY ALGOS AND FUCKED UP SALES IN RUBLES, IN FUCKING RUBLES! TO THE TROLL FACTORIES THAT FUCKED THE ELECTION.

ASSHOLE.

I hope those Hawaiians you are fucking out of their land rise up and slay you.

 VERIZON:

Krampus looks forward to the next breach report with you in it!

“Trusted source”

BAAAAHAHAHAHAHAHAAHAHAHAHAHAHAHAHA

DELOITTE:

2FA or GTFO you idiots! COME ON!

Welp, that’s it kids… I am sure the lamentations from the community section will be sufficiently amusing. Krampus could have gone on more but really, there isn’t enough whiskey in the world to make that happen.

Till next year.

K.

Written by Krypt3ia

2017/12/05 at 19:54

Posted in KRAMPUS

Halloware Ransomware On Sale Now


I was paging through the new sites on the darknet from the spider and this page popped up. Upon opening it I saw the evil clown and thought RED ROOM but instead it’s a site offering a new-ish ransomware package by a person(s) calling themselves TNCYBERSQUAD or as I later found out a Turk with the handle of LUC1F3R. So the site says you can buy this new and undetected malware for a mere 40 bucks lifetime! They even give a scan on nodistribute that shows the executable not being detected by any of the AV vendors out there now. I poked around the site and checked the page listed in the clown image and found that their landing page for collection on their ransom is not fully operational. I could not get the link to their bitcoin system to work nor would the site render all the images either.

I expanded my search to see if I could use the hash from the nodistribute session and got no love at all on this. Of course the exe and the hash are brand new, with the actual dates on the testing and the offerings for this malware being from 11/30 to today. The only problem I have with this is that I cannot verify the sample as something that would not be seen as clean, because the hash, when searched, turns up absolutely nothing and the executable is not on offer unless you pay them as well as email them. So, this file could be just a lot of nothing in an attempt to scam people into dropping 40 bucks and getting nada.

MD5 HASH: b01230be6e42bf7210ce244ca493a697

I actually put a cutout address into the email on the page and hit send, and as yet I have nothing back from luc1f3r at all. In the interim though, I started looking outside the darknet for more and I found some interesting tidbits. First of which is that when you start looking for Halloware you come up with some YouTube videos and links to a site where this seems to have first been posted as a free download. The file downloaded is not the same as the one offered in the darknet and when run in VT comes up as a trojan.

This site is pretty open to just giving up contacts and the malware so I think this is just proof of concept and now they have moved on to application and monetization. I may go down the rabbit hole more on the email addresses and other details there but for now I don’t see this ransomware as a real threat to much of anybody unless the sample gets out and is then used by the masses. When I began looking at the code of the darknet site and links in other places I came up with another site outside the darknet that mirrors the hidden site but has some interesting code.

These guys are collecting IP addresses too

Anyway, I watched all the YouTube videos and basically Luc1fer shows how you can hide the malware as a file etc. in broken English on a text pad. He shows an IP address too and generally has crappy OPSEC.

All of this stuff seems predicated on a python script and some manipulation, so I am not sure how they claim there is no programming knowledge needed to create the malware, but ok dude. I know that ransomware is all the rage but honestly this one seems kinda weak and maybe just a scam. I will keep an eye out for another sample though. Until then you may all want to take the hash from VT I pasted in above and add it to your systems to detect it. Luc1fer made the rounds today offering the malware and the darknet link on a bunch of shops, so maybe people will take ’em up on it and send out a blast.

I will update if I see more.

Have fun!

K.

Written by Krypt3ia

2017/12/01 at 18:16

Posted in Malware, Ransomware

Art Forgeries Sold In The Darknet

leave a comment »

Stolen Forgeries:

Surfing the Darknet, as one does, I came across a new site that finally settled a prediction I made a few years ago. The site, “Fisher Shop” claims to be selling forged artworks as well as gold and diamonds. Now, I don’t really care about the diamonds and the gold bullion, but the art is the thing that enthuses me. I think I even once posted a blog about how I thought the Darknet could be used in art forgery, theft, and other machinations to sell stolen or forged artworks. This day has come to pass and I thought I would share it with you all.

The site itself is kinda poorly put together, or renders poorly on my browser for some reason, and thus the text is all messed up pagination-wise and is harder to read. Security-wise the site is secure enough; an onion scan produced no vulnerabilities or leaks of data save for the email addresses that they are providing for contact. Both of the emails are on easily obtainable services like protonmail and sigaint, so there isn’t much there unless you start talking to them and they slip up somehow OPSEC-wise, so at least this seems somewhat professional at the least.

The artwork though is what interests me most of all, but I also will be taking a look below at the bitcoin acct they are using and those who have transferred money to it in the past. First though, the art…

The art works for sale range from old masters to Picasso. Two of the paintings on offer are missing pieces that have been stolen and not recovered yet. The one that intrigues me the most is the Rembrandt piece “Christ In The Storm On The Lake of Galilee”, which was stolen from the Isabella Stewart Gardner museum in 1990 and was being searched for just a few miles from where I live a year or two ago. This work has been missing since 1990 but was claimed to have been seen by a reporter who was taken blindfolded to an unknown location and shown the work unrolled, lit by a flashlight.

Scan of original from Isabella Stewart Gardner Museum of Rembrandt Van Rijn Christ on Sea of Galilee

Image from darknet site. Not whole image of the painting

Now in looking at the image provided by the darknet site alongside the image presented by the Isabella Stewart Museum of the lost work itself, you can see variance in the image already. The colors are not the same and there are subtle differences in the work itself. Also the image that is provided on the darknet is not the whole canvas that was lost in the theft in 1990. The image has no real EXIF data to work with either, so I cannot easily tell if this was a copy from elsewhere on the net. I have hashed the image and will do a bit more searching to see if I can lock it to a specific sample. However, when using image search for this hosted image we get a plethora of hits that are very much like it.

By looking at all of these you can see a great variance in the colors, but most of them have the same cropped image to show you. All of this is just stuff to go down the rabbit hole on, but my main concern here is that this site is offering forgeries, and in some cases forgeries of lost art… Which makes you wonder just who might buy it? In the case of the Rembrandt the cost of the painting for purchase in bitcoins is 7,000 euros, which as of today is $8,331.00! Eight grand for a forgery of a stolen painting! Oh, and this guy claims that he has been doing this for years and not been caught, all the while admonishing the buyer about the security around packages and shipping.

Anyway, the original Rembrandt that was stolen has a 3.2 million dollar reward on it, so I guess eight grand for a forgery of it is a steal huh? Speaking of steal, I started looking through the image search engine for the other paintings on offer and lo and behold, the Raphael on offer was stolen in 1945 and the Picasso went missing in October 2012! So, looking for a forgery of a stolen work? Look no further than Fisher on the Darknet it seems.

Picasso Harlequin Head

Raphael: Portrait of a Young Man

Now where the searches got interesting on the images was with the two listed paintings with original photos: the Frederick H. Clark painting of a cottage in Martha’s Vineyard and the John Bunyon River School pieces, both of which turn out to be photos that originated from PlayTheMove.com, where one can sell artwork and other things. If you look closely at the photos from the darknet forgery site and the images from playthemove they are identical. You can see that there has been some manipulation of the tones (contrast shift), but by looking at the background you can see that the backdrops are the same. So, the forgery site is using these images to show you “forged” paintings on offer. Now the playthemove site claims that these are original paintings for sale. So, either these images were cribbed from playthemove and used on the darknet (which I cannot prove, as the images have been manipulated and the metadata stamped out) or the same people at playthemove have taken second sets of these photos sans the time stamp that we see on playthemove.

Notice identical background folds and lack of time stamp on darknet sample (bottom)

Implies it is an original…

Same folds from playthemove but lacks the time stamp and has been edited (timestamp and curves)

Curiouser and curiouser no? Now the question becomes are the people selling these works on playthemove also trying to sell forgeries of the paintings in the darknet? Or was this just conveniently found online so they decided to use these because really, when you pay for them you will get nothing back? Which at this point one has to ask the question “Will you get anything from these guys?” I mean, caveat emptor in the darknet right? But what if you did get a copy? What if it really came? These two paintings are fairly odd in that they are not commonly known works that people are looking for so it begs the question, did someone have the original and decided to maximize their returns by making copies?

Interesting…. Oh and one more fun fact, they are wanting just a bit more for the fakes than the original sold for on playthemove!

Bitcoins and Wallets:

Next I looked at the bitcoin wallet that they are using on this darknet forgery site. The wallet (1DEKexRrsUadfiLF3gvzMCSMoBkmMHjRhV) has 70 transactions on it and held about 8.10093985 BTC, or the equivalent of $77,201.92, which is a pretty penny indeed. Of course the wallet is empty presently, but that is quite the bit of traffic through there up to Oct 17 2017. The transactions spread out to numerous addresses and I started to go down that rabbit hole with Maltego, but after a while it just became a morass. I may pick at this later on, but the largest set of transactions happened in September of this year:

Overall I have not been able to see this wallet used on other darknet sites and I have yet to run into anything that could tip me off as to who may own the wallet or where else on the darknet it has been used with other entities. So we are back again to the whole idea of forgeries being sold as “forgeries” on the darknet. One has to ask are these being sold to people who will put them in their house or, do you think perhaps the goal here might be to sell these on to those who may try to pass them off as real to unsuspecting buyers in the art world?

This is an interesting conundrum for me because who would you sell a hot forged Rembrandt to? I mean, wow, you would have to then claim you are part of the cabal who stole it and entice someone to buy this highly known piece, stolen in a highly known robbery that the FBI and everyone else is looking for. Now that takes some major balls! Though, in the art theft world and grifter verse, I can see some of them trying to pull this one off. I mean if there were the mythical “collector” who was offered a painting like this, would they take the offer? Ok ok ok, so look at it this way, if you even got the painting in the first place from this site, to be able to turn that eight thousand dollar investment into say, five hundred thousand dollars to an unscrupulous buyer… WIN right?

Interesting… Very interesting.

I will keep an eye on this site and maybe send them an email asking some questions. If I see anything else I will update this piece.

Ciao

K.

Written by Krypt3ia

2017/11/27 at 19:59

Trump Domains Hacked and Shadow Subdomains


Well now, the worm is turning on our old friend trunip ain’t it? It seems that something I was playing with back last April I should have dug deeper into, I guess, because today Mother Jones put up a post on how Donny’s domains had shadow subdomains that all pointed to Russia! Of course in the interim since the post went public two things happened. One, Donny and his people said “We ain’t been hacked! We have the BEST security! Nothing to see here!” and then, rather rapidly, some of the domains started to go down and be unreachable on the tubes today! Well, I did some more digging after reading this Mother Jones post, and while I was not seeing the same IP addresses used in the stuff that was posted today, the malware I was seeing back in April still had some commonalities to ranges in the same region of the world.

Back in 2014 Trump was hacked and credit cards were stolen by the attackers. It seems though that perhaps it wasn’t only credit cards that were taken, but that persistence on the network may have been established as well, along with access to the Trump domains’ registrar account. In the Mother Jones piece they show how subdomains or “shadow” domains had been created with interesting names that usually involved random letters. These domains, once you start looking at them, show a couple of things. First off, that they were all created under the Trump umbrella’s account, and second, that the IPs they pointed to resided in Russia. In looking at these domains myself I noted a few other interesting factoids that I will share here for context.

First off, the hackers used the same registrar as Donny did (more likely his minions) using the “Trump General Counsel” moniker as the owner of the domains;

These domains were registered with GoDaddy and then pointed to other IP addresses later on. Also, the two samples I pulled at random both show being created in 2009, on 5/22/2009 to be precise. So the question for me is this: were these created by the Trump org themselves as a means of stopping domain squatting, or were they owned (Trump networks) earlier than we assumed from the Mother Jones article? It is kinda hard for me to think that Trump and his org would have been creating domains such as donaldtrumppyramidscheme.com to prevent squatting. Trump ain’t the sharpest marble on the internets and certainly Barron wasn’t an uber hacker back then, right? Curiouser and curiouser, but maybe they were being overly litigious and decided to take up all the permutations, right?

So, looking at the IP addresses that the domains were pointing to also adds some interesting context here…

When the domains were created they sat on Godaddy from 2009 to 2013 when the IP changes. In the case of both of these domains on GoDaddy, the IP has a long storied history of having bad actors attached to it.

…But that is GoDaddy for ya right? They aren’t the cleanest of the orgs out there so meh. However, in 2013 the IP was redirected as Mother Jones showed to another IP; 184.168.221.41 which is also a GoDaddy IP. Now, looking at this IP in VT and in ThreatCrowd, you can see it also has a pretty dirty history as well.

So was the change made by Trump or GoDaddy? Or was this change made by the actors in 2013 to a host they owned in GoDaddy? Now, historically I am not able to see the malware history for the IP or the domain name for 2013, which would be a nice feature for VT and ThreatCrowd to offer, right? Anyway, the point is not all of the addresses were pointed to the Russian addresses in the Mother Jones piece. Over the whole of the domain space it is likely that the IPs used by the actors who had access to the Trump registrar account were not only focused on the Russia space as C2s go. In fact the second sample I pulled also was changed to another GoDaddy IP that has some dirty history as well.

So maybe these were moves by the trump org or maybe it was the attackers moving these around per their needs for each campaign? Inasmuch as I can tell many of these domains never had sites attached to them and were in fact just parked domains. However, in the case of donaldtrumprealty.com I see a lot of action moving this around the globe for IP pointers over the years. So what is the deal with that? Looking at the Wayback Machine for this domain shows the following activity over the years.

It’s been parked since inception but that parked page has some redirects and popups to potential scams. What does this all mean? Well, that Trump has not been paying attention to his domains and that what has been laid out is exactly the case. The only thing I can maybe say is that the activities have been going on longer than we are led to believe in the Mother Jones piece from the samples of IP changes I have seen in Domain Tools. If that is the case what else has been going on with Trump domains and perhaps their internal networks?
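The pattern described above, subdomains created under the organisation’s own registrar account that later get repointed out of its IP space, is something a defender can check against a registrar or passive-DNS export. The following is an added example, not code from the post: it audits a constructed CSV export (hostnames under the placeholder example-org.com, RFC 5737 documentation addresses) and flags random-looking labels, records resolving outside the netblocks the org is assumed to control, and records that started inside that space and were later repointed outside it.

```python
"""Audit a passive-DNS style export for 'shadow' subdomain records.

Added example, not from the post. Input format, hostnames and netblocks
are constructed (example-org.com, RFC 5737 documentation ranges).
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export: hostname,ip,first_seen (ISO date). Not real data.
SAMPLE_EXPORT = """\
hostname,ip,first_seen
www.example-org.com,198.51.100.10,2009-05-22
mail.example-org.com,198.51.100.25,2009-05-22
shop.example-org.com,198.51.100.40,2011-02-01
xk3qz9p.example-org.com,198.51.100.90,2009-05-22
xk3qz9p.example-org.com,203.0.113.77,2013-08-14
v7tq2mfa.example-org.com,203.0.113.78,2013-08-14
realty.example-org.com,198.51.100.41,2009-05-22
realty.example-org.com,192.0.2.200,2016-08-02
"""

# Netblocks the organisation is assumed to control or have sanctioned.
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

VOWELS = set("aeiouy")


def looks_random(label, min_len=6):
    """Heuristic for generated labels: letters mixed with digits, or a long
    label with almost no vowels. Ordinary dictionary words mostly pass."""
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    if letters and digits:
        return True
    if not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def in_expected_space(ip, nets=EXPECTED_NETS):
    """True if the address falls inside one of the sanctioned netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_export(text):
    """Return export rows sorted by hostname, then by first_seen date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: (r["hostname"], r["first_seen"]))


def audit(text, nets=EXPECTED_NETS):
    """Return one finding per suspicious hostname with the reasons:
    - random_label: leftmost label looks machine-generated
    - outside_expected_space: resolves to IP space the org does not own
    - repointed: started inside expected space, later moved outside it
    """
    history = defaultdict(list)
    for row in parse_export(text):
        history[row["hostname"]].append(row)

    findings = []
    for hostname, rows in sorted(history.items()):
        reasons = []
        if looks_random(hostname.split(".")[0]):
            reasons.append("random_label")
        inside = [in_expected_space(r["ip"], nets) for r in rows]
        if not all(inside):
            reasons.append("outside_expected_space")
        if inside[0] and not inside[-1]:
            reasons.append("repointed")
        if reasons:
            findings.append({
                "hostname": hostname,
                "ips": [r["ip"] for r in rows],
                "first_seen": rows[0]["first_seen"],
                "last_change": rows[-1]["first_seen"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f["hostname"], ",".join(f["reasons"]), "->", " ".join(f["ips"]))
```

Run against a real export, the same function lists every hostname that merits a look at the registrar account’s change log, which is the question the post keeps coming back to.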

See, this is the question that the Trump admin will not want to touch with a very long pole, but it may also lend credence to the DNS stuff that was happening with the Alpha servers as well. If there was traffic going on that was amiss, and it was perhaps, as others suggest, spam traffic, then maybe it was indeed the same actor using their domains and network systems to route traffic and not a secret plot against America, huh? We do know that Trump Hotels had been popped back in 2014/2015, as they have admitted it. What we really don’t have any idea of is the level of compromise that occurred and whether or not they were able to get the intruders out of the network. What I am seeing here is that maybe they did not, and in fact the adversaries used them for even more things.. And it may still be going on.

Imagine that kids… Trumps networks owned and he may still be using them for things while in the White House?

*shudder*

Just remember that Ivanka and Jared were using that secret email server on that personal domain too!

Anyway, there are over 3k domains and I am not spending all that time on all of them to track the IP changes over the years. Others can do all that leg work if they want to. For me, this just shows that there may be much more that has happened with Trump networks and domains than we are aware of. Russian IP space does not imply KGB or GRU access, but let’s just spin it this way: we know that the Russians use the criminal hacker groups to do their work as well as the actual operators from KGB and GRU, so there is that. If the actors were using these shadow domains for malware deployment, they may also have used them for other activities, right? Maybe propaganda spam? Other stuff? Who really knows, right?

As for the malware involved with the cited IPs and URLs, we see .zip files that are only detected by one or two vendors on VT (Kaspersky being the one continually). I am told that the files were in fact not zip files but jar files and Java infrastructure to deploy malware. Which malware? Well, no one really knows at the present time that I am aware of. I could not get a sample of the alleged zip files, and all the domains were non-responsive and not in the Wayback Machine to gather, so there is that. It could be that these guys were using this infrastructure for Locky or they could have been passing out RATs, so until we have some solid telemetry and samples it is, once again, hard to say what went down. The interesting bit is that most of the RU IP space I looked at all had stuff going on last August.

Just in the middle of the election huh?

Hmmmm….

Welp, I am done looking at this for now. You kids have a look and lemme know what you all see. Just remember to ask this one question; “Just how compromised are Donny’s networks today?”

K.

Written by Krypt3ia

2017/11/03 at 15:12

Posted in Malware, TRUMP

The Philosophy of Rick & Morty: Szechuan Ricksauce


Recent events with McDonald’s and Mulan Szechuan sauce have steered me down the philosophical path and I feel that a post on these events might be in order. I myself have been feeling like Rick Sanchez C-137 lately and I think a lot of that has to do with the state of the world today. Another reason is really kind of encapsulated in Rick’s comments to Beth in SE03E09 of The Adventures of Rick & Morty. To wit my “I drink and know things, because I know things I drink” moment.

Beth: Am I evil?

Rick: Worse. – You’re smart. – When you know nothing matters, the universe is yours. – And I’ve never met a universe that was into it. – The universe is basically an animal. – It grazes on the ordinary. – It creates infinite idiots just to eat them, not unlike your friend Timmy.

Beth: Tommy.

Rick: Yeah, it hardly matters now, sweetie. – You know, smart people get a chance to climb on top, take reality for a ride, but it’ll never stop trying to throw you. – And, eventually, it will. – There’s no other way off.

The whole kerfuffle with McDonald's and the McNugget sauce being in scarce quantity while not even being connected to the show formally kinda rides on the whole Nihilist precepts that Rick holds himself. What's even more interesting is that most of those who were flocking to Mcee Dee's to get the sauce had no clue about the meanings behind the whole season three premiere of Rick and Morty at all because, and this is my Rickian opinion here, they are all the idiots that the universe grazes on.

You see kids, I tend to subscribe to Nihilism/Absurdism/Existentialism myself and lately, oh, since about January 2017, have been sucking on that Nihilist teat tenaciously JUST to survive each fucking day in this universe. My worst fear of late is that I would invent a portal gun and find that in every universe Trump is actually president! But I digress... Ok so yeah, the show, Rick & Morty, is densely populated not only with scifi and humor but also philosophy, and the kids who are watching it by and large I fear just aren't hip enough to get that. I could be wrong though, I mean storming the McDonald's for Mulan Rick & Morty sauce only to be told that there is none is kinda really absurdist poetry to me. I somehow doubt though that McDonald's marketing folks really grokked that when they pulled this stunt.

When the masses of zombie like Rick & Morty fans began to get violent over their lack of Mulan Szechuan sauce and everyone began to pile on McDonald’s it became clear that too many people are just mindlessly watching Rick & Morty not getting the whole cosmic joke that there is no sauce to be had really and that it was not on offer everywhere. I personally would have just laughed and given a hearty belch at the whole thing but then again, I drink and know things right? What the whole episode did for me was finally push that one small piece of belief from my gray matter into a complete state of nihilistic bliss.

If you watch and actually pay attention to S03E01, at the end you see that Rick says it all:


Nothing matters, so I did it for the sauce.

Nothing will change.

Entropy will win out.

The universe is an absurdist play and you can all play your parts.

Or more like Morty…

"Nobody exists on purpose. Nobody belongs anywhere. Everybody's gonna die."

Enjoy the fuckery kids.

Dr. K C-137

Written by Krypt3ia

2017/10/16 at 13:06

Posted in Philosophy

Bluebox2600: It’s Time

leave a comment »

So the other day I posted about some puzzle sites linked together in the darknet by someone calling themselves BlueBox2600. Today I am bringing you their new game site and the creepy imagery and puzzles that are there. Check the site out for yourselves, but I thought it appropriate to pull apart some of the stuff that is there, and having copied the site totally locally I have posted the videos for you on YouTube if you don't want to dare go to the darknets. Inasmuch as this site is supposed to be a puzzle box of sorts, I will tell you now that on the surface of it I am kinda meh. The only really interesting bits are Doors one and four, but you decide for yourselves. The site just went up this week and is fresh, so this may be virgin territory for the Reddit set.

Let’s begin….

Entrance

The entrance has a video that shows what looks to be some hooded figure who brings in a small body and begins to dissect it or gut it. Within the imagery you get a quick flash of the following text below…

I have tried to string this together into a sentence but have yet to make it work. I will say that there are two capitalized letters “On” and “I” and either could start a sentence. I will play with this some more….

Choose your door

Once you enter the “game” you are presented with four doors to choose from…. Below are the videos behind each.

Door One

This starts with a pan of an outdoor scene and a song by Billie Holiday but starts to skip and break up. The scene goes blank and words start to appear on the screen…


Mortus

Dead Man!

The screen clears to the sight of what I liken to Batman’s Scarecrow villain…

It’s at this point that the figure begins to talk and it is garbled at first but clears up. The scarecrow starts talking about stalking a woman…

I saw you with your true love…

I saw you with your child….

I have watched the child…

I have watched your child but some day I may decide to do more…

One day I merely may decide not to follow, not to watch…

I may decide something needs to be done…

Something more vicious…

Whether it be with you or your child….

The face of Scarecrow

So far this is the creepiest and longest of the videos on the site but amazingly the hidden code in the HTML says that it is not the right door. As far as I am concerned it is in fact the right door for creeptastic imagery and sound.

All in all, this video has the most interest for me with the imagery and the strange details it is putting out there for us all to parse. Is this some kind of scary footage you would see on YouTube that would lead to other sites or some kind of creepypasta? I have yet to see anything in the footage to show a link anywhere but I have yet to look at the file itself to see if there is something else there. Are there more things interlaced into the video that you cannot see with the naked eye? Basically the story line of some crazy scarecrow like figure hunting/stalking some poor woman and her kid is disconcerting.

Door Two

Door two is a bit strange…

KITTY CANDY!

Strange shots of a mannequin and yelling about feeding the kitty….

Go watch it... But it is not the right door according to the hidden text in the HTML.

Door Three

Door three’s video is just plain boring to me and the fact that the hidden text in the HTML is telling you that it is the right door kinda makes me wonder what I am missing here. I will see if I can take a look at the file itself and look for interlaced things you can’t see with the naked eye but all this is some rando images of a hokey mask like figure and nothing more.
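Since every door verdict so far comes from text in the page source rather than the video, it pays to pull that text out systematically instead of eyeballing view-source. The following is an added example (my code, not the puzzle site's markup, which is stood in for by a constructed page): it walks the HTML with the standard-library parser and collects comments, text inside elements a browser would not render (the `hidden` attribute, `display:none`, `visibility:hidden`, `font-size:0`), and `<meta>` fields, which are the usual places puzzle authors stash "right door / wrong door" notes.

```python
"""Collect the text a browser would not show: HTML comments, text inside
hidden elements, and <meta> name/content pairs.  Added example with a
constructed page; it assumes reasonably well-formed markup (mismatched
end tags would skew the hidden-subtree tracking)."""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.)", re.I)
# Void elements never get an end tag, so they must not enter the stack.
VOID = {"meta", "img", "br", "hr", "input", "link", "source", "track"}


class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comments, self.hidden_text, self.meta = [], [], {}
        self._stack = []  # one bool per open element: did it start a hidden subtree?

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes such as `hidden` map to None
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]
        if tag in VOID:
            return
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in VOID or not self._stack:
            return
        self._stack.pop()

    def handle_data(self, data):
        # Text counts as hidden if any enclosing element is hidden.
        if any(self._stack):
            text = data.strip()
            if text:
                self.hidden_text.append(text)


def find_hidden(html: str) -> dict:
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return {"comments": parser.comments,
            "hidden_text": parser.hidden_text,
            "meta": parser.meta}


# Constructed sample page, not the puzzle site's actual source.
SAMPLE_PAGE = """<html><head>
<meta name="description" content="choose your door">
<!-- door 1: not the right door -->
</head><body>
<h1>Choose your door</h1>
<p>Four doors. Pick one.</p>
<div style="display:none">the key is behind door three</div>
<span hidden>On I</span>
<p style="font-size:0">tiny text nobody sees</p>
<img src="scarecrow.jpg" alt="Mortus">
</body></html>"""

if __name__ == "__main__":
    for key, value in find_hidden(SAMPLE_PAGE).items():
        print(key, value)
```

Point it at the saved copy of a page with `find_hidden(open(path, encoding="utf-8").read())`. It does not catch colour tricks (white text on a white background) or text hidden by an external stylesheet; those need the CSS resolved, which is a job for a headless browser rather than a parser.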

Door Four

Now, here at door four we have something interesting.. Actually some “things” that are interesting. The footage is a staged scene of a devil or Baphomet figure who is holding some woman in a chair hostage… Poorly. She breaks free of the chair easily all the while screaming about feeling gross from being in the chair and unwashed. However, once this cuts away we have the Baphomet figure holding a giant fan open and this has some interesting things on it in handwritten text…

So once again, the most interesting content is marked as not important, but yet here we have all this stuff on the fan. "You are sleeping" is the clearest thing to see, but under it are esoteric symbols again and names like David Kelly and Steve Mostow and Ian Langford. Now once you start to Google those names you get some interesting things popping up;

Steven Mostow is either a character on Grey’s Anatomy or it is this guy, I am gonna go with this guy because the other name above him is David Kelly..

David Kelly refers to another scientist who was killed which is in turn connected to Ian Langford, yes, another scientist who got whacked. One of 24 scientists alleged to have been killed by some cabal…


Right! So all of these names lead back to conspiracy theories surrounding these doctors' deaths! Interesting and yet NOT the door we want? Something is out of whack here I think.

You can also make out three Bible verses scrawled on the fan;

Genesis 5:3 When Adam had lived 130 years, he had a son in his own likeness, in his own image; and he named him Seth.

Revelation 12:9 And the great dragon was cast out, that old serpent, called the Devil, and Satan, which deceiveth the whole world: he was cast out into the earth, and his angels were cast out with him.

Revelation 20:2 And he laid hold on the dragon, that old serpent, which is the Devil, and Satan, and bound him a thousand years,

All of this is tied back to the esoterica of previous puzzles by BlueBox2600 (oh and yeah, for all you hackers out there BlueBox 2600 come on!) All of this seems to be pointing in the general direction of esoteric beliefs, conspiracy theories and general creepypasta action on the darknet. Hell, there’s even a Fibonacci Sequence on the fan as well!

Mostly I find this stuff to be kind of muddled and not really leading me in any one direction. Maybe there are clues within clues I haven’t seen yet and I will keep looking for a bit. I thought though that this site was worth a gander for you all. If you are in the darknet feel free to slide on over and check it out yourselves… And if you find something new let me know.

K.


Written by Krypt3ia

2017/10/13 at 19:11

Posted in DARKNET, Esoterica