Welcome back to The Underground Economist: Volume 2, Issue 18, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of September 30, 2022.
Multifunctional Exploit Software For Sale
Untested threat actor “killerAV” advertised their new multifunctional exploit software, dubbed “PenTestSoftware,” designed to compromise Windows machines, on the predominantly Russian language Dark Web forum “RAMP.” While it is common for threat actors to leverage commercial penetration testing software, like Cobalt Strike, for their operations, ZeroFox researchers note that this is a rare instance where a threat actor has claimed to independently develop their own tool with similar functionality.
In addition to gaining unauthorized access to target machines, the actor claims the software exploits unnamed vulnerabilities in Windows to escalate privileges. This increases a threat actor’s chances of launching successful attacks with the tool. Additional features of the software include:
- Obfuscates payloads to avoid detection by most antivirus products’ runtime scans
- Delivers payloads via spam modules
- Unlocks password-protected files
- Steals login credentials and additional system information from target machine
- Detects active hosts on network
The actor had three ten-day licenses available for $10,000 USD each.
Despite their lack of reputation on the forum, ZeroFox researchers assess the threat actor to be credible, as they agreed to use the forum’s escrow service, which requires the actor to make a security deposit prior to making a transaction.
Kit Steals NFTs From MetaMask Cryptocurrency Wallets
Untested threat actor “jezabeth” advertised a kit to steal non-fungible tokens (NFTs) from MetaMask cryptocurrency wallets, on the predominantly Russian language Deep Web forum “Exploit”. The kit leverages a custom phishing page that tricks MetaMask users into sending their most expensive NFTs to a threat-actor-owned cryptocurrency wallet. This is done via abuse of the victim’s Seaport signature. The actor claims their tool can steal multiple Ethereum-based NFTs, including:
The asking price for the tool is $10,500 USD (8 ETH). They also agreed to use the forum’s escrow service, indicating the actor is likely to possess what they claim.
The announcement follows a growing trend on the criminal underground where more threat actors are offering custom tools and services that target NFTs. These tokens have become an increasingly popular way to buy and sell products online via cryptocurrency.
Phishing Page Targets Revolut Banking Customers
Well-regarded threat actor “goodrabbit” advertised a phishing page that targets Revolut banking customers on the predominantly Russian language Deep Web forum “XSS”. Interestingly, this page offers administrator access to a web panel, where users can control a victim’s web camera.
This would likely allow threat actors to take photos of their victims, giving them a greater success rate at account verification and at bypassing know your customer (KYC) checks.
Additional features of the phishing page include:
- Steals login credentials
- Collects payment card details
- Intercepts one-time password (OTP) codes
- Detects victim’s country of origin
- Translates data in different languages
- Exports stolen data to MySQL database
The actor is asking $4,150 USD for lifetime access to the phishing page and the administrator panel.
Reverse Proxy Phishing Service Aims To Compromise Google Accounts
Untested threat actor “BabadookServices” advertised a reverse proxy phishing service to compromise Google accounts, on the predominantly Russian language Deep Web forum “XSS”. The actor said the service can steal a victim’s session cookie, allowing threat actors to sidestep further multi-factor authentication prompts by replaying the victim’s active session. The actor claims this is done by utilizing a modified version of the Evilginx framework to perform man-in-the-middle (MITM) attacks.
- During a MITM attack, a reverse proxy sits between the victim and Google.com
- The victim visits the phishing page and enters their Google login credentials and OTP code
- The reverse proxy forwards these requests to Google
- Google returns a valid session cookie to the reverse proxy
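From the service operator’s side, the trace this flow leaves is a session cookie that was issued to one client (the proxy) and is then presented from another (the operator’s own browser). The following is an added example, not code from the original post or from ZeroFox: a detection pass over constructed authentication-log records, where the record layout and field names are assumptions rather than any vendor’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime        # when the event was logged
    user: str
    session_id: str     # opaque identifier of the session cookie
    event: str          # "login" = cookie issued, "request" = cookie presented
    ip: str
    user_agent: str


def find_session_hijacks(events, window=timedelta(hours=1)):
    """Return (user, session_id, severity) for each session cookie presented
    from a client other than the one it was issued to. Severity is 'high'
    when the user agent also differs or the move happens within `window` of
    login (a freshly proxied cookie being replayed), otherwise 'low' (an IP
    change alone can be roaming or a VPN). One finding per session."""
    issued, flagged, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "login":
            issued[ev.session_id] = ev
            continue
        origin = issued.get(ev.session_id)
        if origin is None or origin.ip == ev.ip or ev.session_id in flagged:
            continue  # unknown session, same client, or already reported
        ua_changed = origin.user_agent != ev.user_agent
        fast = ev.ts - origin.ts <= window
        findings.append((ev.user, ev.session_id,
                         "high" if (ua_changed or fast) else "low"))
        flagged.add(ev.session_id)
    return findings


# Constructed sample log (assumed layout); IPs are RFC 5737 documentation ranges.
def _t(h, m):
    return datetime(2022, 9, 30, h, m)

WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/105"
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/104"
SAMPLE_EVENTS = [
    AuthEvent(_t(9, 0), "alice", "sess-A", "login", "203.0.113.10", WIN_CHROME),
    AuthEvent(_t(9, 5), "alice", "sess-A", "request", "203.0.113.10", WIN_CHROME),
    # cookie replayed minutes later from a different host and browser
    AuthEvent(_t(9, 12), "alice", "sess-A", "request", "198.51.100.7", LINUX_FF),
    AuthEvent(_t(9, 20), "alice", "sess-A", "request", "198.51.100.7", LINUX_FF),
    AuthEvent(_t(8, 0), "bob", "sess-B", "login", "192.0.2.44", WIN_CHROME),
    # same browser, new IP hours later: plausibly roaming, low confidence
    AuthEvent(_t(11, 30), "bob", "sess-B", "request", "192.0.2.99", WIN_CHROME),
    AuthEvent(_t(12, 0), "carol", "sess-Z", "request", "192.0.2.5", LINUX_FF),
]

if __name__ == "__main__":
    for user, sid, severity in find_session_hijacks(SAMPLE_EVENTS):
        print(f"{severity.upper()}: {user} session {sid} presented from a new client")
```

Binding the cookie to client attributes at issue time is what makes the replayed session visible; logs that record only the login event and not subsequent cookie use cannot surface it.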
The actor charged approximately $1,150 USD per month to use the service, or $6,000 USD to buy the tool outright.
The actor also offered configuration files (AKA phishlets) for Yahoo, Office 365, and Hotmail for $600 USD each.
For more insights from the ZeroFox Intelligence team, download our new Quarterly Threat Landscape Report.