The Underground Economist: Volume 3, Issue 13


Welcome back to The Underground Economist: Volume 3, Issue 13, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of July 10th, 2023.

‘Genesis Market’ For Sale

On June 28, 2023, the well-regarded automated botnet log marketplace “Genesis Market” was advertised for sale by the threat actor group “GenesisStore” on the predominantly Russian language Deep Web forum “Exploit.” A buyer would receive the entire database, source code, scripts, and possibly the server infrastructure. The threat actor group did not disclose further details publicly, opting instead for interested customers to contact them via TOX.

A threat actor who purchased this marketplace would have an advantage over similar automated stores offering botnet logs or compromised account credentials. “Genesis Market” keeps its logs current, so even if a victim changes their password, a buyer still receives the updated password in real time.

  • The reason for the sale is unclear. However, it is likely influenced to a certain degree by the FBI and international authorities seizing the primary Deep Web domain for “Genesis Market,” genesis[.]market, in early April 2023. Despite this, the Dark Web domain remains functional. 

ZeroFox researchers assess a deal involving “Genesis Market” is likely imminent because the thread has garnered interest from various well-regarded peers.

Original screenshots from threat actor “GenesisStore” announcing the automated marketplace “Genesis Market” is now for sale

Tool Aims To Compromise Corporate Networks

Well-regarded and established threat actor “Kotiki” advertised a tool designed to compromise corporate networks on the predominantly Russian language Deep Web forum “XSS.” The tool can determine if email and password combinations are associated with various remote services, including:

  • Remote Desktop Web Access (RD Web)
  • Citrix
  • Pulse Secure
  • Fortinet
  • Palo Alto
  • Cisco
  • Active Directory Federation Services (ADFS)

Prices for the tool vary depending on the length of the license, including:

  • $3,000 USD for a lifetime license
  • $1,200 USD for three months
  • $600 USD for one month

ZeroFox researchers assess this tool will likely lead to an increase in ransomware attacks because operators typically abuse remote services, like VPNs or remote desktop, to gain initial network access to target companies.
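The capability advertised above, checking email and password pairs against several remote-access front ends, leaves a recognisable footprint on the defender's side: one source address touching many distinct accounts across several portals within a short window, sometimes with a success among the failures. The Python below is an added example, not ZeroFox's code and not the advertised tool; it runs that detection over a constructed authentication log sample. The log format, field names, window length and account threshold are assumptions.

```python
"""Flag credential-validation sweeps against remote-access portals.

Added example (not ZeroFox's code): a source that tries many distinct
accounts against RD Web, ADFS, VPN gateways and similar services inside a
short window is reported, and any SUCCESS within that sweep marks the
finding high severity. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp service src user result" format.
SAMPLE_LOG = """\
2023-07-10T08:00:01Z rdweb 203.0.113.7 alice@corp.example FAIL
2023-07-10T08:00:03Z rdweb 203.0.113.7 bob@corp.example FAIL
2023-07-10T08:00:05Z adfs 203.0.113.7 carol@corp.example FAIL
2023-07-10T08:00:07Z adfs 203.0.113.7 dave@corp.example FAIL
2023-07-10T08:00:09Z vpn 203.0.113.7 erin@corp.example SUCCESS
2023-07-10T08:00:11Z vpn 203.0.113.7 frank@corp.example FAIL
2023-07-10T08:05:00Z rdweb 198.51.100.9 alice@corp.example FAIL
2023-07-10T08:05:30Z rdweb 198.51.100.9 alice@corp.example SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, service, src, user, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service,
            "src": src,
            "user": user,
            "result": result,
        })
    return events


def detect_sweeps(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: finding} for sources that touch at least `min_accounts`
    distinct accounts within any `window`-long span of their own events.
    The finding reports the widest such span seen for that source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["user"] for e in span}
            if len(accounts) < min_accounts:
                continue
            if best is None or len(accounts) > best["accounts"]:
                valid = sorted({e["user"] for e in span if e["result"] == "SUCCESS"})
                best = {
                    "accounts": len(accounts),
                    "services": sorted({e["service"] for e in span}),
                    "valid_credentials": valid,
                    "severity": "high" if valid else "medium",
                }
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in detect_sweeps(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

A single account failing repeatedly from one address (the second source in the sample) is ordinary user behaviour and is not flagged; the signal is breadth of accounts per source, and a success inside that breadth is the case that warrants an immediate password reset and session revocation for the account concerned.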

Original screenshot from threat actor “Kotiki” advertising a tool designed to compromise corporate networks

New Doxing Service Advertised

New and positively trending threat actor “2738549032” advertised a service to gather publicly available information about a target (AKA doxing) on the English language Dark Web forum “Onniforums.” A threat actor could likely use this service to publicly shame or humiliate individuals, which could help them promote an agenda, such as gaining a competitive advantage over other fraudulent business owners.

The service researches a target using various sources, including:

  • Social media
  • Public databases
  • Previously published material

The actor charged $50 USD per report. 

ZeroFox researchers assess there is a possibility the actor can corner the market because professional doxing services are rarely offered on the criminal underground, and previously observed ones did not yield high-quality results.

Actor Looking For Donations For Data Leaks Website ‘Intel Repository’

Well-regarded threat actor and established data broker “spectre123” announced an opportunity to donate funds to their data leaks website, “Intel Repository,” on the predominantly Russian language Deep Web forum “Exploit.” The website, which has been sporadically online since 2018, typically leaks sensitive data related to governments, including the U.S. The actor tried to migrate their operations to Telegram in 2022 but failed.

The intelrepository[.]com website was most recently active in July 2023. The site had two unique datasets impacting the U.S. military, including one 200MB file from 2023 that allegedly contains confidential and proprietary information from various U.S. defense contractors, such as Raytheon. The actor charged $10,000 USD for the complete dataset. 

ZeroFox researchers assess the actor will likely continue to ramp up operations if they secure funding for the website because they have indicated that their goal is to grow the project in scope like WikiLeaks.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.
