The Underground Economist: Volume 3, Issue 5


Welcome back to The Underground Economist: Volume 3, Issue 5, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of March 13, 2023.

Threat actors share methods to bypass ChatGPT usage restrictions

In February 2023, two well-regarded threat actors shared different methods to bypass ChatGPT usage restrictions on the predominantly Russian language Deep Web forum “XSS.”

One actor, “learner,” shared a method to generate malware using the AI bot. The method involved using different languages to trick the bot into thinking the malicious code would be used for educational purposes only. After several failed attempts, the actor was eventually able to convince the bot to write a Python script that would automatically email the keystrokes of victims to an attacker every ten seconds.

The actor “shuja1337” also shared a method, which involved creating an alter ego for the AI bot that would respond to questions without filtering content. When prompted, the bot’s newly made alter ego provided the actor with previously banned details about how to make a Molotov cocktail. The method was no longer functional in early March 2023.

ZeroFox researchers assess that threat actors will likely continue developing new methods to bypass ChatGPT usage restrictions, since this technology represents a new and emerging attack vector across the criminal underground.

Botnet logs market now selling data from compromised Android devices

In late February 2023, the predominantly Russian language Deep Web automated marketplace “Russian Market” quietly expanded its botnet log offerings to include data from compromised Android devices. This is significant because there have been very few, if any, well-regarded Android botnet log markets on the criminal underground since the S.O.V.A. shop abruptly closed in 2021.

In addition to stolen data from Windows machines, some logs now contain the login credentials and browser cookies associated with a victim’s Android devices. This indicates that “Russian Market” is likely combining compromised data from different types of stealer malware impacting both Windows and Android systems to create a more dynamic product to sell.

A skilled threat actor can likely use this stolen data to imitate a victim’s browser session and user agent to gain unauthorized access to resources, despite most multi-factor authentication defenses or anti-fraud measures.
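The replay scenario described above (a stolen session cookie presented with a copied user agent) is something a defender can look for in web access logs. The following is an added example, not ZeroFox code or tooling; it assumes a constructed pipe-delimited log format and sample lines that are invented here, and it treats a new client IP shortly after the last sighting as a stronger signal than a user-agent change, since a stealer log lets the attacker copy the user agent:

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the post): ts|session_id|client_ip|user_agent|event
# "mfa_ok" marks the request on which the user completed MFA; later
# requests on the same session are expected to come from the same client.
SAMPLE_LOG = """\
2023-03-13T09:00:00|s1|203.0.113.10|Chrome/110 Windows|mfa_ok
2023-03-13T09:05:00|s1|203.0.113.10|Chrome/110 Windows|request
2023-03-13T09:06:30|s1|198.51.100.77|Chrome/110 Windows|request
2023-03-13T10:00:00|s2|203.0.113.10|Chrome/110 Android|mfa_ok
2023-03-13T10:20:00|s2|203.0.113.10|Firefox/109 Linux|request
"""


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, sid, ip, ua, event = line.split("|")
    return datetime.fromisoformat(ts), sid, ip, ua, event


def detect_replay(log_text, travel_window=timedelta(minutes=30)):
    """Return (session_id, reason) tuples for requests that break the client
    binding recorded at MFA login.  A changed user agent is a weak signal
    (an attacker replaying a stealer log can copy it); a different IP seen
    within `travel_window` of the previous request on the same session is
    stronger, because a real user rarely changes networks that fast."""
    last_seen = {}  # sid -> (ts, ip, ua) of the most recent request
    alerts = []
    for line in log_text.splitlines():
        ts, sid, ip, ua, event = parse(line)
        if event == "mfa_ok":
            last_seen[sid] = (ts, ip, ua)  # establish the binding
            continue
        if sid not in last_seen:
            # A session cookie that never passed MFA on this server.
            alerts.append((sid, "request_without_mfa_login"))
            continue
        prev_ts, prev_ip, prev_ua = last_seen[sid]
        if ua != prev_ua:
            alerts.append((sid, "user_agent_changed"))
        if ip != prev_ip and ts - prev_ts < travel_window:
            alerts.append((sid, "new_ip_within_travel_window"))
        last_seen[sid] = (ts, ip, ua)
    return alerts
```

In a real deployment the alert would feed a session revocation or step-up MFA challenge rather than just a list; the example stops at detection.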

Alleged zero-day exploit for vulnerability in Xmind announced

Positively trending threat actor “CINT” advertised an alleged zero-day exploit for a vulnerability in the mind mapping tool, Xmind, on the English language DarkWeb forum “CryptBB.” The alleged exploit uses weaponized documents to trick victims into running a malicious payload, which allows threat actors to remotely execute code on Windows machines with all versions of the software installed. The actor charged $8,000 USD for the exploit. ZeroFox researchers assess the exploit likely came from an insider because the same threat actor also offers a well-regarded corporate espionage service.

Compromised email accounts for 2 different government entities advertised

Untested threat actor “Desec” advertised compromised email accounts for the Ministry of Defense in France and the Public Defender’s Office in Brazil on the predominantly Russian language Deep Web forum “XSS.” A threat actor can likely use these accounts to:
· Gain initial network access to the target entities
· Launch phishing or spam campaigns
· Steal sensitive data

The actor charged $300 USD per def[.]gouv[.]fr account or $100 USD per dpu[.]def[.]br account.

ZeroFox researchers assess the actor is likely credible because they agreed to use an escrow service, which would require them to deal with a forum administrator or middleman to complete the transaction.
