Get to know “man”, the person behind the phishing attacks in Azerbaijan

17 February 2020

One month after the release of our forensics report “Fishing phishers in Azerbaijan“, that linked targeted phishing attacks against regime critical journalists to infrastructure under the control of the Ministry of Interior, Azerbaijan, we are releasing updates on the person and the network behind the attacks.

Learn about “man’s” attempt to erase online evidence, his requests for help in hacker forums, and his GitHub account linking him to the very same tools used in the phishing attacks.

Erasing evidence – deleting postings in hacker Forum

On the morning of the 16th of January 2020, the attacker had learned about our forensics report and started to delete all his posts in the Antichat hacking forum. This is a typical reaction for a hacker or attacker that just got caught. That’s why crawling suspects’ social media and forum accounts is so important to gather evidence that later might be deleted.

Man474019 had almost 300 postings in the forum, a few of them mentioning his victims and the techniques that he was using. Most of the postings advertised tools and methods or asked for help when he could not succeed in his attempts to attack websites.

Written in Russian and or poor English, man474019 asked to the community for help. Many messages included the questions “What is wrong? Can u advice?“

“Man” spent several hours on January 16th deleting his postings. Unfortunately for him, the forum did not allow him to delete the 4 message threads that he created so he had to edit the messages instead.

For example, in the thread below, he asked how to exploit “nginx < 1.4.7 SPDY Heap Buffer Overflow”.

In this posting, he has replaced the original content with “aaaa”.

This caption shows that man474019 has posted no less than 292 messages in the forum.

Some of his postings included the URLs he was attacking: contact.az. aztelekom.net, moderator.az etc

Contact.az is an Azerbaijani independent media.

man474019 is also active in other forums

In May 2016, Nulled, a forum used by cyber criminals to trade and purchase leaked or hacked information, was compromised and 599K user accounts were leaked. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members. Thanks to the leaked data, we could see that “man” was also active on Nulled. On this forum he used the nick “mehran1234“, with e-mail recovery man474019[@]gmail.com, connecting from IP address 85.132.24.77. Remember that IP address, we will take a closer look on it soon.

In a posting on Nulled, mehran1234 asks for help using “sqlmap” and uploads the error to the website pastebin.com.

In the leaked user database of Nulled, we can link the nick mehran1234 with the email address man474019@gmail.com.

The error uploaded to pastebin the 13th of December 2018

The payload was uploaded to pastebin on the 13th of December 2018.

The error reported by mehran1234 (man474019) was also reported as a “Issue” in GitHub a few days after.

sandman4812av was found

The relationship between our attacker and the GitHub account became even more obvious when we found out that “sandman” was asking the developer of the project Technowlogy-Pushpender for support. This GitHub project was used to build the phishing attacks against Azeri journalists and human rights defenders that were launched on January 6th, 2020.

man474910 = sandman4812av asking for help to build his attacks.

Hobby or professional work?

By analyzing more than 200 events in GitHub from sandman4812av, shows that he works from 7 AM to 17 PM (Baku time) and never works on Sundays. For most people, that is the description of a fix employment, not a side-hobby.

What is sandman4812av interested in?

For the past two years, sandman4812 has been collecting (forking) almost 200 repositories related to pen-testing, hacking tools and denial of service.

A full list of what he is interested is available here

Customs Committee recruits pentesters

In May 2019, an announcement for a job position for the Information Security Department of the Customs Committee (customs.gov.az) was made public. The announcement that was posted in several recruitment websites, was also posted in Facebook.

The job announcement is interesting as it specifies which tools the candidate should master, such as metasploit framework, pentestbox, burp, sqlmap, dirbuster, acunetix and netsparker. The job description is rather unusual as it provides a full list of tools that are commonly used in “offensive security”.

The 85.132.24.7x network

Recall the IP address that “man” was using to connect to the hacker forum Nulled? The IP address he used was 85.132.24.77, belonging to the subnet 85.132.24.7X. Let’s take a closer look on what malicious activities we can find from that network.

Since 2016, Qurium has been collecting malicious events targeting out infrastructure coming from the network 85.132.24.74-78. Thanks to our logs and leaked information from hacker forums and Wikileaks, we can link the IP network to the Department of Ministry of Internal Affairs in Azerbaijan, carrying out DDoS attacks against regime critical media, and targeted phishing attacks against dissidents. Furthermore, this IP range has been blocked by Wikipedia for breaking the rule of reporting from a “neutral point of view” regarding Azerbaijani history and politics.

Below follows a summary of the malicious activity traced to the network.

July 2014: Orkhan SHABANOV from the Main Information Department of Ministry of Internal Affairs asks the Hacking Team for information about their products from 85.132.24.75. Source: Wikileaks-hacking team leaked mails.
May 2016: man474019 connects to nulled.to forum from 85.132.24.77
November 2016: Denial of services from 85.132.24.74 and 85.132.24.77 report
January 2017: Pentesting from 85.132.24.77 (Acunetix, netsparker)
February 2017: AutoIT spyware links 85.132.78.164 with 85.132.24.74, reported here and here The IP 78.164 later on hosted www.pilot.e-xidmet.mia.gov.az
May-November 2019: Multiple edits in AZ wikipedia about the Police and the Nagorno-Karabakh War. Currently 85.132.0.0/17 is banned in wikipedia from posting articles from 85.132.24.78.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.