Si Cyber Intel: Bat9hack Continues To Target Financial Organisations
Mar 2019

Bat9hack is gaining popularity in the underground forums for its fraudulent cyber-antics primarily against large financial organisations. The cyber-criminal is a Russian-speaking hacker registered on a number of Russian and English-speaking dark forums. Bat9hack is a proficient carder who uses various strains of malware to target large financial organisations and users worldwide. 

Bat9hack’s primary mode of attack, most recently against targets in the US, is money laundering and information fraud, alongside other financial fraud techniques.

Most recently, Bat9hack operated the website federaltaxpay[.]com, which imitated an authorised United States Internal Revenue Service payment processor and lured users into paying through it by offering a 50% discount.

Researchers at the Insikt Group believe that Bat9hack has teamed up with, or operates within, a cyber-criminal group that maintains a number of accounts on dark web forums.

The Bat9hack threat actor was referenced 7367 times across various forums. Of those, 741 references were made in the last 60 days, and a further 5015 references appeared on various InfoSec sources.


Graph shows recent events involving bat9hack
Source: Recorded Future

Insikt Group made the following observations about bat9hack:

  • The actor’s primary modus operandi is fraudulent activities
  • The actor advertised the website federaltaxpay[.]com, which emulated an authorized United States Internal Revenue Service payment processor.
  • The actor operates within a cyber-criminal group that maintains multiple accounts on the dark web forums.
  • There are indicators that bat9hack or members of their criminal group reside in Russia and/or Ukraine.

The timeline below highlights the various fraudulent activities performed by this adversary.


Timeline of fraudulent activities
Source: Recorded Future

Key Indicators

Primary Alias

  • bat9hack

Secondary Alias

    • bat9user01, bat9user1s, blackuser01, bat9user, bat9ha, bat9hacks, bat9hacker, user01, user0133, miewjeg73hader, metyjiag4j6khepa, Topic by Taxess, xack, Identifiers.
    • Jabber:
      • bat9hack@jabber[.]ru
      • bat9hack@jabb[.]im
      • bat9hack@thesecure[.]biz
      • bat9hack@exploit[.]im
      • bat9user@jabbim[.]sk
    • Telegram:
      • @useritaliya
    • Website:
      • federaltaxpay[.]com (currently defunct)
    • Email address:
      • chekercc02@gmail[.]com
      • support@federaltaxpay[.]com
      • wnet_ua@mail[.]ru
      • federaltaxpay.com@regprivate[.]ru
    • Facebook:
      • facebook[.]com/federaltaxpay
    • Twitter:
      • https://twitter.com/federaltaxpay/ (currently defunct)
      • https://t.co/dzNL5vgQCM (currently defunct)
      • https://t[.]co/7o60aaenNA (currently defunct)
    • Twitch
      • twitch[.]tv/bat9hack
    • Skype:
      • Vasya Jjolika
    • IP addresses:
      • 37.48.117.247 (Netherlands)
      • 92.53.96.169 (Russia)
      • 23.218.156.35 (United States)
      • 172.217.1.35 (United States)
      • 23.111.9.35 (United States)
      • 216.58.194.78 (United States)
      • 95.211.16.66 (Netherlands)
    • eBay accounts:
      • https://www.ebay[.]com/usr/andr_id
      • https://www.ebay[.]com/usr/wnet_ua
    • Legal entity:
      • Federal Tax Pay LLC

Risk Mitigation

    Taking into consideration the actor’s multiple attack vectors, including financial and PII fraud, money laundering and the use of malware, Insikt Group recommends the following:

    • Update your security controls (Network and Endpoint) to block and alert on the above Indicators
    • Only file taxes via the official Internal Revenue Service website (irs.gov), or through reputable tax preparation services
    • Payment processors will never provide any discounts. Any service that does should be considered fraudulent
    • Always check suspicious domain URLs via antivirus software
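The first recommendation, blocking and alerting on the published indicators, is easiest to show as a small matcher run over sample log lines. The block below is an added example and is not code from the Si Cyber Intel post or from Recorded Future; the indicator values are taken from the Key Indicators section above, while the log lines, the confidence scoring and the function names are constructed for the illustration. Only the actor's own domain and mailboxes are treated as high-confidence indicators; an IP hit is scored lower because a single address can be shared hosting or a CDN node serving many unrelated sites, so it should be reviewed rather than blocked outright.

```python
"""Match the Key Indicators published above against log lines.

Added example; not code from the Si Cyber Intel post or from Recorded Future.
The indicator values are the page's own; the log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the Key Indicators section, kept in defanged form as published.
DEFANGED_INDICATORS = {
    "domain": ["federaltaxpay[.]com"],
    "email": [
        "chekercc02@gmail[.]com",
        "support@federaltaxpay[.]com",
        "wnet_ua@mail[.]ru",
        "federaltaxpay.com@regprivate[.]ru",
    ],
    "ip": [
        "37.48.117.247", "92.53.96.169", "23.218.156.35", "172.217.1.35",
        "23.111.9.35", "216.58.194.78", "95.211.16.66",
    ],
}

# Assumed scoring: a hit on the actor-controlled domain or mailbox is strong; an IP hit
# is weaker because an address can be shared hosting or a CDN node used by many sites.
CONFIDENCE = {"domain": "high", "email": "high", "ip": "medium"}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'a(.)b', 'hxxp://') back into its live form."""
    return re.sub(r"\[\.\]|\(\.\)", ".", value).replace("hxxp", "http").lower()


def load_indicators(defanged=DEFANGED_INDICATORS):
    """Return {kind: set of refanged values} ready for matching."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str
    confidence: str


def scan_line(line_no: int, line: str, table) -> list:
    """Find every indicator in one log line; subdomains of a listed domain count as hits."""
    text = line.lower()
    hits = []

    def record(kind, indicator):
        hit = Hit(line_no, kind, indicator, CONFIDENCE[kind])
        if hit not in hits:  # one hit per (line, indicator), however often it appears
            hits.append(hit)

    for m in EMAIL_RE.finditer(text):
        if m.group(0) in table["email"]:
            record("email", m.group(0))
    for m in DOMAIN_RE.finditer(text):
        token = m.group(0)
        for domain in table["domain"]:
            if token == domain or token.endswith("." + domain):
                record("domain", domain)
    for m in IP_RE.finditer(text):
        try:
            addr = str(ipaddress.ip_address(m.group(0)))  # rejects octets above 255
        except ValueError:
            continue
        if addr in table["ip"]:
            record("ip", addr)
    return hits


def scan_logs(lines, table=None) -> list:
    """Scan a sequence of log lines (numbered from 1) and return all hits in order."""
    table = table or load_indicators()
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line, table))
    return hits


def summarize(hits) -> dict:
    """Count hits per confidence level, e.g. for alert prioritisation."""
    counts = {}
    for h in hits:
        counts[h.confidence] = counts.get(h.confidence, 0) + 1
    return counts


# Constructed sample log lines (DNS, proxy, mail gateway, firewall); internal hosts are RFC 1918.
SAMPLE_LOGS = [
    "2019-03-05T10:14:02Z dns client=10.0.0.12 query=www.federaltaxpay.com type=A",
    "2019-03-05T10:14:03Z proxy client=10.0.0.12 method=GET url=https://www.irs.gov/payments status=200",
    '2019-03-05T10:15:41Z mail from=support@federaltaxpay.com to=finance@example.org subject="50% discount"',
    "2019-03-05T10:16:09Z fw src=10.0.0.12 dst=37.48.117.247 dport=443 action=allow",
    "2019-03-05T10:16:10Z fw src=10.0.0.13 dst=203.0.113.9 dport=443 action=allow",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

Run against the constructed lines, the scanner flags the DNS lookup of a subdomain of federaltaxpay.com, the inbound mail from support@federaltaxpay.com (once as an email hit and once as a domain hit) and the outbound connection to 37.48.117.247, while the legitimate irs.gov request and the unrelated firewall line produce nothing. The same `refang` step is what lets a team paste indicators straight from a report such as this one into a blocklist without hand-editing the defanged dots.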

    For information about Si Cyber’s services, please contact sales@siconsult.com.

 
