The Underground Economist: Volume 2, Issue 6

The Underground Economist: Volume 2, Issue 6
4 minute read

Welcome back to The Underground Economist, Volume 2, Issue 6, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of April 15, 2022.

Malware Purported To Disable Antivirus Products On Windows Systems

Untested threat actor “mkdele” advertised malware that they claim will disable different antivirus products on machines running Windows, on the Russian language Deep Web forum xss[.]is. The actor claims the malware works with systems running Windows 7 through 11 (64-bit architecture only) without software dependencies. The actor specified the malware is obfuscated to avoid being detected as malicious by most antivirus products. They also noted that operators need to establish administrator privileges before running the malware on the target machine. Once the code is executed, the actor claims the malware will automatically disable various antivirus products, including:

  • Microsoft Defender
  • Kaspersky
  • Norton
  • Avast
  • BitDefender

After antivirus protection is disabled, the actor claims that operators can freely run malicious payloads on the target machine until the system is rebooted or even after startup, depending on the build of the malware they purchased.

The actor is asking $600 USD for a single build of the malware with persistence until reboot, and $1,300 USD for three builds of the malware that will allegedly maintain persistence after startup.

The actor required escrow for payment, indicating they are more likely to have what they claim.

Service Creates New Cryptocurrencies For Fraud

Untested threat actor “Redon1” advertised their service to create new cryptocurrencies powered by a variety of blockchains on the Russian language Dark Web forum exploit[.]in. Threat actors can use these cryptocurrencies in different fraud schemes. 

One scheme highlighted by the threat actor is to create a new cryptocurrency and widely promote it on multiple platforms to create exaggerated publicity to lure in would-be investors. Once customers have purchased the new coin, the threat actor can blacklist a customer’s crypto wallet. This would prevent the customer from selling or refunding their money, leaving the threat actor with the profits of the sale. The actor indicated a user can specify their own transaction fees allowing them to take larger amounts of money from victims. Although the actor did not specify a price for their service, they said they would split the profits generated from the sales of the new currencies they create.

Despite their lack of credibility on the forum, the actor accepts the use of escrow service for payment, increasing the likelihood that they can create new cryptocurrencies on different blockchains.

Increased Exploits For RCE Vulnerability In Spring Cloud Function

More threat actors are developing exploits for a newly discovered remote execution code (RCE) vulnerability in the Spring Cloud Function by VMware. ZeroFox anticipates this could lead to a potential increase in attacks carried out against cloud services that use the widely deployed Spring Cloud Framework.

In early April 2022, ZeroFox researchers observed the untested actor “WhiteRabbit” looking for proof-of-concepts (POCs) to exploit this vulnerability, tracked as CVE 2022-22963, on the English language Dark Web forum “KickAss”. 

The vulnerability allows threat actors to remotely execute code on affected servers by creating malicious HTTP header requests. Affected versions of the Spring Cloud Function include:

  • 3.1.6
  • 3.2.2
  • Older, unsupported versions

The well-regarded threat actor and administrator “NSA” quickly replied to the actor’s original post, sharing different exploits that are already publicly available for the vulnerability. ZeroFox researchers have observed other threat actors sharing additional POCs in response to similarly interested threat actors.

See ZeroFox in action