The Underground Economist: Volume 1, Issue 4

3 minute read

Welcome back to The Underground Economist, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of November 15th, 2021.

Threat Actor Touts Script To Detect RDP Sessions 

Threat actor “donaldtrump1” advertised a script to automatically detect active RDP sessions that are vulnerable to the “BlueKeep” vulnerability tracked as CVE-2019-0708 on the Russian language Deep Web forum exploit[.]in. “BlueKeep” has been used aggressively in recent years by ransomware groups to gain access to the internal networks of major U.S. corporations to launch costly ransom attacks. 

The script is alleged to identify VMware instances running Windows 7, as the RDP connection port (TCP port 3389) for this unpatched and outdated system version is open by default. A single copy of the script is being sold at auction, with a starting bid of $10,000 USD or can be purchased outright for $25,000.

Che Browser Gains Popularity Within Carding Circles

New and untested threat actor “CheBrowser” advertised their namesake anti-detect browser Che Browser, which is positively trending amongst actors who specialize in carding and financial fraud. The browser rental service is available on English language Dark Web forum “KickAss” and is being praised for being able to create and manage large numbers of profiles, which minimizes the likelihood of a website stepping up security challenges when attempting to access a victim’s account. The actor explained that “Che Browser” sends the cookies and browser information of real victims to target sites, instead of using generated or synthetic profiles.

Additional features that help the browser to evade anti-fraud systems include:

  • Changes the IP address using a SOCKS5 proxy
  • Changes geolocation
  • Changes time zone
  • Disables local port scanning  websites

The “Che Browser” is only available to rent, with prices ranging by license length, including:

  • $5 per day
  • $14 per week
  • $30 per month

ZeroFox Threat Intelligence noted that the browser has received positive feedback since it was first announced in September 2021 and could soon challenge “Linken Sphere” as the preferred anti-detect browser of choice for threat actors.

Original post from threat actor “CheBrowser”

Saudi Government, Military Documents Disclosed on Deep Web Forum

In early November 2021, well-regarded threat actor and longstanding intelligence broker “Spectre” (AKA “spectre123”) leaked sensitive Saudi government documents detailing what they claimed to be the inner workings and activities of the country’s government and military. This disclosure continues the trend of cyber actors inserting themselves into complicated political situations seemingly at random and risks further widening the trust gap between citizens and its government or a government and its partners. 

The actor first announced the leak on the English language Deep Web forum “Raidforums” sharing a link to the documents posted on their website “Intel Repository”, which regularly features leaks, databases, and dumps of sensitive information related to various governments. 

Original post from threat actor “spectre123”

The actor claimed the leak was meant to bring about change by shedding light on the so-called human rights violations they believe the Saudi Arabian government has committed, which again is highlighting a wedge issue meant to exacerbate tensions, a common tactic in misinformation operations.  

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.

See ZeroFox in action