The Underground Economist: Volume 2, Issue 5


Welcome back to The Underground Economist, Volume 2, Issue 5, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of April 1, 2022.

Threat Actor Raising Funds For Proposed SS7 Service

New and untested threat actor “cybersec101x” is raising funds on the English language Dark Web marketplace “AlphaBay” for a new service that would potentially provide threat actors with access to a Signaling System No. 7 (SS7) gateway. The advertised service would allow threat actors to control the SS7 signaling protocols that most mobile network operators use to establish wired and wireless phone calls, SMS messages, number translation, and prepaid billing services.

This access could enable different types of fraud, including:

  • SIM-swapping
  • Bypassing multi-factor authentication codes sent via SMS

Although the actor does not currently have access to an SS7 entry point, they are still accepting $5,000 payments to invest in the service. According to the actor, this amount would reserve a one-year license and at least four phones per investor. The actor anticipates their service will launch sometime in the next year.

Based on the actor’s lack of credibility on the marketplace, ZeroFox assesses with moderate confidence that this is a scam intended to defraud would-be investors.

Images from the Dark Web advertisement for access to a Signaling System No. 7 (SS7) gateway. ZeroFox assesses with moderate confidence that this is a scam intended to defraud investors.

‘Breached’ Poised To Replace ‘RaidForums’

In mid-March 2022, well-regarded threat actor and administrator “Pompompurin” launched the fast-growing successor to the English language Deep Web forum “RaidForums”, dubbed “Breached” (AKA “BreachForums”). There have been several attempts to replace “RaidForums” since its closure in late February 2022, including “Darknetworld” and “Raidforums2”. However, none of these forums has caught on as quickly as “Breached”.

Although the actor claims this new forum is not affiliated with “RaidForums” in any way, the two share nearly all the same features. The actor is even offering to restore the accounts of old “RaidForums” users, with their reputation scores intact.

Additionally, the forum features a new ransomware section, where threat actors can share detailed leaks about victims or ransomware gangs. Cyberattacks targeting ransomware teams have become increasingly prevalent on English language Deep and Dark Web forums since the Conti gang announced its support of the Russian invasion of Ukraine in late February 2022.

As a result, ZeroFox researchers note that most of the threat actors who have migrated to “Breached” so far appear to be English speakers with an anti-Russian/pro-Ukrainian stance. This differs somewhat from the more inclusive community associated with the original “RaidForums”.

Screenshot from Dark Web: original post from threat actor “pompompurin” welcoming users to the new “Breached” forum.

Service Automatically Generates Malicious Payloads To Compromise Targets

New and untested threat actor “mk_0” advertised a service on the English language Dark Web forum “CryptBB”, dubbed “R-Network”, that they claim can automatically generate malicious payloads to compromise target machines. The actor claims that the randomly generated payloads allow threat actors to establish a reverse shell connection to their targets without being detected by most antivirus products. Once they have gained this initial access, the actor claims that operators can leverage a simple web interface to manage and remotely execute additional code on compromised machines.

According to the actor, the payloads can be customized to perform a variety of different functions, including:

  • Deliver malware to a specific target machine
  • Prevent the malicious process from being terminated
  • Run malware at startup
  • Hide malware in memory using an alleged zero-day exploit

The actor did not specify a price for the service.


New Leak Of Sensitive Data Targets Indian Government & Military

The well-regarded threat actor and known intelligence broker “spectre123” shared, on the English language Deep Web forum breached[.]co, a link to download a new leak of sensitive data related to the Indian government and military. The actor cited India’s ongoing relationship with Russia and the humanitarian crises in both India and Ukraine as reasons for publishing more than 40 GB of classified data on their website, intelrepository[.]com.

According to the actor, the leaked data contains information from:

  • The joint defense secretary
  • Ministry of Defense
  • Navy

The actor recently returned from a lengthy absence from the underground to disclose leaks related to the Venezuelan Navy, as well as a Russian contractor. The actor expressed anti-Russian/pro-Ukrainian sentiment as their motivation for the leaks, quelling previous rumors that “spectre123” was working with the Russian government.

