A security firm hacked malware operators, locking them out of their own C&C servers

This’ll put a smile on your face: We love hearing stories of bad actors getting their comeuppance. This one is great, though, because not only did a bunch of hacker wannabes get served (literally), several of them infected themselves with malware due to misconfiguring their own equipment.

Cybersecurity startup Buguard has been hard at work hacking hackers. Using an exploit it found, it has disrupted malware and ransomware servers, locking out their operators. TechCrunch notes that the firm has effectively taken five command-and-control (C&C) servers offline, four of which have gone entirely dark.

The counterattacks were made possible after the source code of a malware called Mars Stealer leaked online. Mars Stealer is a malware-as-a-service platform where hackers can rent server time to conduct attacks. Once the source code leaked, hackers started setting up servers independently rather than paying.

Before Buguard even got ahold of the code, inept hackers were already doing a decent job borking their servers on their own because of faulty installation instructions leaked with the code.

Victim logs and stolen data were entirely wide-open to the internet. According to Morphisec, wannabe malware operators following the flawed instructions wound up configuring their C&C servers to inadvertently grant “full access (777)” to the world. In some instances, the would-be hackers’ ineptitude left “critical assets” exposed.

Then Buguard came along and looked at the Mars Stealer source code and found a vulnerability. The researchers developed an exploit for the flaw that allowed them to break into the C&C servers, including ones that operators configured correctly, and take them over.

Once in the system, Buguard deleted the victim logs and stolen data and severed the infected computers’ connection to the C&C server. To add insult to injury, the researchers scrambled the Mars Stealer’s dashboard passwords so that the operators were locked out of their systems. The counterstrikes effectively put five servers out of commission since operators had to start over entirely from scratch reconfiguring their servers and reinfecting their victims. Of the five C&C systems Buguard took down, only one came back online.

While it is great to hear about hackers getting a taste of their own medicine, what Buguard did was not entirely legal, shifting its white hat to gray. Technically, it is illegal to break into any computer system, regardless of its use, unless you are in law enforcement and have a warrant. The general rule of thumb in security research is to look, document, and report, but do not touch.

However, Buguard plans to involve authorities and help them take down more servers. In the meantime, it is not publishing any details of the vulnerability, which also exists in a similar malware called “Erbium,” so the black hats don’t know what to patch.