Welcome back to The Underground Economist: Volume 3, Issue 20, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of October 16th, 2023.
Sensitive Data Related to Israeli Government Agencies Advertised
On October 10, 2023, well-regarded and established threat actor “blackfield” advertised sensitive data related to Israeli government agencies on the predominantly Russian-language Dark Web forum “RAMP.” The actor claimed to have the personally identifiable information (PII) of individuals associated with the Israel Defense Forces (IDF) and the Israel Security Agency (also known as “Shabak” or “Shin Bet”). The allegedly compromised data includes the phone numbers and photos of victims. The actor also claimed to have access to the victims’ social media accounts.
The threat actor publicly agreed to a deal with well-regarded peer and known ransomware gang member “achillesec,” indicating the actor likely sold “achillesec” initial access to target networks for previous ransomware operations.
ZeroFox researchers assess the war between Israel and Hamas will likely lead to an uptick in criminal activity on the Deep and Dark Web because threat actors stand to gain a significant profit from exploiting the conflict.
Threat Actor Discontinues Sales for ‘DarkGate’ Malware
On October 10, 2023, well-regarded and established threat actor “RastalFarEye” announced they would no longer be selling the multifunctional malware “DarkGate” on the predominantly Russian-language Deep Web forum “Exploit.” ZeroFox first reported on the malware, which has loader and remote access trojan (RAT) capabilities, in June 2023. The malware quickly gained momentum on the criminal underground, allowing threat actors to build their own botnets of compromised Windows machines.
The threat actor likely chose to discontinue “DarkGate” sales to ensure the long-term viability of the malware. ZeroFox highlights that limiting the number of instances of “DarkGate” in the wild will likely make it more difficult for researchers to perform further analysis and reverse engineering on the malware.
ZeroFox researchers assess the actor will likely continue to support the malware for pre-existing customers because they previously offered one-year licenses for the malware. The actor released new updates for the malware days prior to the announcement. These recent developments could make future versions of “DarkGate” even harder for commercial antivirus products to detect.
Actor Selling Compromised Email Accounts for Government Entities Worldwide
On October 2, 2023, the untested threat actor “Pwnstar” advertised compromised Office 365 email accounts for various government entities worldwide on the predominantly Russian-language Dark Web forum “RAMP.” A threat actor can likely use these accounts to achieve various goals, such as:
- Obtain sensitive data
- Perform phishing or spam attacks
- Gain initial access to target networks
The actor claimed to have valid .gov email accounts from multiple regions, including:
- Middle East
- South America
The actor charged $300 USD per email account.
ZeroFox researchers assess that threat actors will likely continue to target government email accounts because they can easily obtain compromised login credentials from malware logs and turn a profit by reselling them individually at much higher prices.
Source Code for Google Chrome Malware Loader Alleged
On September 29, 2023, well-regarded threat actor “SocketSilence” advertised the source code for a Google Chrome malware loader on the predominantly Russian-language Deep Web forum “XSS.” The loader allows threat actors to install malicious Chrome extensions on target machines running 64-bit versions of Windows 10 or 11. The generated payloads do not require any interaction from the victims to execute.
Additional features of the loader include:
- Small build size (40 KB)
- Loads malicious extensions from local, threat actor-controlled machines or from URLs
- Payloads will not be detected as malicious by most antivirus products, including SmartScreen and Microsoft Defender
- Malware can maintain access to compromised machines across system restarts
The actor charged $2,700 USD for the source code.
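For defenders, the practical question raised by a loader like this is whether any Chrome profile on a host carries an extension that did not arrive through the Web Store. The following is an added example written for this post, not code from the original article or from the loader it describes. It reads the per-extension metadata Chrome keeps in a profile's Preferences / Secure Preferences JSON (the extensions.settings object, with its location code, from_webstore flag and install path) and flags extensions that were sideloaded, loaded from an absolute on-disk path, or are missing from an organisation allowlist. The location codes follow Chromium's ManifestLocation enum; the profile data, extension IDs and allowlist below are constructed for the example.

```python
"""Audit a Chrome profile's extension settings for sideloaded extensions."""
import json
import re
from typing import Dict, List, Set

# Chromium ManifestLocation values (extensions/common/manifest.h).
LOCATION_NAMES = {
    1: "internal",                 # normal user install from the Web Store
    2: "external_pref",            # external JSON preference file
    3: "external_registry",        # Windows registry entry
    4: "unpacked",                 # "Load unpacked" in developer mode
    5: "component",                # built into Chrome itself
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",             # --load-extension=<dir>
    9: "external_policy",
    10: "external_component",
}
# Locations that bypass the normal Web Store user flow and deserve review.
SIDELOAD_LOCATIONS = {2, 3, 4, 8}
COMPONENT = 5
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")  # C:\..., \\server, /...


def load_preferences(path: str) -> Dict:
    """Load a profile's Preferences or Secure Preferences file (UTF-8 JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_extensions(preferences: Dict, allowlist: Set[str]) -> List[Dict]:
    """Return one finding per extension that is sideloaded, not from the
    Web Store, loaded from an absolute path, or absent from the allowlist.
    Built-in component extensions are exempt from the Web Store and
    allowlist checks because they are never installed from the store."""
    findings = []
    settings = preferences.get("extensions", {}).get("settings", {})
    for ext_id, meta in settings.items():
        loc = meta.get("location")
        reasons = []
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"sideloaded via {LOCATION_NAMES.get(loc, loc)}")
        if meta.get("from_webstore") is False and loc != COMPONENT:
            reasons.append("not from Web Store")
        if ABSOLUTE_PATH.match(meta.get("path", "")):
            # Web Store installs use a relative "<id>\<version>" path under the
            # profile's Extensions folder; an absolute path means an arbitrary
            # directory on disk was loaded.
            reasons.append("absolute on-disk path")
        if ext_id not in allowlist and loc != COMPONENT:
            reasons.append("not on allowlist")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": meta.get("manifest", {}).get("name", "<unknown>"),
                "location": LOCATION_NAMES.get(loc, "unknown"),
                "reasons": reasons,
            })
    return findings


# Constructed sample profile: extension IDs are made up (32 chars, a-p).
SAMPLE_PREFERENCES = {
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {   # constructed Web Store install
            "location": 1, "from_webstore": True,
            "path": "aaaabbbbccccddddeeeeffffgggghhhh\\2.0.13_0",
            "manifest": {"name": "Approved Translator"},
        },
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": {   # constructed built-in component
            "location": COMPONENT, "from_webstore": False, "path": "pdf",
            "manifest": {"name": "PDF Viewer"},
        },
        "abababababababababababababababab": {   # constructed: dropped by a loader
            "location": 8, "from_webstore": False,
            "path": "C:\\Users\\Public\\upd\\ext",
            "manifest": {"name": "Chrome Update Helper"},
        },
    }}
}
SAMPLE_ALLOWLIST = {"aaaabbbbccccddddeeeeffffgggghhhh"}


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES, SAMPLE_ALLOWLIST):
        print(f"{finding['id']} {finding['name']!r} [{finding['location']}]: "
              + "; ".join(finding["reasons"]))
```

In a real sweep, point load_preferences at each profile's Preferences and Secure Preferences files (on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>) and pair the result with a check of browser shortcuts and scheduled tasks for a --load-extension argument, which is what a command_line location implies. Enforcing an allowlist through the ExtensionInstallAllowlist / ExtensionInstallBlocklist policies prevents most of what this script would otherwise only report.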
New Data Breach Search Engine ‘Oni Fail’ Announced
On September 19, 2023, well-regarded threat actor and administrator “DKOTA” announced a new data breach search engine, dubbed “Oni Fail,” on the English-language Dark Web forum “Onniforums.” The search engine allows threat actors to query more than 304,000 sets of compromised account credentials from various data breaches worldwide. A threat actor can likely use these email and password combinations to:
- Perform account takeovers
- Commit fraud
- Gain initial access to target networks
The search engine is currently free to use. This is likely a tactic employed by the administrators to get more threat actors interested in the product while they work to ingest new datasets. ZeroFox highlights the current data holdings for the search engine are notably smaller than competitors like “Illicit Services.”
ZeroFox researchers assess the continued development of “Oni Fail” will likely lead to an increase in cyber-attacks worldwide because threat actors can easily leverage the search engine to obtain the compromised account credentials of victims.
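Both the resale of credentials harvested from malware logs (above, in the Office 365 item) and a breach search engine like “Oni Fail” monetise the same weakness: passwords that are still in use after they have leaked. The standard mitigation is to check passwords against a breach corpus at set-time and on a schedule without ever sending the password, or even its full hash, to the checking service. The following is an added example, not code from the original post or from any breach search engine it mentions; it implements the hash-prefix k-anonymity scheme that Have I Been Pwned's Pwned Passwords range API uses (the client sends the first five hex characters of the password's SHA-1, receives every matching suffix, and finishes the comparison locally). The breach corpus below is constructed for the example; a real deployment would replace build_prefix_index with a query to a real corpus or range service.

```python
"""Breached-password check using SHA-1 prefix k-anonymity."""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Tuple

PREFIX_LEN = 5  # hex characters sent to the server; 20 bits of the 160-bit hash


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the representation used by breach range services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(breached: Iterable[Tuple[str, int]]) -> Dict[str, Dict[str, int]]:
    """Server side: index a corpus of (password, times_seen) as {prefix: {suffix: count}}.
    Only hashes are retained, so the index itself never stores plaintext."""
    index: Dict[str, Dict[str, int]] = defaultdict(dict)
    for password, count in breached:
        h = sha1_hex(password)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = index[h[:PREFIX_LEN]].get(h[PREFIX_LEN:], 0) + count
    return dict(index)


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side: answer a range request. The server learns only the
    prefix, which is shared by every password whose hash starts with it."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly the 5-char hash prefix")
    return dict(index.get(prefix.upper(), {}))


def is_breached(index: Dict[str, Dict[str, int]], password: str) -> Tuple[bool, int]:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns (breached?, number of times the password was seen in the corpus)."""
    h = sha1_hex(password)
    bucket = range_query(index, h[:PREFIX_LEN])
    count = bucket.get(h[PREFIX_LEN:], 0)
    return count > 0, count


def password_accepted(index: Dict[str, Dict[str, int]], password: str,
                      min_length: int = 12) -> Tuple[bool, str]:
    """Set-time policy: reject short passwords and any password seen in a breach,
    which is the screening NIST SP 800-63B recommends instead of composition rules."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    breached, count = is_breached(index, password)
    if breached:
        return False, f"appears in breach corpus ({count} times)"
    return True, "ok"


# Constructed breach corpus for the example (password, times seen).
SAMPLE_CORPUS = [
    ("password", 12345),
    ("Winter2023!", 7),
    ("letmein", 4021),
    ("P@ssw0rd2023", 2),
]
SAMPLE_INDEX = build_prefix_index(SAMPLE_CORPUS)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2023", "Winter2023!", "glacier-vellum-cobalt-37"]:
        accepted, reason = password_accepted(SAMPLE_INDEX, candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The range_query boundary is the point to keep in mind when wiring this to a real service: the client code must only ever transmit the five-character prefix, and the server's reply is the same for every password sharing that prefix, so a compromised or logging server learns nothing that identifies the password being checked.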
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.