The Underground Economist: Volume 2, Issue 11

Welcome back to The Underground Economist, Volume 2, Issue 11, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of June 24, 2022.

Service To Obtain Legitimate EV Certificates For Threat Actors Advertised

New and untested threat actor “DragonLah” advertised their service to obtain legitimate extended validation (EV) certificates for threat actors on the Russian-language Dark Web forum “RAMP”. EV certificates make malicious websites look more trustworthy to visitors and therefore pose a risk when leveraged by threat actors. The actor claims that they can obtain the certificates from some of the top Certificate Authorities (CAs), including:

  • SSL.com
  • DigiCert
  • GlobalSign
  • Certum
  • Comodo

The actor further specified that they will deliver the certificates via:

  • USB
  • RDP
  • HSM (including Azure Key Vault and AWS CloudHSM)

Prices for the EV certificates start at $4,500 USD. The actor also agreed to use an escrow service, indicating a higher likelihood of a successful transaction with buyers. 

If this threat proves legitimate, ZeroFox researchers assess that it could pose a major security risk to the public, increasing the chances of successful phishing or malware distribution campaigns.

Original post from threat actor “DragonLah” advertising their service to obtain legitimate EV certificates for threat actors.

New Deep Web Marketplace Sells PII Of U.S. Business Owners

ZeroFox researchers recently identified a new English-language Deep Web automated marketplace, dubbed “BlackBet”, specializing in the sale of personally identifiable information (PII). Unlike similar shops, this new marketplace offers comprehensive sets of PII related to U.S. business owners. Compromised data includes:

  • Owner’s full name
  • SSN
  • Date of birth
  • Articles about the business
  • Images of driver’s license
  • Background check
  • Credit report

The shop has approximately 40 sets of PII related to different business owners available. Prices for these datasets range from $10 USD to $20 USD, depending on the information included. 

Since the full information of U.S. citizens is highly sought after by threat actors, ZeroFox researchers believe that the emergence of this new marketplace could lead to an increase in identity theft or loan and relief fraud. 

A screenshot of the new English-language Deep Web automated marketplace, dubbed “BlackBet”.

Malware Loader Runs On Windows Machines

New and positively trending threat actor “lucrostm” advertised their malware loader, which runs on Windows machines, on the English-language Deep Web forum cryptbb[.]com. The actor claims that the loader abuses living-off-the-land binaries (LOLBins), legitimate binaries already present on the system, to achieve and maintain persistence. According to the actor, the loader allows operators to download and execute additional payloads on compromised machines while evading most antivirus products.

Additional features of this loader include:

  • Will not run in a virtual machine (VM) or debugger to avoid analysis and reverse engineering
  • Built on serverless architecture, making attribution more difficult

Prices for the loader vary, depending on the length of the license, including:

  • $360 USD for lifetime
  • $30 USD for one month

The actor also said they were willing to negotiate a price for the source code, with offers starting at $880 USD.

Original post from threat actor “lucrostm” advertising their malware loader that runs on Windows machines.

Actor Claims Access To Two Different Critical Infrastructure Systems In Europe

New and untested threat actor “CycloneOrg” advertised access to the internal networks of two different critical infrastructure systems in Europe, on the English-language Deep Web forum cryptbb[.]com. The actor claims to have access to administrator panels for both a dam in Italy and an aqueduct in Sweden.

The actor claimed that individuals with access to the dam would be able to operate industrial control systems, including the ability to open floodgates.

The actor further claimed that individuals with access to the aqueduct would have capabilities to control the water temperature, manipulate chemical compounds in the water, and tamper with alarms. 

ZeroFox cannot rule out the possibility that this is a scam due to the actor’s lack of credibility on the forum. Our researchers note that SCADA systems were often targeted by ransomware gangs in 2021, but most of these were located in the U.S.

Original post from threat actor “CycloneOrg” advertising access to the internal networks of two different critical infrastructure systems in Europe.