
Cybersixgill Report | OpenBullet: The Threat Actor’s New Magic Bullet

OPENBULLET: THE THREAT ACTOR'S NEW MAGIC BULLET

EXECUTIVE SUMMARY

• OpenBullet is one of the most commonly used account cracking tools, utilized by
thousands of threat actors across the deep and dark web. Three main features of
the tool – wordlists, configs, and proxies – make account cracking accessible to
threat actors of all maturity levels.
• In 2020 there were over 80,000 posts in the underground regarding combolists
and accounts that could be used with OpenBullet’s wordlists.
• Configs provide threat actors with the ability to automate their cracking attacks.
In 2020, a single hacking forum had nearly 50,000 mentions of configs, and
thousands more across other underground sources.
• Three industries – ecommerce, finance, and streaming services – were the most
frequently observed targets of OpenBullet configs. In 2020, there were over 68,000
mentions of configs for streaming platforms – Netflix, Hulu, and Disney. All three
industries saw a spike in chatter during the first half of 2020, possibly correlated
with Covid-19 lockdowns.

This document is proprietary and confidential. No part of this document may be disclosed in any manner to a third party without prior written consent. © Cybersixgill 2021. All rights reserved. 1

INTRODUCTION

The dark web hosts a large number of threat actors with varying capabilities. Some of
them build hacking tools and share them for “educational purposes” – or so they claim –
and deny any responsibility or fault if the tools are used maliciously (Figure 1).

Figure 1: Threat actor sharing a RAT for "educational purposes only".

Many of these tools are pentesting or cracking tools like Metasploit, Wireshark, or Brutus,
used to gain access to networks through vulnerabilities and compromised credentials.
Such tools often offer simple-to-use GUIs, plenty of user guides on forums and YouTube,
and even supporting files already programmed to perform a specific function such as
credential stuffing, allowing the attacker to simply deploy or activate the tool and reap
the benefits.

This report analyzes one of the most widely shared cracking tools on the deep and
dark web: OpenBullet.


OPENBULLET

OpenBullet is a web testing suite that allows attackers to perform a variety of attacks
through a single console.1 These attacks can target a webapp of the actor’s choice and
can scrape and parse data, automate pentesting functions, crack accounts, and more.
This report focuses on account cracking and the features that make cracking possible –
combolists, configs, and proxies.

Cybersixgill has collected several posts related to OpenBullet, the first being from April
2019 (Figure 2). However, this version of OpenBullet was a mod, as identified in its
description. The poster credited the original developer and linked to the official Git
project. This report focuses only on the original OpenBullet features.

Figure 2: OpenBullet mod.

1 https://github.com/openbullet/openbullet


The official OpenBullet project was released on May 29, 2019 and provided the tool’s source
code.2 Since then, the developers/contributors have grown to at least 11 people and have
provided many updates to the tool. It should be noted that Cybersixgill collected several
posts advertising OpenBullet config-making services prior to the official GitHub repository
release, some as early as January 2017, as seen in Figure 3 from a threat actor on an
underground forum. We discuss configs in greater detail later in this report; however, this
post indicates that OpenBullet was available prior to its public release in 2019.

Figure 3: OpenBullet config service by threat actor from January 2017.

Since the official repository for OpenBullet was made available, Cybersixgill has collected
over 177,000 mentions of the program across deep and dark web sources (Figure 4). Of
those, over 11,000 were original forum posts or products on marketplaces. From January
to July 2020, there was a spike in references, which is likely the result of Covid-19 and
people spending a lot of their time online. It appears that threat actors are taking
advantage of the surge of accounts and the probability that many of them are not being
properly secured.

2 https://github.com/openbullet/openbullet/releases?after=1.1.3%23231


Figure 4: OpenBullet chatter on the deep and dark web since May 2019.

ACCOUNT CRACKING WITH OPENBULLET

ACCOUNT CRACKING WITH OPENBULLET - WORDLISTS

Cracking accounts is the most frequently used feature of OpenBullet, and it is accessible
to even the least experienced threat actors. This is because, other than the tool itself,
cracking accounts requires only two files: a config file, which consists of executable
code to automate a task such as logging into an application, and a combolist, a CSV or
text file of leaked credentials. Additionally, threat actors can choose to use proxies to
remain anonymous during their attacks.

Figure 5: OpenBullet wordlists tab to insert credential combos.

As seen in Figure 5, the wordlists manager allows the user to upload any
username/password combo that they want to check or crack. This is meant to be used
with a config file which consists of the code for OpenBullet to execute.

Both configs and combolists are widely available in the underground, often for free. A
threat actor can obtain a combo list for free or by buying it from any of the popular
underground forums. In the past year, Cybersixgill has collected over 80,000 posts, paste
dumps, messages, and products for combos and accounts in the deep and dark web. Of
those, over 40,000 come from just three forums (Figure 6).


Figure 6: Mentions of combos or accounts in 2020 from three forums.

Streaming services such as Hulu, Spotify, and Netflix are frequently observed as being
the intended target for many cracking attempts; however, any organization can be
targeted. In the past year, Cybersixgill has observed over 43,000 mentions of Netflix
combos, over 13,000 for Hulu, and over 30,000 for Spotify (Figure 7).

Figure 7: Mentions of combos for streaming services in 2020.


Threat actors typically provide a text or CSV file with two columns, username and
password, which can either be used as-is or reformatted so that it can be properly
uploaded to OpenBullet.
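The report's first recommendation is to watch the underground for combo lists naming your organization; once such a list is obtained, the first defensive step is to screen it for your own email domains. The following is an added example, not part of the report or the OpenBullet project: the sample lists and the `example.com`/`corp.example` domains are constructed, and it parses both the separator-delimited and the CSV layouts described above.

```python
import csv
import hashlib
import io
import re
from collections import Counter

# Constructed sample combolists (not real leaks) in the two layouts described above:
# separator-delimited "user:pass" lines, and a CSV with a username,password header.
SAMPLE_TXT = """\
alice@example.com:Winter2020!
bob@corp.example:hunter2
# comment lines and malformed lines are skipped
not-a-combo
carol@example.com;P@ss:w0rd
dave@other.test:letmein
"""
SAMPLE_CSV = """\
username,password
erin@example.com,Spring2021
frank@corp.example,qwerty
"""
SEP_RE = re.compile(r"[:;|\t]")  # separators commonly used in text combolists

def parse_combolist(text):
    """Yield (username, password) pairs from either layout. Only the first
    separator splits a line, so passwords may themselves contain ':' or ';'."""
    lines = text.splitlines()
    if lines and "," in lines[0]:  # header row present: treat as CSV
        for row in csv.DictReader(io.StringIO(text)):
            if row.get("username") and row.get("password"):
                yield row["username"].strip(), row["password"]
        return
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = SEP_RE.split(line, maxsplit=1)
        if len(parts) == 2 and parts[0]:
            yield parts[0].strip(), parts[1]

def screen_for_domains(text, org_domains):
    """Return the entries whose email domain belongs to the organization.
    Only a truncated SHA-256 of the password is kept, so the screening output
    never stores the plaintext credential; the prefix is enough to correlate
    the same leaked password across dumps and to prompt a forced reset."""
    hits = []
    for user, pw in parse_combolist(text):
        domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        if domain in org_domains:
            digest = hashlib.sha256(pw.encode()).hexdigest()[:12]
            hits.append({"user": user.lower(), "pw_sha256_prefix": digest})
    return hits

def domain_counts(text):
    """Entries per email domain: a quick view of whose users a list targets."""
    return Counter(u.rsplit("@", 1)[1].lower()
                   for u, _ in parse_combolist(text) if "@" in u)
```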

ACCOUNT CRACKING WITH OPENBULLET - CONFIGS

Now that the threat actor has a file full of credential combos they want to check or brute-
force, the next step is to create or obtain a config file – a file consisting of code for
OpenBullet to execute. These configs are often built with the Python module Selenium, a
tool that allows one to control the browser programmatically, clicking links and filling in
forms such as login pages with automation. Thus, the config automatically attempts to log
in with each credential in the wordlist and records the successful logins to OpenBullet’s
Hits DB.

Figure 8: Config for Oberlo, obtained from the underground.

Figure 8 is an example of a config for Shopify’s Oberlo ecommerce site. The program
enters credentials from the wordlist and if successful, records the authorization token for
each one. This config was obtained from the threat actor in the following post (Figure 9).


Figure 9: Config for Oberlo obtained from the underground.

At Cybersixgill, we observe many threat actors looking to obtain these configs from
others rather than build one themselves. In the past year, Cybersixgill observed over
85,000 posts related to configs shared on forum categories dedicated to cracking
accounts and pentesting. Three of the most frequented watering holes in the underground
accounted for most of the results for configs (Figure 10).

[Figure 10 chart: bar chart of config mentions for Source 1, Source 2, and Source 3; y-axis 0 to 60,000]

Figure 10: Mentions of configs in cracking and pentesting forum categories.

As mentioned earlier, it is far more common to observe threat actors posting requests
for free configs or config services, indicating that many of them may not be the
developer type. For example, this threat actor politely requested a config on an
underground forum (Figure 11).


Figure 11: Threat actor requesting config for Amazon.

In the past year, Cybersixgill observed over 12,000 “Want to Buy” (WTB) posts in the
underground, many of them observed in messaging platforms. Although 12,000 is still
high, it is low compared to the amount of config service/sale posts we observed during
the same time frame – over 36,000. It could be that there are so many services available
that most threat actors do not feel the need to post a request for one or even learn how
to build one on their own. Below is an example of a threat actor selling a config for
Walmart (Figure 12).

Figure 12: Threat actor selling a config for Walmart.

One should not ignore how easy it is for threat actors to obtain both combo lists and
configs. Whether through forums, marketplaces, or messaging platforms, there are a
variety of options for obtaining these items. Even popular gaming platforms like Discord,
which is easily accessible, host servers dedicated to requesting, building, and selling
configs. For example, the following server has hundreds of users and specific channels
where threat actors can connect with config builders and sellers (Figure 13).

Figure 13: Config Discord Server.

The server also identifies the builders and sellers to make it easy for those looking to
request a config or ask about ones that are already built and ready for production (Figure
14).

Figure 14: Config builders and sellers.

PROXIES - REMAINING ANONYMOUS WITH OPENBULLET

Since most threat actors using OpenBullet will use combo lists with hundreds or
thousands of credentials to crack, they need to make sure their real IP address is not
used repeatedly in each request made to a website. Thus, OpenBullet allows users to
import proxies to remain anonymous and avoid being blocked by a site while they conduct
their cracking activities (Figure 15).


Figure 15: OpenBullet Proxy Manager.

There are both free and paid services where threat actors can obtain proxies to import
into OpenBullet and mask their identities. Services like Stormproxies.com, Oxylabs.io, and
Luminati.io offer quick and easy access to proxies. Proxies are also available in a large
volume in the underground. In the past year, there were over 97,000 references to free
proxy services such as the example in Figure 16.


Figure 16: Threat actor sharing proxy services.

The above example directs threat actors to a Telegram channel that claims to provide
free proxies every 20 minutes. Figure 17 shows how Telegram users are greeted upon
entering the channel.

Figure 17: Proxy service Telegram channel.

Once a threat actor enters the channel and clicks on the proxy list link, they will download
a txt file containing the proxies they can import to OpenBullet (Figure 18).


Figure 18: Proxy list from Telegram Channel.

TARGET ACQUIRED - INDUSTRY ANALYSIS

No industry or organization appears to be safe from threat actors and their arsenal of
credential stuffing/account cracking tools. Chances are that a threat actor was or is
interested in attacking your organization and has compiled a combo list or developed a
config to target your website. While it is possible to find any of these examples through
Cybersixgill’s Portal, this report focuses on compiling stats for three industries –
ecommerce, finance, and streaming services – by looking at several popular companies.

Additionally, since just about any threat actor can create their own combo list from the
endless supply of dumps found in the underground, the following analysis focuses only on
configs found in the underground.


ECOMMERCE

For the ecommerce industry we looked at a few of the largest and most recognizable
companies: Amazon, eBay, and Walmart. In the past year, Amazon had the most
mentions of configs targeting its services (24,000+). eBay came in second with just
over 15,000, while Walmart came in third at 4,900+. Figure 19 below shows that February
to May 2020 accounted for a significant share of mentions for all three companies, right
around the time Covid-19 restrictions rolled out across the globe.

Figure 19: Trend analysis for Ecommerce industry.

FINANCIAL

The financial industry saw a similar trend in config mentions for Chase, Bank of America,
and Wells Fargo. However, when directly compared to the ecommerce industry, these
financial institutions had far fewer configs offered in the underground. This is not
surprising, as the focus for this industry is typically compromised payment cards traded
as CVVs and dumps.

Bank of America had the most mentions with just over 4,300 in a year. Chase came in
second with 2,200+, while Wells Fargo only had 298 for the entire year. Overall, the
financial institutions had more than 37,000 fewer mentions than Amazon, eBay, and
Walmart.

Figure 20: Trend analysis for Financial industry.

STREAMING SERVICES

Lastly, we looked at some of the leading video streaming services: Netflix, Hulu, and
Disney. These services had the most mentions (68,000+) in the past year compared to
the previous two industries. Still, the industry shared a similar trend, with most mentions
during the first half of 2020 (Figure 21). Netflix led the pack with 43,600+ mentions.
Hulu came in a distant second with 14,500+, and Disney with 9,800+.

The level of security could explain why streaming services account for the most config
mentions in the underground, as they typically do not require 2FA by default. Thus, they
are easier to crack into and use for personal viewing or sell in the underground.


Figure 21: Trend analysis for streaming services.

In all three industries analyzed, mentions of configs spiked during the first half of the
year and tapered off towards the second half. It is possible that Covid-19 initiated the
spike, with many threat actors trying to take advantage of increased online activity due
to stay-at-home orders and lockdowns. The flood of configs, combolists, and services may
then have outpaced demand and caused the decline in activity.


CONCLUSION

Security practitioners should monitor the underground for combo lists and configs
targeting their organization. OpenBullet enables threat actors of all maturity levels to
automate the account cracking process and check a high volume of credentials with just
a few clicks of their mouse. Once checked and successfully cracked, these accounts can
be used by the threat actors themselves to commit further malicious activities, or sold
to others in the underground.

Furthermore, it is possible for these threat actors to take down websites through this
automated process if they have large enough combo lists and continue to hit the site with
requests. This will not only cause frustration for other visitors but can disrupt one’s
business and even potentially expose vulnerabilities.

Cybersixgill recommends the following to help prevent threat actors from breaking into
accounts. These recommendations include but are not limited to:

- Monitor for combo lists and configs targeting your organization in the
underground.
- Monitor network traffic for spikes in requests made and failed login attempts.
- Monitor network traffic for suspicious IPs.
- Require users to frequently update passwords to enhance security.
- Require users to utilize 2FA.
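The monitoring recommendations above (spikes in requests and failed logins, suspicious IPs) can be turned into detection logic; the proxy section earlier explains why a per-IP view alone misses a rotated run, so this added example (not from the report or from OpenBullet) also flags windows where nearly every failure arrives from a different IP. The log line layout and the sample log are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed line layout (constructed, not from any real product): "<ts> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def build_sample_log():
    """Constructed sample: a little normal traffic, then a proxy-rotated run (each
    username tried once from its own IP) and one un-rotated IP cycling through accounts."""
    base = datetime(2021, 3, 1, 10, 0, 0)
    lines = ["2021-03-01T09:50:00Z ip=198.51.100.7 user=alice result=OK",
             "2021-03-01T09:51:00Z ip=198.51.100.7 user=alice result=FAIL",
             "2021-03-01T09:52:00Z ip=198.51.100.8 user=bob result=OK"]
    for i in range(24):  # 22 failures and 2 successes from 24 distinct proxy IPs
        ts = (base + timedelta(seconds=5 * i)).strftime(LOG_FMT)
        lines.append(f"{ts} ip=203.0.113.{i + 1} user=user{i:02d} "
                     f"result={'OK' if i in (3, 17) else 'FAIL'}")
    for i in range(6):  # six different accounts from a single source IP
        ts = (base + timedelta(minutes=1, seconds=i)).strftime(LOG_FMT)
        lines.append(f"{ts} ip=192.0.2.9 user=acct{i} result=FAIL")
    return lines

def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # lines that do not match the assumed layout are skipped
            events.append((datetime.strptime(m["ts"], LOG_FMT), m["ip"], m["user"], m["res"] == "OK"))
    return events

def detect_stuffing(events, window_min=5, fail_threshold=15, users_per_ip=5, spread_ratio=0.8):
    """Bucket events into fixed windows. Signals: failure_spike (failures reach the
    threshold); distributed_source_ips (nearly every failure has its own IP, the
    footprint of a proxy-rotated run that per-IP rate limiting never sees);
    many_users_single_ip (one IP tried many accounts). Successful logins inside a
    flagged window are returned as 'hits' to triage (reset password, revoke sessions)."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        key = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        buckets[key].append((ip, user, ok))
    findings = []
    for start, evs in sorted(buckets.items()):
        fails = [(ip, user) for ip, user, ok in evs if not ok]
        by_ip = defaultdict(set)
        for ip, user in fails:
            by_ip[ip].add(user)
        f = {"window": start.strftime(LOG_FMT), "failures": len(fails), "signals": [], "hits": []}
        if len(fails) >= fail_threshold:
            f["signals"].append("failure_spike")
            if len(by_ip) >= spread_ratio * len(fails):
                f["signals"].append("distributed_source_ips")
        noisy = sorted(ip for ip, users in by_ip.items() if len(users) >= users_per_ip)
        if noisy:
            f["signals"].append("many_users_single_ip:" + ",".join(noisy))
        if f["signals"]:
            f["hits"] = sorted({user for _, user, ok in evs if ok})
            findings.append(f)
    return findings
```

On the constructed log, the single IP cycling through six accounts would be caught by ordinary per-IP limits, but the 22 failures spread over 22 proxy addresses only stand out when the window is viewed as a whole.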
