Void Balaur – Cybercrooks For Hire Target High-Profile Individuals And Organizations

by | November 20, 2021 | Cybersecurity News

A presumably Russia-based cybercriminal group, called Void Balaur, is available for hire and steals sensitive data on organizations, political leaders, activists, and any other high-profile target.

The Russian-language threat gang, also tracked as Rockethack, is a prolific cyber-mercenary group available for hire to hack into email and social media accounts of high-profile targets worldwide.

Countries in which Void Balaur email targets were located (companies were targeted via corporate email addresses; individuals were targeted via private email addresses). Credit: Trend Micro

After keeping an eye on Void Balaur for more than a year, Trend Micro has published a report that found over 3,500 of the group’s targets.

“Our research revealed a clear picture: Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,” the Trend Micro report wrote.

Researchers reported that the group could often provide total copies of mailboxes stolen without the assistance of the targeted user for an additional premium fee.

Void Balaur’s Malicious Activities Date Back To 2015

The analysis explained that the hacker group was first spotted in 2015 and, by 2019, it was selling highly personal information harvested on Russian citizens, such as criminal records, credit history, flight records, account balances, and SMS text messages printouts.

Researchers said that the cyber-mercenary gang usually targets media and political news websites, journalists, and human rights activists.

“Void Balaur is not averse to going after more high-profile targets either, as the group also launched attacks the former head of an intelligence agency, active government ministers, members of the national parliament in an Eastern European country, and even presidential candidates,” they added.

Trend Micro found that the group currently advertises its services on Russian underground forums Darkmoney and Probiv.

Void Balaur are advertising their services on underground forums.
Void Balaur advertising their services. Credit: Trend Micro

“Void Balaur seems to be highly respected in these underground forums, as the feedback for their services is almost unanimously positive, with their customers pointing out the threat actor’s ability to deliver the requested information on time, as well as the quality of the data being provided,” the report said.

According to the report, the group uses malware tools like the Z*Stealer credential stealer and DroidWatcher, which steal data and have tracking and spying features. The analysis also offered a list of the gang’s indicators of compromise.

Targeting Valuable Data Troves

The group also targeted cryptocurrency exchanges such as EMXO multiple times.

Void Balaur phishing site masquerading as an EXMO login page. Credit: Trend Micro

In September, they targeted the intelligence agency head, government ministers, and two Eastern European Parliament members, Trend Micro reported. But the attacks targeting government officials started in 2020 and were unleashed in several countries, including Armenia, Belarus, France, Italy, Kazakhstan, Norway, Russia, and Ukraine. Countries outside the EU aren’t safe either, as experts found that Void Balaur is also active in the U.S., Israel, and Japan.

Over the course of last year, the hacking group continuously attacked one Russian conglomerate, further demonstrating its patience and persistence. It targeted executives, but also family members of the company owner.

Trend Micro found that Void Balaur doesn’t shy away from any sector, as long as it holds troves of valuable data they can steal and sell. The list of industries hit by the gang’s attacks includes everything you can think of – telecom, radio and satellite communications, banking, aviation, and medical insurance; and even in-vitro fertilization (IVF) clinics in Russia, biotech, and genetic testing.

“What makes Void Balaur stand out from most cybercriminal groups is the sheer number of different types of criminal activity they’re involved in,” Archie Agarwal, CEO of ThreatModeler, said. “It would seem that they operate in almost every industrial sector, type of data and even target high profile individuals. They certainly don’t appear to discriminate.”

Cyber-Mercenary Activity On The Rise

Trend Micro concluded that global governments’ interest in using these malicious groups as part of their national cybersecurity strategies is bolstering the evolution of the cyber-mercenary landscape.

“First, the services and tools of cyber-mercenaries can be used in offensive attacks against terrorism and organized crime, and for targeting foreign assets,” the researchers warned. “Second, they can also be sold to other countries and used as an economic or political tool in foreign policy. Though this might benefit some countries, it also poses a tremendous risk of possible backlash when malicious elements use these tools. Even worse, tools that have been sold overseas might end up being used against citizens of the country that originally exported these tools.”


Threatpost Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash

Trend Micro The Far-Reaching Attacks of the Void Balaur Cybermercenary Group

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.