Introduction
In this blog, as Cyberthint threat hunters, we have shared with you as our esteemed readers, the results of our analysis of the leaked source code of the “Bayraktar TB2” model, which was offered for sale on a popular darkweb forum and allegedly belonged to the “Bayraktar TB2” model, which is an unmanned aerial vehicle belonging to the “Baykar Technology” company, and the results we obtained as a result of a social engineering-based operation against the threat actor.
Cyber Threat Intelligence
Cyberthint threat hunters detected a topic posted on July 31st on a popular darkweb forum with the title “Bayraktar TB2 Turkish UAV | Open Source Code” by a threat actor with the username “zikkail“. When the topic is examined, the threat actor says (claims) that s/he gained access to the SMTP mail server of baykartech.com and gained unauthorized access to several computers as a result of phishing a macro Word document containing a trojan with FUD. S/He mentions that one of these compromised computers was a machine belonging to the IT department, from which he scanned the entire network and obtained the unprotected source code in such manner. And in the post, he shares a small piece of source code as a sample.
After examining the shared source code, our analysts determined through a simple OSINT study using some code patterns that the source code belongs to a Flappy Bird-like game called “TB-2MAN” on GitHub.
A screenshot of the relevant game app:
GitHub Repo: https://github.com/Ahmet-Arvas/pygame-tb2man
Social Engineering Ops
Cyberthint threat hunters obtained new samples by using social engineering methods by contacting the threat actor via Telegram, masked as the “shopper“.
In the new obtained samples , it was observed that the threat actor used the MS Windows operating system in Turkish language with the user named “z1kkail“. When the newly obtained relevant code snippet was investigated with OSINT methods, it was determined that the threat actor took this code snippet from the source code of a Telegram Client application on GitHub and made it this way by editing the variable names.
GitHub Link: https://github.com/procxx/kepka/tree/4b6f700470f82bb9abb9673d2b34a3365d11e82c/Telegram/SourceFiles
Following the social engineering activities, an agreement was concluded with the threat actor to purchase 670GB of alleged data for $3900. The threat actor’s IP address and BTC Wallet address (bc1qnuf5w25vwfu2sgszluk27qkds9ez9k3mdu95ks) were obtained as a result of the threat actor clicking on a fake payment receipt link we prepared specifically for the operation and containing an IP logger. In addition, it was determined that the threat actor used the cold wallet named “Exodus” in the screenshot taken from an IOS phone sent by the threat actor.
When the IP address of the threat actor was investigated, it was understood that s/he was using the Cloudflare WARP service.
In addition, in the researches conducted on the individual, it was found that he also has memberships in some Turkish forum sites.
Other known usernames: “z1kkail, zikkail, onlyzikkail“
Conclusion
At the end of research and analyses’, Cyberthint threat hunters have confirmed that the data allegedly belonging to Baykar Teknoloji – Bayraktar TB2 Unmanned Aerial Vehicle and offered for sale is fake and that the threat actor is Turkish and resides in Turkey, as the threat actor uses Turkish as the Windows language, has user accounts on Turkish forum sites, writes a Turkish description on his Telegram account, and the CloudFlare WARP service connects its users to the server in the nearest location and this server is a server in Izmir.
It has been understood that this incident is a fraud and defamatory activity. Hence, it has been concluded that it is baseless and false. It is presented to the Turkish and World public.
Note: Before publishing this blog post, the findings obtained as a result of research and analysis were shared with the relevant official authorities.
