The Underground Economist: Volume 2, Issue 3

Welcome back to The Underground Economist, Volume 2, Issue 3, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of March 4, 2022.

War In Ukraine Shifts Landscape Of The Criminal Underground

The ongoing war in Ukraine is challenging longstanding codes of conduct that have governed behaviour in the criminal underground, which is likely to lead to an escalation in information warfare and cyber attacks against competing ideological camps. Like-minded groups are forming camps around those who support Russia, those who support Ukraine, and those who are striving to maintain the code of remaining politically neutral and not attacking a fellow CIS country. 

In late February 2022, untested threat actor “devulz” shared a statement from the Conti ransomware team on the Russian language Deep Web forum “RAMP”. In the statement, the Conti gang came out strongly for Russia, threatening to retaliate against any U.S. cyber-attacks aimed at critical infrastructure in Russia or any other Russian-speaking country. In retaliation, an undisclosed actor leaked private chats and Bitcoin addresses related to Conti.

Conti’s stance has caused a schism amongst Russian-speaking threat actors; well-regarded threat actor “Rehub” argued on the Russian language Deep Web forum xss[.]is that because of the heightened tensions between the U.S. and Russia, that ransomware teams were no longer being pursued by the Russian government. In other extreme cases, researchers observed threat actors make the argument that because of the U.S. sanctions on Russia, ransomware attacks should be legalized and taxed by Russia.

Conversely, threat actors on the new English language Deep Web forum raidforums2[.]com have made it their mission to battle back against Russia. The original “RaidForums” domain was hijacked by undisclosed actors in late February 2022 with rumors abounding the site was turned into a phishing page to harvest user credentials. The newly launched “RaidForums2” domain includes an entire forum section dedicated to fresh leaks of Russian-based targets, successfully compromised by the “Against the West” hacktivist group, which is publishing dozens of leaks daily.

New Tool Facilitates Negotiations Between Ransomware Operators, Victims

Well-regarded threat actor “darksoftware” advertised their new tool to facilitate negotiations between ransomware operators and their victims on the Russian language Deep Web forum exploit[.]in. The appearance of this tool, dubbed “BusinessCallback”, indicates that new ransomware attacks are likely imminent because it is focused on the anonymity of ransomware operators, allowing them to host the application on their own servers. 

The tool provides these threat actors with access to an administrative panel where they can easily add or delete new users and manage contact lists. Victims are given access to a separate web interface where they can securely chat with ransomware operators via Tor if they are willing to negotiate. Additional features of the tool include:

• Sends text messages
• Uploads files
• Displays status of victim (online, typing message)
• Logs victim activity
• Works with systems running Windows and Debian
• Backend written in C++ using Qt5 framework
• Frontend does not contain software dependencies

The actor charged $500 USD to own the tool; they also offered the source code for $1,500.

Cooperation More Likely Between Chinese, Russian Ransomware Actors

Untested threat actor “RTM” advertised their team’s new ransomware-as-a-service (RaaS) project in multiple languages, including Chinese, on the predominantly Russian-speaking Deep Web forum “RAMP”. This suggests that Chinese-speaking threat actors are likely becoming more willing to cooperate with Russian threat actors on matters involving ransomware.  

The actor also shared their post in Russian and English; however, they specified that they were only willing to work with Russian-speaking threat actors. This is significant because it could mark the first time that a state-sponsored, Chinese speaking threat actor has offered their services to the Russian public.

According to the actor, the project is written in C++ and does not contain software dependencies. The ransomware is designed to target:

• VMware EXSi servers
• Systems running Windows
• Network-attached storage (NAS) devices

The untested threat actor “Charodej” replied to the actor’s thread, asking if they translated the English and Russian versions of their post because they both contained grammatical errors. This further adds legitimacy to the assertion that this is a RaaS project coded by Chinese-speaking threat actors.

New Service Creates NFT Projects To Be Used In Fraudulent Operations

Well-regarded threat actor “gustavdore” advertised their service to create non-fungible token (NFT) projects they claim can be used in fraudulent operations on the Russian language Deep Web forum “RAMP”. ZeroFox researchers assess this growing trend could mirror the initial coin offering (ICO) scams that lure victims into investing in fake cryptocurrencies, due to the rise in popularity of NFTs. 

The actor claims their service includes advertising for the fraudulent NFT project, which ZeroFox notes is one of the underlying conditions that would need to be met for the operation to be successful. The actor also claimed they were willing to customize the project based on customer input. There is no indication the actor is creating malicious NFTs; it is more likely their service employs social engineering to steal money from victims.

Prices for the service started at $2,500.