Profiling the Linken Sphere Anti-Detection Browser

This report includes a detailed analysis of the Linken Sphere anti-detection browser and is based on the Recorded Future® Platform, underground forums, Linken Sphere’s official website and forum, as well as OSINT. This profile will be of most interest to financial, e-commerce, and social media companies who are targeted by cybercriminals, organizations seeking to track illegal activities within the underground community, as well as to anyone looking to understand popular tools used by cybercriminals to bypass fraud detection systems. This report is the first part of the Insikt Group research devoted to the Tenebris team tools. An in-depth technical analysis will be provided in follow-up research.

Executive Summary

Multiple e-commerce and financial organizations around the world are targeted by cybercriminals attempting to bypass or disable their security mechanisms, in some cases by using tools that imitate the activities of legitimate users. Linken Sphere, an anti-detection browser, is one of the most popular tools of this kind at the moment.

Every web browser has a unique “fingerprint” that websites use to verify its legitimacy. E-commerce companies and banks often use this type of fingerprinting to block transactions from browsers that have previously been recognized as insecure or involved in fraudulent activity. The established cybercriminal practice of rotating virtual machines, proxies, and VPN servers is no longer very effective, because anti-fraud systems can identify suspicious IP addresses and virtual machines. As a result, cybercriminals have developed anti-detection software, such as Linken Sphere, that allows them to change all web browser configurations dynamically and generate an unlimited number of new ones, imitating the activities of legitimate users.

Linken Sphere was first introduced on several Russian-speaking underground forums on July 4, 2017, by the threat actor “nevertheless.” Linken Sphere allows users to create multiple virtual accounts that imitate the activities of real users and provide unique device fingerprints. As a result, Linken Sphere has become popular among cybercriminals who seek to circumvent anti-fraud systems.

Key Judgments

Linken Sphere official logo.

Background

Linken Sphere (named “Сфера” in Russian) is a multi-functional and multi-purpose anti-detection browser and software that is widely used by cybercriminals to bypass the anti-fraud systems of financial organizations. It was first introduced on the dark web on July 4, 2017, by the Russian-speaking threat actor “nevertheless.” The threat actor is also one of the administrators of Tenebris Team forum, the official forum of Linken Sphere.

Other staff members of the Linken Sphere team are “dev.tenebris,” another administrator of Tenebris Team forum responsible for the technical development and support for the product, as well as the threat actors “S1neka,” “KirillGochan,” and “Zimbabve,” who are all moderators.

Though Linken Sphere is popular among cybercriminals, the creators claim that it was officially created for legitimate uses by groups such as the following:

The project’s authors openly hold conferences in Russia and Ukraine and produce promotional videos on YouTube aimed at Russian- and English-speaking audiences.

According to Tenebris Team forum, there are three types of licenses for the latest Linken Sphere version, 7.996, introduced on September 13, 2019:

According to the rules, it is possible to transfer the licenses to a third party, but the buyer and the seller must contact the support service to confirm this transaction.

Linken Sphere offers three types of licenses: Light, PRO, and Premium.

Technical documentation for Linken Sphere is available in English, Russian, Spanish, German, and Chinese. The developers recommend that new users connect through Tor to create and configure new Linken Sphere accounts.

After authorizing a personal account, users obtain access to the functionality of the user panel. The primary options of the user panel are:

According to the developers, the software is compatible with various operating systems, including Windows (x64) versions 7, 8, and 10; macOS starting from Yosemite; and Linux distributions: Ubuntu, Linux Mint, Kali Linux, Gentoo (Calculate Linux), Fedora, Debian, openSUSE, Slackware, Mageia, PCLinux, and Kubuntu. Linken Sphere versions 7.99 and newer cannot be installed on Linux at the time of this writing. Linken Sphere can be installed on a local or remote computer, as well as on virtual machines such as VMware or VirtualBox. The minimum PC system requirements are a dual-core 1.7 GHz CPU and 2 GB of RAM. Linken Sphere can be downloaded and installed on multiple devices; however, only one account can be active at a time. User data is stored in the cloud session storage and is retained after uninstalling or reinstalling Linken Sphere.

Linken Sphere advertised on the dark web between 2017 and 2019. (Source: Recorded Future)

Threat Analysis

The general technical specifications of Linken Sphere, as outlined on Tenebris Team forum by the threat actor “nevertheless” and on the official website ls.tenebris[.]cc, are provided below:

Web Emulator module for automated harvesting cookie files.

Linken Sphere allows users to deliberately leak a fake IP through WebRTC. The function is enabled during the whole session and misleads targeted organizations by leaking fake IP addresses and masquerading as legitimate users. It also allows connection through Proxifier, Bitvise, and Plink.

WebEmulator emulates touch-screen, mobile-device, manual, and automated input, including text copying, while visiting websites in background mode, imitating the behavior of real users and increasing the level of trust assigned to such accounts.

On June 1, 2019, Tenebris Team forum developers announced Linken Sphere v. 7.99. The new version is likely meant to address the increased complaints by users that the previous versions did not provide sufficient anonymity, among other issues. The developers stated that the previous release was modified with new features, including:

“Simple” — a new user interface that increases the speed of Linken Sphere operation while using remote devices

Automator module for bypassing website CAPTCHA.

Network Connection

Linken Sphere can connect multiple users simultaneously to the internet in what are referred to as “sessions.” Each session can be named individually. Linken Sphere allows working on multiple devices and is not tied to particular hardware. Users can have the browser on different devices with various operating systems, but can only work with one username and password at a time. The developers stated that cloud access allows users to launch Linken Sphere from any device.

Each session connection can be configured individually in the following ways:

Session setup interface allows users to select an appropriate connection through various protocols.

Fingerprints

According to the developers, Linken Sphere includes approximately 50,000 device fingerprints and a config generator to create additional custom fingerprints. The users of the PRO and Premium licenses have access to approximately 150,000 fingerprints and 13,000 user agents on Tenebris Team forum, which are regularly updated.

Linken Sphere can modify the following fingerprints:

According to the developers, the fingerprints listed above depend on the hardware. If the user transfers the same fingerprints from one machine to another, then the final fingerprints will be different. Some of the fingerprints, such as WebGL, Fonts, and Plugins, are included in the configs, while others like Canvas, Audio, and ClientRects are not, but are generated when the session is created.

Linken Sphere ‘Configshop’ Browser Configurations

According to the developers’ offer, they provide individual high-quality configs combining fingerprints that emulate real devices. The average price per config is $3.

Configshop interface with the option to buy and import new configurations.
PRO and Premium license holders who prefer to configure sessions manually can obtain new user agents for various devices free of charge in this section. The list of available user agents is updated regularly.

Free user agents available for PRO and Premium licenses.

Users with the PRO and Premium licenses can import configs in bulk, but no more than 100 configs at a time.

Risk Mitigation

Recorded Future will continue to monitor the development of the Linken Sphere anti-detection browser and will inform its clients of software updates and new functionality, so that clients can incorporate this information into their anti-fraud systems to identify potentially fraudulent activity.

Insikt Group recommends the following general measures to protect against the targeting of organization websites and networks:

Outlook

Linken Sphere has been one of the primary anti-detection browsers on the dark web since its release in 2017 due to its extensive functionality, high-quality technical support, and successful business model. In 2019, Linken Sphere was updated to the new version 7.99 and described as a new product with all-new functionality. It is likely that the developers decided to significantly overhaul the product in order not to lose their competitive advantage on the dark web against anti-detection browsers like AntiDetect and FraudFox. The low price of $100 per license is affordable for most cybercriminals and contributes to the influx of new users.