The Underground Economist: Volume 1, Issue 6


Welcome back to The Underground Economist, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of January 5th, 2022.

New “Snowflake” Stealer Emerges As Several Botnet Logs Markets Shut Down

New and untested threat actor “SnowFlake” announced a new stealer malware dubbed “Snowflake” on the Russian-language Deep Web forum xss[.]is. ZeroFox researchers note that this stealer hit the underground market after several major Deep Web marketplaces that broker botnet logs shut down in November and December. These now-defunct marketplaces, including Russian Market (November 2021) and Amigos (December 2021), often obtained botnet logs from stealer feeds, such as those of the Redline or Raccoon stealer variants. Researchers assess that this new stealer will likely breathe new life into the underground market of malware logs because these marketplaces are closing their proverbial doors and options to monetize malware logs are running thin.

The new “Snowflake” stealer has basic functionalities to collect the browser information of victims, including their login credentials and cookies. The stealer can also be used to gather cryptocurrency from various crypto wallets. Other features include: 

  • Does not have any software dependencies
  • Works with systems running older versions of Windows that are no longer supported
  • Collects system information of target machine
  • Prevents the malware from running in VMs and sandboxes, hindering analysis and reverse engineering efforts

Additionally, threat actors can use the stealer’s administrator panel to keep track of compromised machines and sort the stolen data by country, IP address, or date of compromise.

The actor charges USD $150 for a single administrator account to operate the stealer. They offered a slight discount to threat actors willing to purchase two administrator accounts for $250.

Service Performs Reconnaissance On Targets Using Corporate Email Addresses

Untested threat actor “badsoft” advertised, on the Russian-language Deep Web forum xss[.]is, a service that provides reconnaissance on a target based on their corporate email address. The service is likely to lead to an increase in spam, phishing, or credential stuffing attacks against entities in the future. The actor claimed the service leverages various open-source tools and licensed products to collect information about companies, including:

  • Mail server
  • Country
  • Number of employees
  • Revenue

In a smaller number of cases, the actor claimed the service can also be used to identify information about employees, including:

  • Full name
  • Job title
  • Employer
  • LinkedIn profile

A license for the service costs approximately USD $2,000 per month. The actor also offered to investigate a list of 10,000 corporate emails provided by a customer for $300.

Automated Spam Tool Abuses Viber VoIP & Instant Messaging Service

In December 2021, untested threat actor “Leviathan” announced, on the Russian-language Deep Web forum xss[.]is, a new spam tool dubbed “Viber Multi Bot” that automatically creates new Viber accounts for spam or phishing attacks. The actor claimed the tool is designed to bypass Viber spam filters to send unsolicited text, photos, videos, or files to victims via private message or group chat.

Additional features of the tool include:

  • Sends mass invites to victims to join group chats
  • Contains “24/7 mode” to spam continuously
  • Configurable with different sets of answers to automatically respond to messages based on certain keywords or phrases
  • Generates reports logging information about spam messages sent

Additionally, the tool contains checker functionality to determine if phone numbers are associated with active Viber accounts. This information can be used to build a database of new victims to target for spam or phishing attacks.

The actor charged USD $190 (RUB 14,000₽) for a license to use the tool. 

Threat Actor Purports To Have CDC-Registered COVID-19 Vaccine Cards For Sale

Threat actor “Novateam” advertised what they alleged to be CDC-registered COVID-19 vaccination record cards on their private Dark Web shop. The actor specified that the vaccination cards are the same size and made with the same materials as legitimate vaccine cards. Additionally, the actor claimed to have capabilities to provide proof of vaccination through any CVS pharmacy in the U.S.

To do this, the actor requested PII from customers, including:

  • Full name
  • Date of birth
  • Mailing address

The actor charges $250 for a single CDC-registered certificate.

The actor also claimed to have vaccine cards registered with doctors and pharmacies in other countries, including Australia, Canada, Ireland, and the United Kingdom. The actor further states that all sales are shipped locally, indicating the threat actor is part of a team and likely has a presence in each country. 

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.
