The Underground Economist: Volume 2, Issue 10

Welcome back to The Underground Economist, Volume 2, Issue 10, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of June 10, 2022.

New Ransomware Project Open To Affiliates

New and untested threat actor “misteryghost” announced a new ransomware-as-a-service (RaaS) project on the Russian-language Dark Web forum “RAMP”. This is the first time since November 2021 that ZeroFox researchers have observed a ransomware group open an affiliate program to the public. The actor dubbed the new program “Luna”, which is said to target machines running different operating systems and hypervisors, including:

  • Windows
  • Unix
  • ESXi

Additional features of the ransomware include:

  • Written in Rust
  • Encrypts files using Advanced Encryption Standard (AES)
  • Most antivirus products do not detect it as malicious 

The actor claims that project developers will also provide affiliates with the necessary infrastructure to carry out ransomware attacks, including cryptocurrency wallets, email addresses, and communication channels.

The actor specified that they are only willing to work with Russian-speaking threat actors. Profits from any successful ransom payments will be split 85/15 in favor of project developers. ZeroFox researchers note this is a drastic shift, as other RaaS affiliates typically earn a larger share of the spoils.

Original post from threat actor “misteryghost” announcing a new ransomware-as-a-service (RaaS) project dubbed “Luna”.

New SMS Spamming Service Announced

New and untested threat actor “BetaGateway” announced a new SMS spamming service, named “Beta Route”, on the Russian-language Deep Web forum exploit[.]in. The service features a web-based GUI where users can easily launch spam campaigns by sending SMS messages to mobile phones in various countries, including:

  • U.S.
  • U.K.
  • Germany
  • Australia

Additional features of the service include:

  • Automatically refills account’s balance
  • Sends fake alerts from financial institutions
  • Test routes for fastest delivery rate
  • Specify routes to prioritize messages

The actor also claims to have leads, or lists containing victim PII, that users can leverage to target specific individuals based on their mobile carrier or geographic region.

ZeroFox researchers assess that this new service is likely to be successful since it streamlines the spamming process, lowering the barrier to entry for threat actors.

Original post from threat actor “BetaGateway” announcing their new SMS spamming service dubbed “Beta Route”.

Threat Actors Warn Against Using Telegram For Fraudulent Operations

In early May 2022, ZeroFox researchers observed two new and untested threat actors, “swift_” and “Silverman”, share a news article on the Deep Web forums “Exploit” and “KickAss”, respectively, indicating that Telegram had recently shared user data with federal authorities in Germany. 

Based on the traction these threads have gained from reputable members of both forums, ZeroFox researchers assess that some threat actors may begin to move away from using Telegram for their fraudulent operations in favor of other secure messaging services, such as Jabber or TOX.  

ZeroFox first observed the threat actor “swift_” warn “Exploit” users against using Telegram for fraudulent operations, opting instead to use Jabber servers hosted in countries allegedly outside of U.S. jurisdiction. These include:

  • China
  • Vietnam
  • Ukraine
  • Switzerland

Threat actor “Silverman” mentioned the previous thread on “KickAss”, echoing the same sentiment against using Telegram for business. The well-regarded threat actor and administrator of the forum, “NSA”, later replied to this thread, claiming that they have always opposed Telegram. 

Original posts from threat actors “swift_” and “Silverman” warning threat actors against using Telegram for fraudulent operations.

Database Containing The PII Of 19 Million U.S. Voters Advertised

The well-regarded and established threat actor “Malbar” advertised a database allegedly containing the PII of 19 million U.S. voters on the Russian-language Deep Web forum “XSS”. The actor claimed to have 60 GB of sensitive data compiled from different, unspecified elections that took place between February 2013 and February 2022. The alleged data includes:

  • Full name
  • Gender
  • Ethnicity
  • Date of birth
  • Physical Address
  • Email address
  • Phone number
  • Voter ID
  • Election ID
  • Voting precinct
  • Voting method
  • Date and time ballot cast
  • Party affiliation

The actor did not specify a price for the database, stating they are open to negotiations. The actor also agreed to use an escrow service, indicating they likely possess said data.

Original post from threat actor “Malbar” advertising a database that allegedly contains the PII of 19 million U.S. voters.  