Welcome back to The Underground Economist: Volume 3, Issue 17, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of September 4th, 2023.
Actor Seeking Peers To Exfiltrate Sensitive Data From Target Websites
On August 24, 2023, the untested threat actor “wgdx2023” was seeking peers to compromise and exfiltrate sensitive data from target websites on the predominantly Russian language Dark Web forum “RAMP.” ZeroFox highlights that the actor is likely part of a ransomware group looking for affiliates who can provide them with initial network access to targets, because the forum is one of the largest underground communities for ransomware operators.
The group wants affiliates to steal databases containing the compromised account credentials of registered users of the websites. Ransomware operators can likely use these compromised credentials to bypass access controls within the target networks, making their efforts harder to detect. Once they have a foothold, the operators can likely move laterally through a network, escalate their privileges and deploy ransomware on the target systems.
ZeroFox researchers assess the actor’s post likely indicates a shift in the tactics used by some ransomware gangs to compromise target networks because many groups typically leverage remote access tools like Cobalt Strike to gain initial network access to targets. This is likely because there are more security misconfigurations for threat actors to exploit in websites and SQL databases than other attack vectors.
New Vulnerability Scanner Dubbed ‘D3check’ Announced
On August 18, 2023, the moderately credible threat actor “flugz” announced a new vulnerability scanner dubbed “D3check” on the predominantly Russian language Deep Web forum “XSS.” The scanner’s features would allow a threat actor to automate the reconnaissance phase of a cyber-attack, including:
- Enumerates all subdomains associated with a website
- Lists the various technologies/software a website is built with
- Searches for known vulnerabilities and exploits in software
- Indexes the data from websites
ZeroFox researchers assess the sale of this scanner will likely lead to an increase in cyber-attacks worldwide because it streamlines the information gathering process for threat actors looking to gain initial network access to targets.
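The first feature on that list, subdomain enumeration, leaves a signature a defender can look for with the same knowledge: brute-forcing names under a zone produces a burst of NXDOMAIN answers for many distinct hostnames from one client in a short window, which ordinary users and typos do not. The Python below is an added example written for this post, not the scanner itself or any ZeroFox tooling. The resolver log lines are constructed, the "zone is the last two labels" heuristic ignores public suffixes such as co.uk, and the 60-second window and 8-name threshold are assumptions to tune against your own resolver traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log excerpt (not from the page). Format per line:
# "<ISO timestamp> <client IP> <queried name> <response code>"
SAMPLE_DNS_LOG = """\
2023-09-04T10:00:01 10.0.0.5 www.example.com NOERROR
2023-09-04T10:00:02 203.0.113.9 mail.example.com NOERROR
2023-09-04T10:00:02 203.0.113.9 vpn.example.com NXDOMAIN
2023-09-04T10:00:03 203.0.113.9 dev.example.com NXDOMAIN
2023-09-04T10:00:04 203.0.113.9 staging.example.com NXDOMAIN
2023-09-04T10:00:05 10.0.0.5 wwww.example.com NXDOMAIN
2023-09-04T10:00:05 203.0.113.9 test.example.com NXDOMAIN
2023-09-04T10:00:06 203.0.113.9 admin.example.com NXDOMAIN
2023-09-04T10:00:08 203.0.113.9 api.example.com NXDOMAIN
2023-09-04T10:00:09 203.0.113.9 git.example.com NXDOMAIN
2023-09-04T10:00:11 203.0.113.9 jenkins.example.com NXDOMAIN
2023-09-04T10:00:12 203.0.113.9 intranet.example.com NXDOMAIN
2023-09-04T10:00:14 203.0.113.9 backup.example.com NXDOMAIN
2023-09-04T10:03:00 10.0.0.5 exampel.com NXDOMAIN
2023-09-04T10:03:01 10.0.0.5 www.example.com NOERROR
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname):
    """Registrable zone, approximated as the last two labels.
    Assumption: no public-suffix handling (co.uk-style zones would need it)."""
    return ".".join(qname.split(".")[-2:])


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=8):
    """Return one alert per (client, zone) whose count of distinct NXDOMAIN
    names inside any sliding window of `window` reaches `threshold`."""
    hits = defaultdict(list)  # (client, zone) -> [(timestamp, qname), ...]
    for line in log_text.strip().splitlines():
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            hits[(client, zone_of(qname))].append((ts, qname))

    alerts = []
    for (client, zone), events in hits.items():
        events.sort()
        peak = 0
        # Treat every event as the end of a window and count distinct names in it.
        for end_ts, _ in events:
            distinct = {q for ts, q in events if end_ts - window < ts <= end_ts}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts.append({"client": client, "zone": zone, "distinct_nxdomain": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_DNS_LOG):
        print(alert)
```

Counting distinct names rather than raw NXDOMAIN volume matters: a misconfigured host re-querying the same missing record thousands of times looks nothing like enumeration, and this check ignores it. On the sample, 203.0.113.9 trips the threshold with 10 distinct missing names under example.com in twelve seconds, while the two stray typos from 10.0.0.5 do not.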
Web Hosting Service Keeps Phishing Pages Active Longer
On August 16, 2023, the well-regarded threat actor “SmartPhish” announced a web hosting service for phishing pages on the predominantly Russian language Deep Web forum “Exploit.” The actor claims the service can keep most phishing pages active for approximately 20 to 30 days. Most antivirus products typically detect malicious activity on phishing pages within hours, so a 20- to 30-day window would drastically increase the lifespan of a phishing page.
Additional features of the service include:
- Phishing pages use SSL by default
- Domains can be changed
- Leverages anti-bots, including Cloudflare and reCAPTCHA, to avoid detection
The service costs $60 USD per month to host a single phishing page.
ZeroFox researchers assess this service will likely prolong the length of certain phishing campaigns because the actor said that phishing pages leveraging the service would not be detected as malicious as quickly by Google Safe Browsing as others without it.
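Two of the listed features, SSL by default and the ability to change domains, mean every fresh phishing domain gets a publicly trusted certificate, and publicly trusted certificates are recorded in certificate transparency logs. That gives defenders a feed of new hostnames to screen for brand impersonation independent of whether the page itself is hidden behind anti-bot gating. The Python below is an added example written for this post, not code from the actor or from ZeroFox. The hostnames are a constructed list in the style of such a feed, "example.com" is a placeholder for your own brand domain, and the homoglyph table, the "last two labels" zone rule and the one-edit typosquat threshold are assumptions to adjust.

```python
# Constructed list of hostnames in the style of a newly issued certificate feed
# (not from the page); BRAND_DOMAIN is a placeholder for the defended brand.
BRAND_DOMAIN = "example.com"
SAMPLE_HOSTNAMES = [
    "www.example.com",
    "login.examp1e.com",
    "example.net",
    "exampl.com",
    "example.com.account-verify.net",
    "secure-example-login.net",
    "sample.com",
    "unrelated.org",
]

# Characters commonly swapped for look-alikes. Multi-character entries come
# first so that "rn" collapses to "m" before the single characters are handled.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold common look-alike characters back to the letters they imitate."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn, brand=BRAND_DOMAIN):
    """Return a reason string if `fqdn` looks like it impersonates `brand`, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # assumption: last two labels, no public-suffix list
    if registrable == brand:
        return None  # the brand's own zone
    brand_label = brand.split(".")[0]
    reg_label = normalize(labels[-2])
    if reg_label == brand_label:
        return "brand-label-match"  # homoglyph (examp1e.com) or TLD swap (example.net)
    if levenshtein(reg_label, brand_label) <= 1:
        return "typosquat"  # one edit away (exampl.com)
    if any(brand_label in part for label in labels for part in label.split("-")):
        return "brand-in-name"  # brand embedded in a label or in a subdomain
    return None


def scan_feed(hostnames, brand=BRAND_DOMAIN):
    """Map each flagged hostname to the reason it was flagged."""
    flagged = {}
    for host in hostnames:
        reason = classify(host, brand)
        if reason:
            flagged[host] = reason
    return flagged


if __name__ == "__main__":
    for host, reason in scan_feed(SAMPLE_HOSTNAMES).items():
        print(f"{host:35} {reason}")
```

The three rules are deliberately ordered from most to least specific, and the edit-distance threshold is kept at one edit: raising it to two would also catch transpositions such as "exampel", but it starts flagging unrelated words like "sample" for a seven-letter brand, so in practice the threshold should scale with the brand label's length.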
Source Code For Ransomware Tool Dubbed ‘Lolicrypt’ For Sale
On August 15, 2023, the well-regarded threat actor and administrator “dkota” was selling the source code for the Lolicrypt ransomware on the English language Dark Web forum “Onniforums.” The actor claims the ransomware will not be detected by most antivirus products or endpoint detection and response (EDR) solutions. Additional features of the ransomware include:
- Works on systems running most versions of Windows and Linux
- Fast encryption using the ChaCha20 algorithm
- Only encrypts parts of files to increase speed and evasion
- Does not contact command-and-control (C2) server
- Does not modify Windows Registry keys
- Does not require administrator privileges to run
The actor charged $1,000 USD for the source code.
ZeroFox researchers assess the sale of this source code will likely lead to an increase in ransomware operations because it lowers the barrier to entry for threat actors looking to encrypt files on target systems. Additionally, a skilled threat actor can likely modify the source code to add new ransomware capabilities.
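Three of the claimed features (no C2 contact, no registry changes, no administrator privileges) remove the network, persistence and privilege-escalation signals a detection team would normally lean on, which leaves file-level behaviour as the main place to look. Partial encryption complicates even that: a file whose first chunk is untouched keeps its magic bytes and, measured as a whole, may never cross the entropy threshold a "fully encrypted" check expects. The Python below is an added example written for this post, not Lolicrypt's code or any ZeroFox tooling, and it performs no encryption at all: seeded random bytes stand in for ciphertext inside constructed samples. The 4096-byte chunk size and the 7.5-bits-per-byte threshold are assumptions; it shows why entropy should be measured per chunk rather than per file when intermittent encryption is in play.

```python
import math
import random

CHUNK_SIZE = 4096     # assumption: block size to measure entropy over
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, chunk_size=CHUNK_SIZE):
    """Entropy of each consecutive `chunk_size` slice of `data`."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def assess_file(data, chunk_size=CHUNK_SIZE, high=HIGH_ENTROPY):
    """Compare a whole-file entropy verdict with a per-chunk verdict for the same bytes."""
    chunks = chunk_entropies(data, chunk_size)
    whole = shannon_entropy(data)
    hot = sum(1 for e in chunks if e >= high)
    return {
        "whole_entropy": round(whole, 2),
        "max_chunk_entropy": round(max(chunks), 2) if chunks else 0.0,
        "high_entropy_chunks": hot,
        "total_chunks": len(chunks),
        "whole_file_flagged": whole >= high,   # what a file-level threshold would say
        "chunk_flagged": hot > 0,              # what a chunk-level threshold would say
    }


# --- constructed samples (not real files; nothing here is encrypted) ---
_rng = random.Random(1234)
TEXT_CHUNK = (b"Quarterly report: revenue grew while costs stayed flat. " * 100)[:CHUNK_SIZE]


def _noise():
    """Seeded random bytes standing in for a ciphertext block."""
    return bytes(_rng.randrange(256) for _ in range(CHUNK_SIZE))


CLEAN_SAMPLE = TEXT_CHUNK * 16
FULLY_ENCRYPTED_SAMPLE = b"".join(_noise() for _ in range(16))
# Intermittent pattern: every fourth chunk replaced, the header chunk left intact.
INTERMITTENT_SAMPLE = b"".join(_noise() if i % 4 == 1 else TEXT_CHUNK for i in range(16))


if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_SAMPLE),
                         ("intermittent", INTERMITTENT_SAMPLE),
                         ("fully encrypted", FULLY_ENCRYPTED_SAMPLE)]:
        print(name, assess_file(sample))
```

On the intermittent sample the whole-file entropy lands well under the threshold while four of sixteen chunks sit near 8 bits, so the file-level verdict is "clean" and the chunk-level verdict is "suspicious". In production this check is one input among several: legitimately compressed or encrypted formats (archives, media, encrypted containers) also produce high-entropy chunks, so it is most useful when paired with the write pattern, such as one process touching many files of unrelated types in quick succession.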
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.