The Underground Economist: Volume 2, Issue 1


Welcome back to The Underground Economist, Volume 2, Issue 1, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of February 4, 2022.

New Ransomware Variant Targets Systems Running Windows 11

New and untested threat actor “Cod_Fish” announced, on the Russian language Dark Web forum “RAMP”, one of the first new ransomware variants that ZeroFox researchers have observed targeting Windows 11. The actor shared various articles indicating that this is likely a new version of Thanos ransomware. Claimed features include:

  • Works with systems that run Windows XP through Windows 11
  • Erases backup copies of files and Recycle Bin
  • Terminates database-related processes to prevent accessing backups
  • Automatically enables network discovery and file sharing
  • Spreads to remote systems connected to same network
  • Mimics explorer.exe process
  • Contains anti-sniffer to detect systems monitoring network traffic for sensitive data

The actor also claimed that their service includes obfuscation of the payload. However, the actor specified that the ransomware is not native code and depends on .NET 4 being present on the victim system.
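Several of the claimed features above map onto host telemetry that defenders already collect: deletion of backup copies, termination of database processes, enabling of network discovery and file sharing, and a process masquerading as explorer.exe. The following is an added example, not code from the original post or from the actor, of how a detection engineer might triage process-creation events for those behaviours. The event format (EventId, Image, CommandLine), the list of database process names and the sample events are all constructed for this example; the command patterns matched are the well-documented Windows built-ins commonly abused for these actions, not anything attributed to this specific variant.

```python
import re
from pathlib import PureWindowsPath

# Database engine executables ransomware commonly kills so locked files can be
# encrypted; illustrative list, extend to match the environment being monitored.
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "postgres.exe", "mongod.exe"}

# Built-in commands that remove shadow copies / backup catalogs or disable recovery.
BACKUP_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

# Firewall rule groups that turn on network discovery and file sharing.
SHARING_ENABLE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="(Network Discovery|File and Printer Sharing)"\s+new\s+enable=yes',
    re.I,
)


def classify(event):
    """Return the list of reasons a single process-creation event looks suspicious."""
    reasons = []
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    directory = str(image.parent).lower()
    cmd = event.get("CommandLine", "")

    # The real explorer.exe lives in C:\Windows; a copy elsewhere is masquerading.
    if name == "explorer.exe" and directory != r"c:\windows":
        reasons.append("explorer.exe masquerade")
    if any(rule.search(cmd) for rule in BACKUP_DELETION):
        reasons.append("backup deletion")
    if SHARING_ENABLE.search(cmd):
        reasons.append("sharing enabled")
    if name == "taskkill.exe" and any(db in cmd.lower() for db in DB_PROCESSES):
        reasons.append("database process kill")
    return reasons


def triage(events):
    """Return (EventId, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["EventId"], reasons))
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventId": 2, "Image": r"C:\Users\Public\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventId": 3, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventId": 4, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'},
    {"EventId": 5, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM sqlservr.exe"},
    {"EventId": 6, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, ", ".join(reasons))
```

Any one of these rules fires on legitimate administration now and then (backup rotation scripts run vssadmin, helpdesk staff enable file sharing), so in practice the value is in correlating several hits from the same host within a short window, which is what the clustered behaviours in the actor's feature list would produce.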

Pricing varies, depending on the length of the license:

  • $4,000 USD for six months
  • $8,000 USD for one year
  • $12,000 USD for a lifetime license

ZeroFox researchers highlight this finding to demonstrate recent ransomware activity in the underground. Although this post seems more credible than the Groove ransomware announced on RAMP (a hoax by threat actors), researchers cannot rule out the possibility that this is also a hoax.

Translated post from threat actor “Cod_Fish” announcing new ransomware variant.

New Shop Selling Access To Bots To Distribute Malware

Threat actor “GreatSupport” is advertising, on a Dark Web forum, a new shop selling access to malware-infected gaming computers (AKA bots). Threat actors may purchase access to these compromised machines in order to infect them with additional malware.

The actor claimed that malware can be loaded onto 200-300 gaming computers per day. The actor specified that most of their bots were located in the U.S. or EU countries. Unlike similar services, a threat actor who purchased a bot from this shop would obtain exclusive access to it and not have to share the access with other threat actors who purchased the same resource.

Even though the actor claims that the access bypasses User Account Control (UAC) on the infected gaming computers, they specified that buyers would still need to obfuscate their own payloads to avoid being detected as malicious by most antivirus products.

The actor had a minimum order of 100 downloads for $50 USD.

Original post from threat actor “GreatSupport” advertising their new shop selling access to bots that can be used to distribute malware.

Internal Network Access To Unnamed U.S. Financial Services Company For Sale

Threat actor “vespa” (AKA “wasp” in English) is selling internal network access to compromised systems of an unnamed U.S. financial services company on the Russian language Deep Web forum exploit[.]in. This is significant because U.S. targets have fallen off most public network access listings since the DarkSide ransomware gang was accused of attacking Colonial Pipeline last year, shutting down the largest gas pipeline in the U.S. for several days in May 2021. The actor claimed to have administrator access to various databases and customer relationship management (CRM) systems containing the PII of more than 22,000 clients and 6,400 payment cards.

The actor shared scanned copies of sensitive documents as proof, including:

  • Social Security cards
  • Passports
  • Driver’s licenses

Additionally, the actor claimed to have access to client email and password combinations for Equifax and two other CRM portals.

The actor is auctioning this access, with an initial bid of $20,000 USD, a minimum bid of $1,000 USD, and an instant purchase price of $30,000 USD.

Since network access deals at this price are typically only exploitable by more experienced threat actor groups, ZeroFox researchers assess that this deal is intended for existing, successful ransomware operators.

Original post from threat actor “vespa” (AKA “wasp” in English), who is selling internal network access to compromised systems owned by an unnamed U.S. financial services company.

Actor Seeks Partner To Provide Ransomware To Their Team Of Insiders

New and untested threat actor “EricJapier”, on the Russian language Deep Web forum exploit[.]in, is seeking a partner to help them carry out ransomware attacks against various companies in France, where they claim to have insiders working. The actor claims that their insiders span different industries, including:

  • Banking
  • Insurance
  • Real estate
  • Automotive

The actor offered to split any funds they earned 50-50 with a partner who could provide them with ransomware. They specified that they would pass the malware along to their insiders, who the actor claims are willing to infect machines within the target companies by walking up to their bosses’ computers and plugging in USB drives loaded with the malware.

Depending on the outcome of their first job together, the actor states that they would be open to a long-term partnership. If successful, the actor indicated that they would turn their attention to companies in Spain and Switzerland.

Original post from threat actor “EricJapier” seeking a partner to provide their team of insiders with ransomware.