“Krober.biz” Is Helping Malware Authors Debug Their Code

• A malware code analysis platform is offering “thorough checking” services for people who need them.
• This includes the identification of flaws, the removal of backdoors, and the fixing of vulnerabilities.
• There are rumors and some evidence about former members of the Krober.biz team being behind GandCrab and REvil.

There is an abundance of cyber-crime operations and services offered on the dark web today, which can be seen as a sign of the field's economic size. KrebsOnSecurity focuses its latest report on “Krober.biz,” a Russian-language malware security site (on clearnet) that’s operated by “Redbear.” Redbear offers to help malware creators fix flaws in their code, remove any backdoors that may be present on a tool that was bought from somewhere else, or simply find and remove vulnerabilities that can result in reverse engineering or takeover from white-hat hackers.

Redbear’s team can examine the code of the following things:

• bot admin panels
• code injection panels
• shell control panels
• payment card sniffers
• traffic direction services
• exchange services
• spamming software
• doorway generators
• scam pages

Most of the time, crooks who create and sell malware tools are planting a backdoor in them to keep track of how and where their creation is used. In many cases, they intervene in the most critical time, taking control of the malware remotely and reaping the fruits of their buyers’ “hard work.” Redbear can find these backdoors and unroot them from the code so that the person who has bought something on the dark web can be sure that it’s clean.

As proof of what they can do, the platform has published several blog posts analyzing popular malware tools, such as the Anubis banking trojan. Redbear presents multiple errors the panel code of the widely used Android malware and makes a point about the importance of using robust exploit tools, no matter if they're free or paid.

As Krebs details, there are rumors about former members of the Krober.biz analysts being the actors who eventually went on to create the GandCrab and REvil ransomware strains and RaaS programs. The researcher mentions the nicknames “UNKN,” “Vivalamuerte,” “Lebron,” and “upO.” The last two nicks were connected with the operation of “exploit[.]in” between 2013 and 2016 - a popular Russian cybercrime forum. Some monikers and identities may overlap, but the anonymous sources of this information have declined to share any actual details with the researcher since they were involved in the initial funding of the GandCrab ransomware as well. That said, the above is somewhere between substantially based suspicions and unattributed claims.

As for the “Krober.biz,” the website is holding a controversial role right now. If paid by research firms or entities that want to protect against malicious software, it could help them uncover exploitable flaws in the code of malware tools. If paid by threat actors, it would help them make their tools invincible and harder to stop. Usually, the case is the latter.