The xDedic marketplace is selling over 70,000 hacked Servers

Share this…

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

dedicblog_eng_1

xDedic forum login

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.

The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

xDedic - the shady world of hacked servers for sale

Server purchase forum

To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.

In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

xDedic - the shady world of hacked servers for sale

Top countries with servers on sale

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.

xDedic - the shady world of hacked servers for sale

Top 10 sellers – May 2016

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

xDedic - the shady world of hacked servers for sale

SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.

Apparently, there is strong interest in accounting, tax reporting and point-of -sale (PoS) software which open up many opportunities for fraudsters:

Spam and Attacking Tools Gambling and Financial Software POS Software
Advanced Mass Sender
Bitvise Tunnelier
DU Brute
LexisNexis Spam Soft
LexisNexis Proxifier
Proxifier
Spam Soft
Full Tilt Poker
iPoker Network
UltraTax 2010 (2011,..,2015)
Abacus Tax Software
CCH tax14 (tax15)
CCH Small Firm Services
ChoicePoint
ProSeries TAX (2014,2015)
ProSystem fx Tax
TAX Software
2015 Tax Praparation
Tax Management Inc.
Lacerte Tax
PosWindows
BrasilPOS
POS AccuPOS
POS Active-Charge
POS Amigo
POS Catapult
POS Firefly
POS ePOS
POS EasiPos
POS Revel
POS Software (Generic)
POS Toast
POS QBPOS
PosTerminal
POS kiosk.exe
POS roi.exe
POS PTService.exe
POS pxpp.exe
POS w3wp.exe
POS DpsEftX.ocx
POS AxUpdatePortal.exe
POS callerIdserver.exe
POS PURCHASE.exe
POS XPS.exe
POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

xDedic - the shady world of hacked servers for sale

Servers for sale with Point-of-Sale software – May 2016

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless.

Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDFhere.