$700 cybercrime software turns a Raspberry Pi into a fraud avoidance tool

Cybercriminals are selling custom Raspberry Pi software called ‘GEOBOX’ on Telegram, which allows inexperienced hackers to turn mini-computers into anonymous cyberattack tools.

GEOBOX is sold on Telegram channels for a monthly subscription of $80 or $700 for a lifetime license, paid in cryptocurrency.

Resecurity analysts discovered the tool during an investigation into a high-profile bank heist that affected a Fortune 100 company.

“This discovery led to the purchase of the GEOBOX for further analysis. The malicious individuals used several GEOBOX devices, each connected to the Internet and strategically placed in different remote locations,” Resecurity explained.

“These devices served as proxies, significantly increasing their anonymity. This approach complicated the investigation and monitoring process, especially since by default GEOBOX devices do not store any records.”

The researchers obtained the GEOBOX software for analysis and warned in a report today that it is a highly capable tool that can complicate law enforcement monitoring and investigation.

GEOBOX sold on Telegram
Source: Resecurity

Features of GEOBOX

The Raspberry Pi is an inexpensive but capable system that can be purchased for as little as $35, making it an excellent disposable tool for cyberattacks.

The device is extremely small and light, which makes it very portable. This allows cybercriminals to easily move to different locations, connect to various Internet access points, and cover their tracks.

Small dimensions also facilitate concealment, ideal in attack scenarios that require close proximity to a target without arousing suspicion.

The GEOBOX Raspberry Pi software discovered by Resecurity acts as a suite of cybercrime applications that focus on fraud and anonymization, making it a powerful tool for illicit online activity.

GEOBOX record card
Source: Resecurity

Resecurity lists the following main features:

  • GPS spoofing even on devices without a receiver, allowing users to spoof their geographic location and bypass location-based security or engage in location-specific fraud.
  • It emulates specific network settings and Wi-Fi access points to disguise illicit activity as legitimate network traffic.
  • Fraud circumvention to support activities such as financial fraud and identity theft.
  • Routing traffic through anonymous proxies to disguise the location of the threat actor.
  • WebRTC IP masking and Wi-Fi MAC address masking to hide the user’s real IP address and mimic Wi-Fi network identifiers, complicating fingerprint tracking.
  • Extensive support for VPN protocols, including location-specific DNS configurations to prevent data leaks.
  • Support for LTE modems for mobile Internet connectivity, adding another layer of anonymity.

What is most appealing is that the above tools are packaged in an environment that is easy to use even by low-skilled threat actors, who are given clear and detailed instructions in the accompanying user manual.

Spoofing possibilities
Source: Resecurity

Resecurity believes that GEOBOX can enable a wide range of cybercrimes, primarily by helping users remain anonymous and difficult to trace.

Examples include coordinating cyberattacks, operating or accessing darknet markets, financial fraud, credential spoofing, malware distribution, and disinformation campaigns.

Although GEOBOX does not introduce any functionality that is not already available in standalone tools or specialized Linux distributions, such as Kali Linux, its comprehensive and user-friendly package makes it ideal for users who want to quickly deploy new, disposable hacking devices.

Furthermore, its affordability and ease of use make it particularly attractive to novice or low-skilled cybercriminals entering the space for the first time.
