The Underground Economist: Volume 3, Issue 3

Welcome back to The Underground Economist: Volume 3, Issue 3, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of February 6, 2023.

New RaaS Project Dubbed ‘Mallox’ Announced

Untested threat actor “Mallx” announced a new ransomware-as-a-service (RaaS) project, dubbed “Mallox,” on the Russian language Dark Web forum “RAMP.” The actor said they would prefer to work with affiliates who have already established initial network access to companies. Features of the RaaS project include:

  • Written in C++
  • Controlled via web panel
  • Chat functionality to negotiate with victims
  • Leverages strong encryption (ECC and ChaCha20)

The actor offered to split any successful ransom payments 80-20 in their favor, which is typical of most RaaS projects.  

ZeroFox researchers assess that the number of ransomware attacks will likely continue to grow in 2023, given that new RaaS projects such as “Mallox” have already emerged on the criminal underground just weeks into the new year.

Service Develops Custom Cyber-Attack Infrastructure

New and untested threat actor “XORacle” advertised a new service that develops custom cyber-attack infrastructure on the English language Dark Web forum “CryptBB” and the predominantly Russian language Deep Web forums “XSS” and “Exploit.” This is significant because the service would likely lower the barrier to entry for most threat actors, allowing individuals of any skill level to launch more sophisticated attacks, if they can afford it. The actor said they can program multiple tools, including:

  • Custom malware
  • Command and control (C2) panels
  • Phishing pages
  • Automated scripts
  • Malicious web browser extensions
  • Exploits for unpatched vulnerabilities

ZeroFox researchers assess the actor is likely legitimate because several peers have already vouched for the service, noting the actor’s professionalism and their below-market pricing. Additionally, the actor agreed to use an escrow service, which would require them to utilize a forum administrator or middleman to complete any transactions. 

Alleged Data Breaches Impact Various Tech & Financial Services Companies

Untested threat actor “Hyeuene” announced data breaches impacting two large data centers in Southeast Asia on the Russian language Dark Web forum “RAMP.” The alleged datasets contain the personally identifiable information (PII) of more than 2,000 employees from multiple high-profile, undisclosed tech and financial services companies. This is significant because a threat actor can likely use this information to launch spear-phishing attacks or malware campaigns against the target organizations.

Compromised data includes:

  • Full names
  • Phone numbers
  • Email addresses
  • Hashed passwords
  • Employers
  • Job titles
  • ID card numbers   

The actor charged $175,000 USD for the complete datasets.

Automated Telegram Service Offers Botnet Logs For Various Domains

Untested threat actor “omegarequest” advertised a new automated Telegram service, dubbed “Omega BOT REQUEST,” that offers public and private botnet logs for various domains on the predominantly Russian language Deep Web forum “Exploit.” The bot allows threat actors to query a database containing more than 759 million sets of compromised account credentials for different services. After purchase, the bot deletes these records from the database, preventing the resale of credentials. This is notable because most automated botnet log shops on Telegram and similar platforms typically resell email and password combinations from public botnet logs for a limited number of domains, often making it more difficult for threat actors to successfully compromise target accounts. 

There was a flat fee of $25 USD for the service. The actor charged an additional $0.01 to $0.25 per set of credentials, depending on the order quantity.
