A Russian national accused of developing the NLBrute brute-force hacking tool has made his first court appearance this week in Florida over accusations he used the tool to spawn a criminal empire.
Dariy Pankov, also known as “dpxaker,” created the NLBrute malware that cracked the Windows credentials of improperly secured Remote Desktop Protocol (RDP) systems through the brute-force technique of throwing massive numbers of password guesses at them, according to the US Department of Justice. He was arrested in the country of Georgia four months ago and extradited to the US recently.
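The indictment describes the attack in one sentence: large volumes of password guesses against Internet-exposed RDP. From the defender's side, the same activity leaves a very recognisable trail in the Windows Security log, because every rejected guess is written as event 4625 with LogonType 10 (RemoteInteractive). The script below is an added example written for this page, not code from The Register, the DoJ filing, or any of the vendors named in the article. It parses a constructed, simplified one-line-per-event rendering of the 4625/4624 fields (the real events are XML; the timestamps, IPs and usernames here are invented), then flags any source address that produces a burst of RDP failures inside a short window, distinguishes single-account guessing from spraying across many accounts, and notes whether a successful RDP logon (4624) from the same address follows the burst, which is the signal that matters most in triage.

```python
"""Flag RDP password-guessing bursts in Windows Security events 4625/4624.

Added example for this article; the log lines are constructed, not captured.
Field names (EventID, LogonType, TargetUserName, IpAddress) mirror the real
4625/4624 event data, but the one-line key=value layout is a simplification
assumed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                    # failed RDP logons from one IP ...
WINDOW = timedelta(minutes=2)    # ... inside this window raises an alert

# Constructed sample log. 203.0.113.7 hammers one account and then succeeds;
# 198.51.100.9 sprays one guess across many accounts; 192.0.2.44 is a user
# who mistyped twice and then logged in (should not be flagged).
SAMPLE_LOG = """\
2023-03-01T10:00:00Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:08Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:11Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:14Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:00:20Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T10:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9
2023-03-01T10:05:01Z EventID=4625 LogonType=10 TargetUserName=mjones IpAddress=198.51.100.9
2023-03-01T10:05:02Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.9
2023-03-01T10:05:03Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=198.51.100.9
2023-03-01T10:05:04Z EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=198.51.100.9
2023-03-01T10:30:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.0.2.44
2023-03-01T10:31:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.0.2.44
2023-03-01T10:31:30Z EventID=4624 LogonType=10 TargetUserName=alice IpAddress=192.0.2.44
"""


def parse_line(line):
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for every IP with a burst of RDP failures.

    A burst is `threshold` or more 4625 events with LogonType 10 from one IP
    inside `window`. The alert records how many accounts the burst touched
    (one = classic brute force, several = password spray) and whether a 4624
    success from the same IP landed within `window` after the burst.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == 10:          # only interactive RDP logons
            by_ip[e["IpAddress"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["EventID"] == 4625]
        burst, start = None, 0
        # Sliding window over the time-sorted failures for this IP.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                break
        if burst is None:
            continue

        accounts = {e["TargetUserName"] for e in burst}
        burst_end = burst[-1]["ts"]
        success = any(
            e["EventID"] == 4624 and burst_end <= e["ts"] <= burst_end + window
            for e in evs
        )
        alerts[ip] = {
            "failures": len(failures),
            "accounts": sorted(accounts),
            "pattern": "password_spray" if len(accounts) > 1 else "single_account_bruteforce",
            "success_after_burst": success,
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On the constructed sample this flags 203.0.113.7 (six failures against `administrator`, then a success, so the host should be treated as compromised) and 198.51.100.9 (five different accounts in five seconds, a spray with no success), while the two mistyped attempts from 192.0.2.44 fall below the threshold. In production the same logic would read 4625/4624 from the event log or a SIEM rather than a string, and the threshold and window would be tuned to the environment; the more durable fix the article's victims lacked is to keep RDP off the Internet entirely, behind a VPN or gateway with multi-factor authentication and account lockout.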
Between 2016 and 2019, Pankov allegedly made hundreds of thousands of dollars by selling NLBrute to other miscreants and by allowing some to resell the tool. He also, the documents claim, had a sideline selling stolen login credentials on a dark web marketplace for criminals to use in further attacks.
In total, Pankov put the credentials of more than 35,000 compromised systems from around the world up for sale, generating more than $350,000 in ill-gotten gain for himself, according to the US Attorney’s Office for the Middle District of Florida.
Pankov faces conspiracy, access device fraud, and computer fraud charges, which prosecutors said could land him in jail for up to 47 years. US authorities also plan to seize $358,437 that they have linked to Pankov’s offenses. He is being held at Pinellas County Jail near Tampa until his trial.
In the indictment handed up in April 2019, Pankov is accused of creating NLBrute in 2016 and of working with unnamed people to sell the tool on the dark web for $250 in Bitcoin. He began advertising the tool in June 2016 and two months later told a conspirator that he had the login credentials to 3,000 computers in the US, UK, France, Italy, and Australia and could get more, the Feds say.
In November 2016, on an online hacking forum, Pankov said he had developed NLBrute and allowed a conspirator to sell it, according to the indictment. From then until 2018 he allegedly ran his operations – including selling the credentials to compromised systems – for $1,000 or more. Two unnamed US law firms in Florida were cited as being among the victims.
NLBrute was making a name for itself during that time, when brute-force attacks were on the rise. In 2017, researchers at Sophos reported that NLBrute was a key tool in ransomware attacks that year that were using Microsoft’s RDP as a way into vulnerable systems.
NLBrute has also been linked to ransomware groups like REvil and Netwalker.
In 2018, The Register covered a report by McAfee about the growth of so-called “RDP shops” on the dark web selling access to compromised systems for as little as $10 each, with the miscreants using NLBrute and other brute-force tools like Hydra and RDP Forcer to gain access.
Analysts with cybersecurity firm CloudSEK in 2021 said they found a dark web forum advertising an NLBrute tool built on version 1.2 of the malware, and it looks like its use won’t be ending soon. ®