Unit 42 have been doing some really interesting research into TheBottle, the actor behind SquirtDanger.
As part of an investigation into the SquirtDanger malware, Unit 42 discovered that the code repository had been posted by Russian cybercriminal TheBottle. While the malware itself proved to be interesting, it was the actor behind it that provided a much more interesting story.
TheBottle has been active on global underground marketplaces for years, distributing, selling, and trading malware and source code. Unit 42’s research unearthed a confessional blog, social media accounts and a Telegram channel of roughly 900 attackers co-ordinating their activity.
You can view the full report on SquirtDanger here, and a summary of the findings about TheBottle below.
Bad customer service – TheBottle has encountered several issues throughout his career as a malware author. According to Vitali Kremez of Business Risk Intelligence company Flashpoint, TheBottle has been banned by underground marketplaces for multiple customer infractions, including not delivering adequate support for ongoing criminal activity.
Confessional posts – While investigating SquirtDanger, Unit 42 came across a confessional blog post claiming to be TheBottle. In the post, the individual claimed responsibility for creating several malware families, including Odysseus Project, Evrial, Ovidiy Stealer, and several others.
Dodging responsibility – After some online sleuthing, Unit 42 was able to find additional accounts across several social media sites TheBottle frequented. Across most of the social media sites they located, it was apparent TheBottle took his hacking persona seriously. TheBottle’s Twitter conversations helped shed some light on how TheBottle feels about individuals using his malware, for example: “It’s written in my rules that I’m not responsible for using the program. Responsibility is borne by the buyer only”.
Co-ordinating attacks – Looking closer at TheBottle’s blog posting revealed a Telegram channel exposing a group of roughly 900 individuals, most of whom appear to be Russian. Here the channel members are coordinating attacks, developing code, and trading/selling access to several different botnets and builders.
Hacker hangout – Additionally, this Telegram group appears to be a common haunt of some interesting, prolific actors, some with high-profile ties, such as foxovsky, an underground actor who is famous in underground communities for developing malware. Readers may recall foxovsky as being the author of a previously reported malware family called Rarog. Additionally, the ‘1MSORRY’ actor, who is behind the 1MSORRY cryptocurrency botnet and other malware families being distributed around the globe, was identified as a member of this community.