Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I’ll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.
As I noted in Monday’s story, what’s remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt[dot]com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by archive.org hold some important clues about who’s responsible for selling this product.
At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you’ll see that the registered username attached to that purse is “Ikar.” If we look closer we can see that Ikar’s Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named “Nazar.” (Update: July 11, 10:14 p.m.: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, archive.org cached the old data. The links to the purses above have been changed accordingly.)
Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab[dot]org, secnull[dot]cc and antichat[dot]ru. In these threads, Ikar used the contact address “firstname.lastname@example.org“, while Nazar listed “email@example.com“. Both addresses are associated with forum accounts named “Ikar” and “Renzor” (for examples, see this cached, Google-Translated page from Renzor’s account on antichat.ru, and this cached page from secnull[dot]cc). Nazar’s address is linked to a “Max Lighter” profile on Facebook, but not much more information is available on that profile.
Ikar@core.im doesn’t appear to be connected to anything special, but Nazar’s address was used as the point-of-contact in registering two very interesting domains: reality7solutions.com and uptimer.biz. Looking at the familiar wormhole-like squiggly at the top of reality7solutions.com, I noticed it was very similar to the rotating icon (youtube.com video) used by the Styx pack.
Reality7solutions.com’s homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers is a public company that specializes in IT outsourcing. Hoovers says the company provides “software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland.”
The ICQ number listed on the homepage of reality7solutions.com belongs to a Website design professional from Khmelnitsky, Ukraine named Stanislav Shangin. If we look at Schangin’s personal page where he lists all of the Web sites he’s been hired to create, we can see he designed both styx-crypt[dot]com and reality7solutions.com, among dozens of other sites. Shangin did not respond to requests for comment.
I felt like I’d hit a dead end with Shangin, so I had a look at the other domain registered to firstname.lastname@example.org — uptimer.biz. This is a site designed to help companies monitor if and when their sites go offline for any reason. Its homepage features a clickable icon that takes you to Nazar’s aforementioned Webmoney account, Z317426476957. The site is registered to a Nazar Stodolya in Ukraine. A pair of job ads posted at free-lancer.net by a Nazar Stodolya using that same email@example.com address appear to have been seeking someone to help with the uptimer.biz site. But I suspect that Nazar Stodolya is just a pseudonym (taken from an old Soviet-era film by the same name).
Digging deeper on the contact page of uptimer.biz revealed an ICQ number – 102566867. According to the profile page for that ICQ address, the account belongs to a “Maxim,” a self-professed computer-addicted, xtreme programmer” who uses the nickname “FonMax,” and lists fonmax.km.ua as his homepage.
The “KM” in Km.ua is the subdomain used by the Khmelnitsky region of central Ukraine (where our developer friend Shangin is from). Fonmax.km.ua is registered to a Maxim Gavryuk from Khmelnitksy. Max’s Livejournal blog, fonmax.livejournal.com, includes several photographs of him, and almost 100 blog posts spanning several years. Likewise, an account for “FonMax” at Russian developer forum ecomstation.ru lists a Maxim Gavryuk as its owner.
It turns out that Maxim and Stanislav Shangin (the designer of styx-crypt[dot]com) hang out socially and are friends; check out the following screen shot, from a post on Max’s LiveJournal blog from June 14, 2009 entitled, “Essay on How I Spent My Weekend, or Birthday Report.”
But what about Nazar? I didn’t see a user named “Nazar” on Maxim’s LiveJournal friends list, so I checked out Shangin’s friends. Sure enough, a LiveJournal account by the name “Nazar” was among Shangin’s 198 friends.
Nazar’s profile page doesn’t list his real name, but says he lives in Kiev, Ukraine and uses the email address firstname.lastname@example.org, and the ICQ account 21205001. As it happens, that same yandex email address was used to create a Facebook profile for one Alexander Nazarenko. Apparentlly, Nazar is also an experienced Web designer.
Back to Maxim (Ikar?) for a second: One of Max’s LiveJournal posts (via Google Translate) is particularly interesting. In Aug. 2011, Max posted about the Livejournal.com domain getting knocked offline from a denial-of-service attack (recall that uptimer.biz — one of two sites registered to Shangin’s buddy Nazar is a service designed to let you know if your site is offline). The post begins with the picture of a large security guard who looks like a bouncer. At the end of that blog entry, Max suggests that perhaps Livejournal should consider hiring someone to protect them from distributed denial-of-service (DDoS) attacks, and he mentions one operation in particular: antiddos.biz. He even offers to provide invite codes for those who are interested in the service.
If you didn’t take a look at the Renzor/Ikar’s post at antichat.ru that I linked to above, look at it here. Notice that the post was published around the same time as Maxim’s 2011 post about the LiveJournal outage, and begins with the same photo of the beefy security guard. In it, the poster is advertising “Reality Guard,” a “bulletproof hosting” service designed to protect companies from denial-of-service attacks.