Welcome back to The Underground Economist, Volume 2, Issue 7, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of April 29, 2022.
New Service Weaponizes Word Documents Using Remote Template Injection
Untested threat actor, “SandboxEvader”, advertised a new service to weaponize Microsoft Word documents, on the Russian language Deep Web forum xss[.]is. Unlike similar services that leverage malicious macros, the actor claims that their service uses a remote template injection to avoid being detected as malicious by most commercial antivirus products and email filters, including Gmail. According to the actor, this injection method involves using a macro-free .docx file that references remotely hosted .dotm template files containing malware or loader. The actor specified that each weaponized document can be customized to execute a threat actor’s own payload.
The actor charged $125 USD per build. They also claimed to offer discounts on bulk orders.
If the threat actor is legitimate, ZeroFox researchers note that this service could provide threat actors with a new method to gain initial access to systems running Windows, in addition to other malicious purposes.
New Aggregator Site Provides Central Hub For Russian-Related Data Leaks
Well-regarded threat actor and administrator “NSA” advertised a new aggregator website, providing a central hub for threat actors to share Russian-related data leaks, on the English language Dark Web forum “KickAss”. ZeroFox researchers note that unlike most threat actors sharing Russian-related leaks on the underground, the developers of this new site, revenge[.]monster, appear to be native Russian speakers. The site features dozens of leaks of Russian-based IT infrastructure companies that have been shared to different Deep Web forums since the start of the Russia/Ukraine war in late February 2022.
According to “NSA”, the goal of this new site is to deanonymize the Russian Internet (AKA runet) by leaking sensitive data related to Russian-based IT companies, including:
- Third-party food delivery aggregators
- Internet providers
- Social networks
The actor is encouraging any pro-Ukrainian forum members to upload new leaks to the site in support of the project.
Service Leverages Seed Recovery Phrases To Compromise Crypto Wallets
Well-regarded threat actor “SHERIFF” advertised their new service leveraging seed recovery phrases to compromise cryptocurrency wallets on the Russian language Deep Web forum exploit[.]in. The actor claims that customers can provide them with seed phrases to check against cryptocurrency wallets on 45 different blockchains. If the actor is successfully able to rebuild a victim’s crypto wallet by using the seed phrases, the actor claims that they will drain the wallet and split the funds 35-65 with the customer.
The service has already received positive feedback from threat actors on the forum, including the well-regarded and prominent Russian-speaking threat actor “stallman”.
ZeroFox researchers note that a threat actor with the same alias, “Sheriff”, was recently banned from the English language Deep Web forum breached[.]co. This allegedly happened because the actor was outed by the pro-Ukrainian hacktivist group “AgainstTheWest” for claiming that they previously worked for Dmitry Badin (AKA “Dmitriy Makarov”); a suspected member of the Russian hacker group “Fancy Bear” (AKA “APT28”).
New Version of Spectre RAT Advertised
Well-regarded threat actor “DigitalMutant” advertised a new version of the widely popular Spectre remote access trojan (RAT), on the English language Deep Web forum CryptBB[.]com. The malware contains standard features for a RAT, including a file stealer, a loader, and remote control of a victim’s machine via HVNC.
Additional features for this new version of the RAT include:
- Coded from scratch from C++
- Abuses task scheduler to maintain persistence
- Does not contain software dependencies
- Executes malware at startup
- Provides additional statistics for compromised devices
- Does not decrypt strings all at once
- Gathers cookies in JSON and Netscape formats
- Deletes binary after killing malicious process
- Launches hidden command prompt
The actor charged $250 USD per month for the RAT. They also offered a preconfigured command-and-control (C2) server for an additional $50 USD per month.