The Underground Economist: Volume 2, Issue 8

5 minute read

Welcome back to The Underground Economist, Volume 2, Issue 8, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of May 13, 2022.

New Service Trains Threat Actors To Spread Malware Via Google & Facebook Ads

New and untested threat actor “Clarks” advertised a new service to train threat actors on their method to target and compromise machines, to spread malware via malicious advertisements, on the English language Dark Web forum “CryptBB”. This method primarily leverages ads on Google and Facebook to spread malware instead of phishing emails. 

The actor offers two different versions of the service: one that comes with all the kits a threat actor will need to deploy this method, and another that does not. The full kit includes:

  • Stealer malware (with at least a two-month license)
  • Remote desktop protocols (RDPs) and virtual private servers (VPS)
  • Hosting services
  • Domains
  • SSL certificates

There is also an optional course module focused on compromising U.K.-based businesses and bank accounts.

Additionally, the actor claims to have a private tool to manually obfuscate malware; however, this was only available by contacting the actor directly. ZeroFox researchers note this is likely done to ensure that buyers will continue to use the tools provided to them by the actor following the completion of the course. 

The actor charged $1,000 USD for the version of the service with the kits, and $300 USD for the version without. The actor claims their team will assist students until they successfully compromise or steal a combined 1,000 machines/logs by using their method. 

Original post from threat actor “Clarks” advertising course to spread malware via Google and Facebook ads.

Threat Actor Selling Payment Gateways To Cash Out Stolen Payment Cards

New and untested threat actor “whitestein” is selling access to U.S.-based payment gateways that purportedly allow individuals to cash out funds from stolen payment cards, on the Russian language Deep Web forum xss[.]is. The actor claims that they leverage an unspecified merchant account service provider to configure both online and physical payment gateways. According to the actor, they successfully leveraged these gateways to generate more than $50,000 USD in unauthorized charges with compromised payment cards. The actor specified that it takes approximately 48 hours for individuals to receive the stolen funds from transactions that are processed by the gateways.

The actor charged $1,500 USD for access to a payment gateway. It is not clear how many gateways are available.

ZeroFox researchers highlight that they are unable to accurately discern the threat actor’s credibility given the lack of reference information. However, their proposed method still represents a viable option for threat actors to employ due to the large quantity of stolen payment cards available on the underground economy.

New Underground Marketplace Specializes In Sale Of Stolen Payment Cards

In late April 2022, new and untested threat actor “BidenCash” announced an emerging underground marketplace that specializes in the sale of stolen payment cards on the Russian language Deep Web forum xss[.]is. The actor claims their new shop, dubbed “BidenCash”, already has more than 2.5 million stolen payment cards available. ZeroFox researchers assess this marketplace fills a need because threat actors are still looking for a viable option to replace the now-defunct “Joker’s Stash”. According to the actor, they plan to address this gap in the underground economy by providing threat actors with a convenient and reliable source of stolen payment cards.

Features of the new shop include:

  • Quickly replenishes cards
  • Supports pre-ordering and automatic buying
  • Multi-factor authentication
  • GPG account recovery
  • Compiles sales statistics for card suppliers
  • Instantly refunds orders

ZeroFox researchers will continue to monitor the growth of this new marketplace, as “BidenCash” is actively looking for stolen payment card suppliers. 

Service Disguises Malware As Different File Types

New and positively trending threat actor “QuantumSoftware” advertised their file extension spoofing service to disguise malware as other file types, on the English language Dark Web forum “CryptBB”. The actor claims that most commercial antivirus software will not detect their spoofed LNK files as malicious, including Windows SmartScreen. The actor specified that customers must obfuscate their own payloads. 

Other features of the service include:

● Spoofs any file extension

● Maintains persistence

● Hides payloads after running

● Defines where malware is located on target machine

According to the actor, the spoofed files can execute multiple payloads with administrator rights by triggering the User Account Control (UAC). This increases the likelihood of compromising a target machine, compared to other traditional weaponized documents, because the malware mimics another program that prompts the victim for administrator rights.  

Prices for the service vary depending on the length of the license, including:

● $1,577 USD (€1,500 EUR) for one-year

● $945 USD (€899 EUR) for six-months

● $373 USD (€355 EUR) for two-months

● $199 USD (€189 EUR) for one-month

Original post from threat actor “QuantumSoftware” advertising service to disguise malware as different file types.
See ZeroFox in action