The Underground Economist: Volume 3, Issue 15


Welcome back to The Underground Economist: Volume 3, Issue 15, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of August 7th, 2023.

Exploit For Vulnerability In Foxit PDF Reader Alleged

Well-regarded and established threat actor “johndoe7” advertised a privately developed exploit for an unpatched vulnerability in Foxit PDF Reader, tracked as CVE-2023-27363, on the predominantly Russian-language Deep Web forum “XSS.” The alleged exploit allows threat actors to remotely execute code on target machines that have the free, China-based PDF reader installed; the victim only needs to be tricked into opening a malicious PDF file. Once a machine has been compromised, the operator can leverage the post-exploitation toolkit Cobalt Strike to maintain access and launch further attacks.

ZeroFox researchers assess this exploit likely poses a significant security risk to Foxit PDF Reader users because multiple well-regarded threat actors have already expressed their interest in obtaining the exploit.

New Tool Aims To Compromise Corporate Networks

Moderately credible threat actor “Arken66612” announced a new tool designed to compromise corporate networks, dubbed “Mega Checker,” on the predominantly Russian-language Deep Web forum “Exploit.” The tool checks whether business email and password combinations are valid against a wide range of remote-access services, including:

  • Citrix
  • Remote Desktop Web (RDWeb)
  • Various VPNs, including GlobalProtect
  • Outlook on the Web (OWA)

Prices for the tool vary depending on the license, including:

  • $6,000 USD for a lifetime license
  • $2,500 USD for a three-month license
  • $1,000 USD for a one-month license

ZeroFox researchers assess this tool will likely lead to an increase in ransomware attacks, since it lowers the barrier to entry for ransomware operators looking to gain initial network access to target companies.

New AI Model Writes Malware For Threat Actors

New and untested threat actor group “XXXGPT” announced, on the predominantly Russian-language Deep Web forum “XSS,” a new AI model, also dubbed “XXXGPT,” that can allegedly write malicious code. The AI model allows threat actors using the Poe chatbot service to generate different types of malware, including:

  • Botnet malware
  • Remote access trojans (RATs)
  • Stealer malware
  • POS/ATM malware

The group charged $90 USD per month to use the AI model.

ZeroFox researchers assess there is a possibility that “XXXGPT” becomes the AI model of choice for threat actors, because unlike ChatGPT it has no restrictions that deter users from generating malicious code.

New Stolen Payment Cards Shop In The Works

In late July 2023, the new and untested threat actor “Authorize” announced, on the predominantly Russian-language Deep Web forum “Exploit,” a new marketplace, also dubbed “Authorize,” that plans to sell stolen payment cards. This new marketplace will likely try to compete with “BidenCash,” one of the largest underground carding markets. This is significant because the primary domain for “BidenCash” has recently had availability issues, which could help “Authorize” position itself as a more reliable alternative.

The new marketplace was in the process of recruiting sellers. The store required a minimum supply of 50 stolen payment cards per vendor.

The store will provide support in multiple languages, indicating the administrators likely expect business from Russian-, English-, and Chinese-speaking threat actors.

Prices for the stolen payment cards will vary depending on their location. There was no launch date for the new marketplace.

ZeroFox researchers assess the actor is likely credible because they have deposited a significant amount of funds into the escrow services of three separate underground communities: “Exploit,” “XSS,” and “Verified.”

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources by engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.