Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

MuslimCrypt and Clickbait


MEMRI talked up a report on a new “steg” program allegedly being offered and “used” by da’esh, which was then picked up by Wired (or, more to the point, someone from MEMRI called Wired offering a story on a slow news day) touting the new scareware booga booga booga that the jihadis are using STEGO ERMEGERD! Of course steganography (hiding a message inside another file, which is concealment rather than encryption) has been around all along and, as Wired alludes to, it was even used by UBL back in the day. That stego exists is nothing new; this particular program, maybe. The problem I have with this assessment and the story sold to Wired is that there is no visible evidence of this software actually being used, and in fact nowhere on the net can the actual software be found for download.

So yeah, it is not in every da’esh cyber toolbox, kids, and if anything it may be an op trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack history. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more, but I am not going to do that for this, so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence, what I am saying is that they have “no history” and thus, to me, should be looked at as cutout accounts created to drop this software and nothing more. This is an important piece of the puzzle too, but it seems MEMRI is more interested in selling subscriptions and getting into Wired than in being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all, nor the zip file, anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor to any of the other places you would think these guys would want to put it so that the jihadi masses can securely talk, right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop meant to entice people to download it in-line on Telegram, in the hope that the account (MuslimTec) would work as a form of watering hole attack. We see this kind of thing all the time in the hacking world, and many of those attacks are carried out by more sophisticated actors. In this case the only places the file can be seen are Hybrid Analysis and VirusTotal, and even there there are only one or two submissions of the file for testing. In all of these cases the files are not available for download, so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd, and to me it smacks of one of two things:

  1. MEMRI got played
  2. This was an op by a nation state actor looking to own some jihadis

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums, nor being saved and re-uploaded for wider use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid Analysis in January as well as on March 4th, 2018. The VT upload happened in February 2018, so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) is the only one to have done so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. Some of the re-used code snippets are in German, so I could go either way on this one. Could be a German who did the coding, or just someone who knows some German and worked from re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in, but it has nothing to do in a sandbox because no actual keystrokes are made there
  5. Whoever compiled this has a PC name or a folder name on their system of “SultanEasy” with “SultanEasy-2”, which, ya know, kinda sounds all code-wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. With that in mind, consider that this was a slip-up on the part of the coder and that this project folder name is a code name.
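For anyone who wants to pull this kind of artifact out of a sample themselves: a project folder name like the one above is usually sitting in the CodeView “RSDS” debug record that the compiler writes into the binary (signature, GUID, age, then the full path to the .pdb file on the developer’s box). The script below is an added example, not the post’s tooling and not the MuslimCrypt binary: it scans a blob of bytes for RSDS records, validates the path, and reduces it to the folder names worth searching for. The sample blob and its path are constructed for the demo; only the SultanEasy / SultanEasy-2 folder names come from the sandbox findings, and the user name, GUID and rest of the path are made up.

```python
"""
Build-path leak extraction: find CodeView "RSDS" debug records in a Windows
binary (or a raw memory dump) and turn the embedded PDB path into search
pivots such as project or user folder names. Added example using only the
standard library; the sample blob at the bottom is constructed.
"""
import re
import struct
import uuid

RSDS = b"RSDS"  # CodeView 7.0 signature, followed by GUID (16), age (4), path

# Folder names that say nothing about the author; everything else is a pivot.
GENERIC_FOLDERS = {
    "users", "documents", "projects", "source", "repos", "obj", "bin",
    "release", "debug", "x86", "x64", "anycpu",
}


def find_pdb_paths(blob):
    """Return [(guid, age, path)] for every plausible RSDS record in blob.

    Scans raw bytes instead of walking the PE debug directory, so it also
    works on packed samples, memory dumps and partial sandbox drops.
    """
    found = []
    pos = 0
    while True:
        idx = blob.find(RSDS, pos)
        if idx < 0:
            break
        pos = idx + 4
        path_start = idx + 4 + 16 + 4           # signature + GUID + age
        nul = blob.find(b"\x00", path_start)
        if nul < 0:
            continue
        try:
            path = blob[path_start:nul].decode("ascii")
        except UnicodeDecodeError:
            continue                            # random "RSDS" bytes, not a record
        if not re.fullmatch(r"[A-Za-z]:\\.+\.pdb", path, flags=re.I):
            continue                            # not a Windows path to a .pdb
        guid = str(uuid.UUID(bytes_le=blob[idx + 4:idx + 20]))
        age = struct.unpack_from("<I", blob, idx + 20)[0]
        found.append((guid, age, path))
    return found


def pivot_terms(pdb_path):
    """Folder names worth searching for, in path order (drive and file dropped)."""
    parts = [p for p in re.split(r"[\\/]", pdb_path) if p]
    folders = parts[1:-1]
    return [
        f for f in folders
        if f.lower() not in GENERIC_FOLDERS
        and not f.lower().startswith("visual studio")
    ]


def analyse(blob):
    """One-call summary: (path, age, pivots) per RSDS record found."""
    return [(path, age, pivot_terms(path))
            for _guid, age, path in find_pdb_paths(blob)]


# Constructed sample: a fake PE-ish blob with a decoy "RSDS" string and one
# real record. The path is hypothetical; only the SultanEasy folder names
# echo what the sandbox report showed, the rest is invented for the demo.
SAMPLE_PATH = (b"C:\\Users\\dev\\Documents\\Visual Studio 2015\\Projects"
               b"\\SultanEasy-2\\SultanEasy\\obj\\Release\\MuslimCrypt.pdb")
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + b"RSDSnotarecord\x00"                      # decoy: no drive letter, no .pdb
    + RSDS
    + uuid.UUID("0f8fad5b-d9cb-469f-a165-70867728950e").bytes_le
    + struct.pack("<I", 2)
    + SAMPLE_PATH + b"\x00"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for path, age, pivots in analyse(SAMPLE_BLOB):
        print(f"PDB path : {path}")
        print(f"age      : {age}")
        print(f"pivots   : {pivots}")
```

On the constructed sample this yields the pivot list ["dev", "SultanEasy-2", "SultanEasy"], which is exactly the set of terms you would take to a search engine or a code-hosting site. On a real sample, run it over the dropped executable and, if you have one, the sandbox memory dump; a path pointing at the default Visual Studio project tree, as here, also tells you the builder did not bother to strip debug info, which fits the "cobbled together" read above.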

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history, and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad, and MEMRI seems to have fallen for it, or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steganography the go-to covert comms method for jihadis today? Yeah, no.

Nice clickbait though.

Derp.

K.

 

UPDATE: I was sent this by <REDACTED>. It is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies, and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists
