Pazar, Aralık 22, 2024

TheCthulhus EGM Dump Fraud

Hello to everyone,
According to turkey time 05.02 PM, An English security activist @TheCthulhu published data that he claims from EGM (Turkish National Police) as torrent.

He write his webpage on this:

leakgorsel1
I have been asked to release the following files by ROR[RG], who is responsible for collecting them.
The material was taken from the EGM which is the Turkey National Police.
The source has had persistent access to various parts of the Turkish Government infrastructure for the past 2 years and
in light of various government abuses in the past few months, has decided to take action against corruption by releasing this.

As with everything I share, I do not make any claims for the data. However, please note you may require some knowledge
of databases to be able to properly extrapolate information from this data set. If anyone can make a more accessible
version for the less technically inclined, ping it over to me and I will add it here.

Tweet about he said dump it:

We download and examine this leaked data from his torrent but we found big similarities between another leaked data from December 2014. data from 2014 was sold 250 TRY in some illegal hack forums. It was popular since 03.08.2015 and some forum admins banned threads but someone could send this data to Cthulhu.

Firstly we want compare this two data. We found hardly 2014 data from some private cloud accounts that shared in underground deepweb pages.

First of all I would like to specify that the data is not of Mernis systems are fully accrued in the year 2009 and 26 years later, but not necessarily all of the data to anyone.There is no indication that it was stolen from EGM
We don’t found any hints from Turkish Police (EGM) and “Mernis system” in this data.

countgorsel

Total number of records : 46.859.466 This mean’s that actually 26 years and older persons living or dead that are kept in the SQL file. But Mernis system has data also younger than 18 age old.
But we look at records, rows and column names encrypted with some speacial string encrypt algorithms.

egmleakgorsel1

So, data and its query software (Sorgu.exe) hardened by encryption but we see some duplicated entries as hint. But for fully decryption we must reverse the sorgu.exe and get its algorithm.

sifrelemealgoritma

Also, sorgu.exe has license protection. Our 2014 data has some installation waste like this:

icerikgorsel

We scan sorgu.exe with VirusTotal and Comodo found some trojan like shits. It could be false-possitive1 but we don’t think so.

Also according to our research this software communicate with 89.19.19.210 when licensing progress:

Screenshot_2016-02-16_12-09-42

When we do a more detailed review we found a phone number in strings. It could be software corporation sell this software to lawyers.

11855449_886336491421499_398067300_n