The Underground Economist: Volume 2, Issue 2


Welcome back to The Underground Economist, Volume 2, Issue 2, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of February 18, 2022.

Zero-Day Exploit Targets RCE Vulnerability In SonicWall SSL VPN

New and positively trending threat actor “eliotto” advertised, on the Russian language Dark Web forum “RAMP”, what they alleged to be a zero-day exploit for an RCE vulnerability in SonicWall SSL VPN. According to the actor, the exploit allows an unauthenticated user to remotely execute malicious code on any SSL VPN-compatible SonicWall device. The actor is asking $100,000 USD for the exploit.

The same actor gained positive feedback on the forum after listing their first zero-day exploit for Quantum storage devices in January 2022, indicating expertise in this area and a potentially functioning exploit for SonicWall SSL VPN.

ZeroFox researchers note that this is the second SonicWall zero-day exploit advertised in the month of February. The first observation was on February 5, 2022, when untested threat actor “0x_0day” advertised their SonicWall SSL VPN exploit on the Russian language Dark Web forum Exploit. This threat actor charged $15,000 for the exploit but did not provide further details.

New Malware Loader Service Compromises Android Devices Via Google Play

Well-regarded threat actor and known ransomware operator “gustavedore” advertised, on the Russian language Dark Web forum “RAMP”, a service to compromise Android devices via malicious applications hosted on Google Play. Unlike similar services offering malicious applications, the actor claims to provide fully functional infrastructure, including:

  • Domains
  • Servers
  • SSL certificates

The actor also claims to create Google Play Developer accounts to manage and publish malicious applications. Another tactic the actor claims to utilize is seeking out and purchasing pre-existing mobile applications on Google Play to later weaponize.

The malware is controlled from a web panel, where threat actors are provided with different payloads to choose from, including banking trojans and botnet stealers. The panel logs any instance where malware is successfully downloaded or installed to a target Android device.

The actor charged approximately $2,800 USD for their service.

Original post from threat actor “gustavedore” advertising their malware loader service

More Threat Actors Migrating To ‘J-Shop’ To Buy Stolen Payment Card Data

ZeroFox is observing a large migration of threat actors to the carding shop “J-Shop”. The shop is one of the oldest and most trusted marketplaces in the underground for buying stolen payment card data. ZeroFox researchers note that this new surge in activity comes one year after the shutdown of “Joker’s Stash”, which left a void in the carding world that has yet to be filled by a single marketplace.

Since December 2021, ZeroFox researchers have observed at least eight new batches of stolen payment cards uploaded to “J-Shop”. During this time, administrators have briefly halted purchasing on the shop several times so developers could make the necessary backend changes to accommodate the influx of new customers.

In addition to stolen payment cards, “J-Shop” sells the PII of victims from the U.S. The marketplace also features a tool that threat actors can leverage to determine if stolen payment card numbers are valid or not.

A screenshot highlighting some of the most recent activity on “J-Shop”

Threat Actors Take Notice Of Tax Season

More threat actors are harvesting and selling the personal information of victims from the U.S. as the deadline for filing federal tax returns approaches. ZeroFox researchers have observed at least two high-profile cases so far in 2022. In the first, the moderately credible threat actor “AK-74M” advertised, on the Russian language forum xss[.]is, a database that they claim contains the sensitive tax documents of U.S. victims. Compromised data includes:

  • SSNs
  • Dates of birth
  • Bank account numbers
  • Driver’s license numbers
  • Credit reports

The actor is asking $8,000 USD for the database.

Additionally, ZeroFox identified untested threat actor “ciisco”, who is selling administrator access to the internal network of an unspecified U.S. tax company on the Russian language Deep Web forum club2crd[.]cc. Like “AK-74M”, the actor also claims to have access to sensitive tax documents and victim PII.

The actor is asking $5,000 USD for access to the network. They also require escrow to facilitate payment, indicating that they are more likely to have a genuine foothold in the network.
