The Underground Economist: Volume 2, Issue 14

Welcome back to The Underground Economist: Volume 2, Issue 14, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of August 5, 2022.

Threat Actor Selling Source Code For Ransomware Project

Moderately credible threat actor “udp” advertised the multi-functional malware, dubbed “Light Locker,” that can generate obfuscated payloads and encrypt whole disks on target machines, on the Russian language Dark Web forum “RAMP.” Researchers highlight this uncommon tactic because most ransomware developers offer an affiliate program, which tend to be more lucrative for developers long-term than selling the source code for their projects outright.     

According to the actor, the malware mimics other programs on victim machines and triggers the User Account Control (UAC) to execute payloads with elevated privileges. This increases the likelihood of compromising a target machine, as privileges are escalated without the victim’s knowledge, elevates for a seemingly legitimate program on their machine. 

Additional features of the malware include:

• Works on machines running Windows 7 or 10 (32/64-bit architectures)
• Fast build time (less than 3 minutes) 
• Written with Delphi 10.1 Berlin and WinAPI
• Will not be detected as malicious by UAC or SmartScreen
• Exploits SMB to spread through corporate networks 

The actor charged USD $2,000 for the source code. The actor stated that they plan to sell multiple copies.  

ZeroFox researchers assess that the sale of this project could potentially lead to the proliferation of new ransomware groups, since the actor is selling the malware outright. 

16 Zero-Day Exploits For Vulnerabilities In WooCommerce Plugin Advertised 

New and positively trending threat actor “nixploiter” advertised 16 independent, alleged zero-day exploits for vulnerabilities in a WordPress e-commerce plugin, known as WooCommerce, on the Russian language Deep Web forum “Exploit.” Some of the alleged vulnerabilities include:   

• Stored cross-site scripting (XSS)
• Remote code execution (RCE)
• SQL injection
• PHP file upload
• Arbitrary options update

The actor claims that none of the exploits require administrator privileges to run.

If found to be legitimate, ZeroFox researchers expect a significant increase in cyber-attacks against e-commerce sites built using WordPress in conjunction with WooCommerce. Currently, more than 3.8 million websites are leveraging the plugin worldwide. 

Pricing per exploit starts at USD $1,000.

Actor Shares Method To Create Botnets

New and positively trending threat actor “Nu11B17” (AKA “Nullbit”) shared a method they claim threat actors can use to create their own botnets, on the English language Dark Web forum “CryptBB.” The method involves using compromised student email accounts to register for Shodan accounts, giving threat actors access to the Shodan command-line-interface (CLI). 

Individuals may then leverage the Shodan CLI with the Nuclei scanner templates to scan and identify devices with known security flaws or vulnerabilities. The actor claims that they successfully compromised over 10,000 devices using this method to mine cryptocurrency and perform distributed denial-of-service (DDoS) attacks. 

The actor previously advertised more than 500,000 compromised student email accounts from 15 universities, along with the SQL injection method allegedly used to secure this data.

The actor charged USD $1.50  per student email account, with a minimum of 20 accounts per order.

Uptick in Sale of Initial Access to Italian-Based Companies

On 23 July 2022, ZeroFox researchers observed positively trending threat actor “Insider Inc” announce that they are able to exfiltrate data from several U.S. companies via a network of insiders, on the Deep Web, predominantly Russian language forum WWH-Club. The threat actor did not identify the targeted companies by name but claimed they were “worth attention.” On 1 August 2022, the threat actor updated this thread with a link to a Telegram channel containing more  information about initial accesses. The title of the thread indicates that the actor also possesses insiders in European-based companies but made no reference to this in their posts.

The threat actor presents a unique threat to the alleged entities as they could easily sell exfiltrated data procured from insiders, sell the initial network access to a different threat actor/group to conduct secondary attacks (i.e. Ransomware or Data kidnapping attacks), or conduct other malicious activities.