Malware Author Uses Same Skype ID to Run IoT Botnet and Apply for Jobs

In one of the most epic fails of epic fails, a malware dev used the same Skype ID to advertise his IoT botnet, but also to apply for jobs on freelancing portals.

Going by the nickname of DaddyL33T, this malware dev is the individual behind the DaddyHackingTeam portal, the home of a future soon-to-be-launched botnet control panel.

The service is under development, but the crook's website currently houses several repositories containing the source code of various malware families leaked or cracked during the past few years.

DaddyL33t wouldn't be a real hacker if he also didn't have a HackForums profile. His account is registered under the name of DaddyPvP, and in most of his posts he's either asking for help or peddling his botnet.

While most wannabe hackers asking for help on HackForums are harmless, DaddyL33t appears to have some technical skills, or at least the bare minimum to put out a fully functional botnet.

Crook behind a hybrid QBot-Gr1n IoT botnet

Ankit Anubhav, a Principal Researcher at NewSky Security, has tracked down DaddyL33t's botnet, which appears to be a modified version of the QBot botnet. On HackForums, DaddyL33t has asked fellow users for help with various QBot issues.

The researcher says DaddyL33t's botnet retrieves binary files used during the infection process from the DaddyHackingTeam portal.

Anubhav, who had a private Skype conversation with the malware dev, says DaddyL33t confessed that his botnet only managed to infect around 300 devices, a very small number when compared to other IoT botnets.

Furthermore, Anubhav says that after analyzing QBot samples, he found many similarities with the Gr1n IoT malware, also used for the creation of IoT botnets.

All in all, DaddyL33t's botnet appears to be a copy-paste job, and the hacker not as skilled as researchers initially believed.

DaddyL33t is a 13-year-old teen

A reason for this might be that DaddyL33t is just a 13-year-old, something that he confirmed in his private conversations with Anubhav.

His lack of experience in developing malware and operation security (OpSec) is evident as Anubhav says he found job applications on a freelancing portal where DaddyL33t used the same Skype ID that he previously used to advertise his botnet.

In addition, the hacker also stated in some job ads he was 13, confirming statements made to Anubhav.

Hacker: Can't touch this, ta-na-na-na!

Confronted by the researcher about his criminal activities, the young hacker boldly claimed he was immune because he was a juvenile, taking advantage of the fact that law enforcement agencies won't always seek charges against minors.

This is just evil from the hacker's side, but he's not the first one to do so. Speaking to Bleeping Computer, Anubhav pointed out that a hacker known as Houdini proactively gives his Skype ID in NJRat samples and Arab-speaking hacking forums because he believes Western authorities can't touch him in his country — believed to be Algeria.

Speaking from personal experience, Anubhav classifies hackers with poor OpSec in three categories: 1) My country is safe; 2) I am young and want fame; and 3) I messed up. The 13-year-old DaddyL33t obviously falls in the second category.

"What concerns me is that with a bit of copy-paste of available code, a kid of age 13 can start a botnet," Anubhav told Bleeping Computer in a private conversation.

"Such people should be encouraged more towards the white-hat side, and we must also include ethics 101 to mentor our young programmers," Anubhav added.

"His work is simple but given if he is 13, it's really impressive. Sadly in the wrong direction," the expert added.