Welcome back to The Underground Economist: Volume 2, Issue 13, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of July 22, 2022.
New Automated Phishing Service Advertised
New and untested threat actor “evilproxy” advertised an automated phishing service on the Russian language Deep Web forum xss[.]is. This service lowers the barrier of entry, offering access to more than a dozen prebuilt phishing pages targeting various companies, including:
According to the actor, these phishing pages collect a victim’s login credentials and web browser cookies. Additional features of the service include:
- Leverages stolen data to create unique user browser fingerprints
- Avoids detection by verifying visitors are not browsing from a virtual machines or headless devices
- Controls web traffic to sites by allowing or denying specific visitors access
- Manages proxies and domains
- Notifies users via Telegram
Prices for the service vary depending on the length of the license, including:
- $400 USD for one-month
- $250 USD for 20 days
- $150 USD for 10 days
New Web Browser Facilitates Fraud
New and untested threat actor “BriTchest” advertised a new web browser that facilitates fraud by enabling users to create and manage multiple accounts for various services (multi-accounting), on the Russian and English language forum club2crd[.]su. The actor claims this new browser, dubbed “Ultimate Orb”, utilizes real browser fingerprints to avoid detection by anti-fraud systems that most websites have in place. This differs from traditional anti-detect browsers, like “Che Browser”, that create new, unique browser fingerprints, which are known to sometimes fail anti-fraud evasion.
According to the actor, this new browser can divide user workspaces, or tab groups, into virtual desktops with customizable profiles and configuration settings.
In addition to multi-accounting, the actor claims that users can leverage this browser to:
- Compromise systems
- Perform spam campaigns
- Mask IP addresses
There are various licenses available for the browser, ranging from $24 USD for one-day to $2,800 USD for three-years. The actor also offers a free version of the browser that limits the total number of profiles per user.
Threat Actor Plans Attacks Against Clients Of Unspecified Managed Service Provider
Untested threat actor “Beeper” is seeking a partner to coordinate a large-scale cyber-attack against the clients of an unspecified managed service provider (MSP) on the Russian language Deep Web forum exploit[.]in. The actor claims to have access to the MSP’s administrative panel, where they currently manage resources for more than 50 different U.S.-based companies located in approximately the same time zone. These resources allegedly include more than 100 VMware instances and 1,000 servers that almost certainly contain sensitive data.
The actor claims they need a partner to launch the attacks simultaneously, due to the large number of vulnerable systems. The actor also specified that they wish to take a more favorable share of the profits, since they conducted most of the planning for the attacks on their own.
Despite their lack of reputation on the forum, ZeroFox researchers assess this actor is likely credible, as they have deposited more than $11,000 USD (0.5 BTC) into the forum’s escrow service, indicating the threat actor has funds available to broker a deal with other actors.
Source Code For Malware Intended For Government Use Advertised
New and untested threat actor “oDmC3oJrrSuZLhp” advertised the source code for malware they claim was originally intended to aide governments in the fight against terrorism, on the Russian language Deep Web forum xss[.]is. The actor claims they stole the source code from a company named “Intellexa”, that was allegedly hired to develop a lawful intercept project, dubbed “Nova Platform”, by an undisclosed government.
Like the NSO Group’s “Pegasus” spyware, the actor claims this malware can compromise devices running all versions of iOS or Android with the click of a malicious link by victims. Once the malware is installed, the actor alleges that operators can access sensitive data on the device, including:
- Call log
- Login credentials
- Web browser cookies
Additionally, the actor stated that the malware establishes persistence, and will continue running even after a compromised device is rebooted. The actor said they are willing to sell the source code to state-sponsored threat actor groups, including those in China or North Korea, for $50,000,000 USD.
Although the threat actor’s post has garnered significant attention from other members of the forum, their credibility is difficult to determine, due to another, banned threat actor that previously advertised the same source code on another Russian language forum, exploit[.]in.