He calls himself Triangulum, and with his partner-in-crime, he is a shining example of how rogue communities network, collaborate and innovate.

Have you ever heard of the Triangulum galaxy? According to Wikipedia, it can be spotted under exceptionally good viewing conditions with no light pollution and perfect eyesight. Its light spreads across a little more than a pinprick in the unmagnified sky.

Back on earth, another type of Triangulum (Latin for “triangle”) is also difficult to spot: a threat actor who goes by the same name in several dark net forums and who has, over the past two years, demonstrated an impressive track record of developing a network of partnerships, making investments and distributing malware to potential buyers.

Triangulum started his journey at the beginning of 2017 by joining hack forums in the dark net. Initially, he exhibited some technical skills by reverse engineering malware, but closer analysis of these initial efforts revealed his amateur origins.

Journey into the Triangulum galaxy

According to the dogged researchers at Check Point, Triangulum released his first work on June 10, 2017: a mobile remote access trojan (RAT) targeting Android devices and capable of exfiltration of sensitive data from a command-and-control server, destroying local data, and at times even deleting the entire OS.

Four months later, Triangulum offered his first malware for sale. He then vanished for approximately a year and a half, with no evident signs of activity on the dark net, only to resurface on April 6, 2019 with another product for sale.

From this point on, he was very active, advertising different products over a six-month span. During his time in hibernation, it appeared that Triangulum had set up a high-functioning production line for the development and distribution of malware upon reentry in the dark net.

Further investigations found evidence that Triangulum was collaborating with another threat actor named HeXaGoN Dev, who specialized in the development of Android OS malware products, in particular RATs.

Starting out merely as customers, Triangulum and HeXaGoN Dev became collaborators, tapping their potent combination of programming/hacking skills and social marketing expertise. The two subsequently produced and distributed multiple malware variants for Android, including cryptominers, keyloggers, and sophisticated P2P (Phone to Phone) MRATs.

Introducing a brand new malware

Then came the pair’s next creation: a malware called Rogue that became part of the MRAT family (Mobile Remote Access Trojan). This type of malware can gain control over the host device, exfiltrate any kind of data such as photos, location, contacts, and messages, modify the files on the device and download additional malicious payloads.

When Rogue malware successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to eliminate. If all of the required permissions are not granted, it will repeatedly ask the user to grant them.

The malware then registers itself as a device administrator. If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the hearts of users appears: “Are you sure to wipe all the data?”

Rogue malware adopts the services of the Firebase platform (a Google service for apps) to disguise its malicious intentions and masquerade as a legitimate Google service. The Firebase services are used as a command-and-control server, so that all of the commands that control the malware and all of the information stolen by the malware are delivered using Firebase’s infrastructure.

The story of the Rogue malware is an example of how mobile devices can be exploited. In this research, Check Point found a fully active market for mobile malware thriving on the dark net and other related web forums.

DarkMarket takedown

Similar to Triangulum and his partner, other threat actors are perfecting their craft and selling mobile malware across the dark web. However, the authorities have had their eyes on these cybercriminals for some time, too. Only recently, DarkMarket, the world’s largest illegal marketplace, was taken down by Europo

According to Paul Prudhomme, Cyber Threat Intelligence Advisor, IntSights, such sites are key enablers that facilitate networking, collaboration and trades. “Such exchanges are critical to cybercriminal operations because few criminals rely exclusively on their own resources, and many do not actually use the data that they steal. Most cyber criminals rely to varying degrees on tools and infrastructure that they acquire from other criminals, and many earn their money by selling the results of their attacks to other criminals, rather than using it themselves. It is unclear to what extent the shutdown of this dark market will impact cybercriminal operations, beyond the near-term disruption to its current users.”

Rest assured, new dark web marketplaces WILL eventually emerge to replace those that have been shut down, and the sophisticated hackers simply migrate over to these and other forums. Nevertheless, the arrest of one of the DarkMarket website’s operators and the seizure of its infrastructure may yield useful investigative leads for law enforcement to use for ensnaring the site’s individual users—something that may have more enduring impact going forward.

“The website’s use of infrastructure in Ukraine and Moldova is not surprising, as many criminals prefer to host infrastructure in those two countries that they perceive to be relatively safe from law enforcement,” Prudhomme noted.