The Underground Economist: Volume 1, Issue 3


Welcome back to The Underground Economist, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of November 1st, 2021.

New Botnet Malware Takes Aim at Android Devices

Well-regarded threat actor “sovenok” announced a new shop selling Android malware logs and access to Android devices compromised by the actor’s malware strain, dubbed “S.O.V.A.”, on the Russian language Deep Web forum exploit[.]in. The shop is still in beta, much like the malware itself; “S.O.V.A.” has been under development since at least September 2021. The malware is alleged to contain data exfiltration capabilities similar to those of other strains such as “Anubis” or “Cerberus”, while also boasting expansive injection techniques for stealing a victim’s session cookies. This is likely aimed at increasing the chances of bypassing multi-factor authentication.

Original post from threat actor “sovenok” announcing new “S.O.V.A.” Android malware

Additionally, “S.O.V.A.” will allow a threat actor to control an infected device remotely without the need for escalated permissions. Threat actors will also be able to reconnect to inactive devices from the command and control (C&C) server, as long as the malicious APK file is still present on the device.

Screenshot of the shop panel for new sova-shoplog[.]com store

After purchase, a threat actor will receive the following information about a compromised device:

  • The initial IP octet
  • Android version
  • Geolocation (to a country level)
  • Runtime
  • Features the malware can use on a particular device
  • Login credentials and session cookies

ZeroFox researchers note that this marketplace could become the Genesis Market of compromised Android devices if it continues to gain popularity from threat actors.

Sale Of Code Signing Certificates Continues To Grow On The Deep Web

The sale of code signing certificates continues to grow on the Russian Deep Web, a trend aimed at increasing the chances of launching successful malware distribution campaigns. One individual at the forefront of this trend is threat actor “certscodes”, who advertised Organization Validation (OV) level certificates on the Russian language Deep Web forum exploit[.]in.

Code signing certificates are intended to prove the authenticity and integrity of files published online. Threat actors are increasingly abusing such certificates to sign their malicious software so that it appears legitimate. Since early 2021, ZeroFox has observed this actor routinely post to the forum with monthly updates about their latest service offerings, which recently included newly added code signing certificates valid in European countries. Prices for the OV certificates start at $400 USD.

Ransomware Specialist Resurfaces On Deep Web After Forum Ban

Threat actor and ransomware specialist “Signature” has resurfaced on the English language Deep Web forum known as “KickAss” a few months after being banned from the Russian language Deep Web forum exploit[.]in. Researchers note the actor’s re-emergence will almost certainly increase the chances of new ransomware attacks being launched in the coming months, judging from the increasing frequency with which this actor has been observed attempting to broker agreements between ransomware groups and insiders at large corporations.

In mid-October, “Signature” replied to a thread posted by the threat actor “ElGr1ngo” seeking coders to build a new obfuscation software. The actor expressed interest in the project and requested that “ElGr1ngo” contact them directly on the forum.

Threat actor “Signature” replies to original post seeking coders to build new obfuscation software

“Signature” was previously known to researchers for outsourcing a service to negotiate and engage with insiders at targeted companies to facilitate payments to ransomware operators. The actor was banned from the exploit[.]in forum after accusing Conti and REvil ransomware operators of misbehaving during a payment negotiation that ultimately led to financial losses for “Signature” and their team.

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements.