Malware creation has been a quasi-industrial process for years: some develop software modules, others integrate them according to the planned hacking campaign. It has become a well-established business in which everyone has their place. This industrialization has its limits, however, and, as security researchers at Check Point have just observed, a hacker's signature sometimes shows through in his code.
By analyzing malware samples, these experts succeeded in building the profile of a particularly prolific author who specializes in exploiting vulnerabilities in the Windows kernel. By examining a number of key points (the cryptography used, the way constants are declared, the implementation of functions, the structure of the code, and so on), they found this hacker's trace in the malware of a dozen very different hacker groups. An illustrious clientele: it includes state cyber-espionage groups such as APT28 and Turla, as well as top-flight cybercriminals such as GandCrab and FIN8.
In reality, this author is not entirely unknown. He has been noticed several times on Russian cybercriminal forums, where he calls himself Volodya, Volodimir or BuggiCorp. It is not uncommon for him to offer 0-day vulnerabilities on these sites for several hundred thousand dollars. These, moreover, turn up more often in the malware of state actors than in that of cybercriminals. It is probably a question of budget.
In any case, this analysis shows that it is possible to trace a malware developer simply by looking at their coding style, and thereby to get an idea of the groups he is dealing with. An interesting prospect for specialists in "cyber threat intelligence", the experts who seek to identify and understand the different actors of computer hacking.
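As an added illustration (not Check Point's method or code), the script below extracts the kind of style features the researchers mention, such as cryptographic constants, zeroing idioms, prologue shape and helper names, from constructed pseudo-disassembly and scores how similar two samples are; the sample names, instruction lines and feature set are hypothetical.

```python
import re

# Constructed pseudo-disassembly standing in for malware samples (hypothetical;
# not real malware and not Check Point's data). Samples A and B share an author
# style; sample C is written in a different style.
SAMPLES = {
    "sample_A": [
        "push ebp", "mov ebp, esp", "sub esp, 0x40",
        "mov eax, 0x6A09E667", "mov ebx, 0xBB67AE85",   # SHA-256 IV words
        "call check_os_version", "xor edx, edx", "call resolve_api",
    ],
    "sample_B": [
        "push ebp", "mov ebp, esp", "sub esp, 0x40",
        "mov eax, 0x6A09E667", "call check_os_version",
        "xor edx, edx", "call resolve_api", "call helper_init",
    ],
    "sample_C": [
        "push rbp", "mov rbp, rsp", "and rsp, -16",
        "mov eax, 0x67452301",                           # MD5 IV word
        "call GetVersionExW", "mov ecx, 0",
    ],
}

# Well-known algorithm constants let us name the cryptography a sample uses.
CRYPTO_CONSTANTS = {0x6A09E667: "sha256", 0xBB67AE85: "sha256",
                    0x67452301: "md5", 0xEDB88320: "crc32"}

def extract_features(lines):
    """Return a set of style features: crypto used, prologue shape,
    register-zeroing idiom, and the helper/API names that are called."""
    feats = set()
    for line in lines:
        for hexval in re.findall(r"0x[0-9A-Fa-f]+", line):
            algo = CRYPTO_CONSTANTS.get(int(hexval, 16))
            if algo:
                feats.add(f"crypto:{algo}")
        m = re.match(r"call\s+(\w+)", line)
        if m:
            feats.add(f"call:{m.group(1)}")
        if re.match(r"xor\s+(\w+),\s*\1$", line):      # xor reg, reg
            feats.add("idiom:xor-zero")
        if re.match(r"mov\s+\w+,\s*0$", line):         # mov reg, 0
            feats.add("idiom:mov-zero")
        if re.match(r"sub\s+[er]sp,\s*0x[0-9A-Fa-f]+", line):
            feats.add("prologue:sub-sp")
    return feats

def similarity(name1, name2):
    """Jaccard similarity of the two samples' feature sets (0.0 to 1.0)."""
    a, b = extract_features(SAMPLES[name1]), extract_features(SAMPLES[name2])
    return len(a & b) / len(a | b) if a | b else 0.0
```

A high score between samples from unrelated campaigns is the signal an analyst would then examine by hand; a single feature such as a shared crypto constant is never conclusive on its own.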
Source: Check Point