The Underground Economist: Volume 3, Issue 23

Welcome back to The Underground Economist: Volume 3, Issue 23, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of November 27th, 2023.

Zero-Day Exploit For File Upload Vulnerability In Magento Alleged

On November 13, 2023, the new and untested threat actor “ring-0” advertised an alleged zero-day exploit for a file upload vulnerability in the e-commerce platform Magento Open Source on the predominantly Russian-language Dark Web forum “Exploit.” The exploit would likely allow threat actors to compromise target websites built on 2.4.x releases of Magento by uploading malicious files to those websites to secure remote shell access.

Once this initial foothold has been established, a threat actor could take different post-exploitation actions, including:

  • Steal the personally identifiable information (PII) of customers
  • Pivot across the network
  • Escalate privileges to administrator
  • Install ransomware

The threat actor said there were more than 19,200 target websites that were vulnerable to this exploit, including:

  • 5,972 in the U.S.
  • 3,570 in Germany
  • 1,553 in the U.K.

The actor charged approximately $3.7 million USD (100 BTC) for the exploit.

ZeroFox researchers assess the threat actor is likely credible because they agreed to use the forum’s escrow service. This is significant because it requires the actor to work with a forum administrator or middleman to complete the transaction.

Guide Details How Threat Actors Can Self-Host SMS Phishing And Spam Campaigns

On November 12, 2023, the well-regarded threat actor “Poe” advertised, on the English-language Dark Web forum “Onniforums,” a guide that details how other threat actors can set up the infrastructure to run their own SMS phishing (also known as smishing) or spam campaigns. The guide is designed to walk threat actors through the process of creating scalable, hardware-based systems that they could use to send millions of SMS smishing or spam messages to potential victims each day.

To get started, a threat actor would need: 

  • Windows machine
  • Mobile network access (2G or 3G) 
  • An unspecified hardware device that costs approximately $10 USD

In addition to the guide, a threat actor would receive an undisclosed software package that is required to send the SMS messages. 

The actor charged $50 USD for the guide and the software.  

ZeroFox researchers assess the sale of this guide will likely lead to an increase in SMS phishing and spam campaigns worldwide because it lowers the barrier to entry for threat actors.

English-Speaking Threat Actor Looking For New Team Members For RaaS Project

On November 13, 2023, the untested English-speaking threat actor “Pwnstar” announced on the predominantly Russian-language Dark Web forum “RAMP” that they were looking for new team members to enhance the capabilities of their ransomware-as-a-service (RaaS) project. This is noteworthy because it indicates that more English-speaking threat actors are likely beginning to model their ransomware operations after Russian-speaking threat actors.

  • Most English-speaking threat actors typically sell custom ransomware to individuals, instead of building out teams for RaaS projects like Russian-speaking threat actors.

The actor said they were looking for threat actors with Active Directory (AD) experience who could assist them in the post-exploitation phase of ransomware attacks against profitable target companies. 

  • The actor claims to be the administrator of a new but positively trending ransomware gang that has more than 15,000 subscribers on Telegram. They did not disclose the name of the group.

New team members would get access to the custom ransomware tool leveraged by the gang. The actor claims this tool can encrypt the files of target companies without being detected as malicious by most antivirus products.

ZeroFox researchers assess that this announcement likely indicates traditional English-speaking ransomware operations are evolving, since the threat actor also offered to split a percentage of the profits from any successful ransom payments with team members. This is another practice that has been predominantly tied to Russian-speaking ransomware gangs.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.