The Underground Economist: Volume 4, Issue 15


Malicious Stealer Log Marketplace Advertised for Sale

On July 30, 2024, user “2Easy.Shop”—which is almost certainly synonymous with the official handle of the malicious marketplace 2EasyShop—posted in the dark web forum Exploit, claiming that 2EasyShop, its digital infrastructure, and its domain will be auctioned and sold to the highest bidder. The minimum bid is USD 150,000, bid increments are set at USD 10,000, and the instant purchase price is USD 200,000. While the auction is set to take place in Exploit, it is not known if it will occur publicly.

2EasyShop, described by the poster as a “ready-made, configured, highly profitable business”, is a dark web marketplace that specializes in advertising and selling stealer logs.

  • Stealer logs are compilations of various types of information that has been stolen from devices and networks infected with a strain of malware known as a stealer. Typically, stealer logs are composed of information such as URL login and password combinations, personally identifiable information (PII), personal financial information (PFI), network and system information, and web browser data such as cookies and session tokens.
  • The diversity of information found in stealer logs ensures an ongoing demand from a vast array of cyber threat actors, who leverage it to enable initial network access, enhance social engineering attacks, or conduct fraudulent activities.
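The defender-side use of a recovered stealer log is triage: find the credentials and session cookies that belong to your organization and rotate or revoke them. The script below is an added example, not code from ZeroFox or from any marketplace; it assumes the common `url:login:password` line layout for credentials and Netscape-format tab-separated cookie lines, and all sample data is constructed.

```python
# Added example: triage a stealer-log dump for what a defender must rotate/revoke.
# Assumed layout: one "url:login:password" line per credential and
# Netscape-style tab-separated cookie lines (domain, flag, path, secure,
# expiry, name, value). Sample data below is constructed, not real.
from urllib.parse import urlparse

PASSWORDS_TXT = """\
https://sso.example-corp.com/login:alice@example-corp.com:Spring2024!
https://mail.google.com/:alice.personal@gmail.com:hunter2
https://vpn.example-corp.com/auth:bob:CorrectHorse
"""
COOKIES_TXT = """\
.example-corp.com\tTRUE\t/\tTRUE\t1754000000\tsessionid\tCONSTRUCTED_TOKEN_1
.github.com\tTRUE\t/\tTRUE\t1754000000\tuser_session\tCONSTRUCTED_TOKEN_2
"""

def parse_credentials(text):
    """Yield (host, login) pairs; the password itself is never retained."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split from the right because the URL contains ':' (scheme, port).
        # Caveat: a password containing ':' would need a stricter parser.
        url, login, _password = line.rsplit(":", 2)
        yield urlparse(url).hostname or "", login

def parse_cookies(text):
    """Yield (domain, cookie_name) from Netscape-format cookie lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 7:
            yield fields[0].lstrip("."), fields[5]

def in_scope(host, org_domains):
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)

def triage(passwords_txt, cookies_txt, org_domains):
    """Return accounts to force-rotate and session cookies to revoke."""
    rotate = sorted({login for host, login in parse_credentials(passwords_txt)
                     if in_scope(host, org_domains)})
    revoke = sorted({(d, n) for d, n in parse_cookies(cookies_txt)
                     if in_scope(d, org_domains)})
    return {"rotate": rotate, "revoke": revoke}

if __name__ == "__main__":
    print(triage(PASSWORDS_TXT, COOKIES_TXT, {"example-corp.com"}))
```

Session cookies matter as much as passwords here: a valid `sessionid` bypasses MFA until the server-side session is invalidated, so revocation should not wait for the password reset.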

According to the advertisement, the purchase also includes:

  • A supply of private stealer logs that have not been circulated elsewhere and contact details of over 30 sellers (likely individuals leveraging established malware distribution operations that regularly sell on 2EasyShop);
  • An associated Telegram channel and access to 54 unspecified forums in which to advertise via a 2EasyShop official handle; and
  • A long list of contacts and alluded-to capabilities that are very likely indicative of access to fraudulent services, such as bank accounts created leveraging stolen PII. 

On August 3, 2024, 2Easy.Shop reposted the rules of the auction and claimed that the auction time will be extended by 72 hours. As of August 6, 2024, the thread has received no visible traction and no new announcements have been posted, though it is unknown if conversation or negotiations are taking place by private means.

2EasyShop launched in approximately 2018 and experienced significant initial growth. Despite claims of overly assertive administrative staff and the site generally featuring older and lower quantities of logs than rival sites, the shop quickly became a competitor to other stealer log marketplaces, such as Genesis and Russian Market. The platform is fully automated (meaning customers can create an account, add funds, and make purchases all without interacting with sellers), and a diverse array of information is available due to sellers leveraging a number of different stealers.

However, in recent years 2EasyShop has become associated with frequent and lengthy periods of interrupted service and administrative issues.

  • In Q2 2023, 2EasyShop’s previous domain was hijacked by threat actors who conducted subsequent phishing attacks targeting the platform’s customers, damaging its reputation.
  • In February 2024, 2EasyShop’s administrators claimed to have lost access to customers’ wallets. While no further detail was made available surrounding this issue, it was followed by periods of downtime.

While 2Easy.Shop did not specify a reason for listing the platform for sale on Exploit, it is likely the culmination of a series of errors and issues that resulted in a diminishing reputation and customer base. Other stealer log marketplaces have grown significantly in popularity—notably the recently-launched dark web service Exodus, which quickly drew significant attention.

Given the very likely growing demand among various types of cyber threat actors for the information contained within stealer logs, it is likely that a sale will take place. If the auction fails, there is a roughly even chance that the site will remain closed until a sale occurs, though the asking price may be reduced. Should the platform become non-operational, a number of sellers that primarily use 2EasyShop would very likely move to Russian Market, Genesis, Telegram-based services, or smaller deep and dark web (DDW) marketplaces. 

A successful deal at the asking price would very likely reinvigorate 2EasyShop, resulting in more reliable service, an increased supply of logs, and a higher volume of sales that almost certainly pose a threat to individuals and organizations.

Alleged Drug Enforcement Administration Numbers Advertised for Sale in Latest Snowflake Breach

On July 30, 2024, threat actor “Sp1d3rHunters” posted in the popular hacking forum BreachForums, advertising a data breach that targeted a North America-based pharmaceutical company. The breach allegedly consists of 3 terabytes of information related to “prescribers”, which very likely includes PII such as names and contact details. Sp1d3rHunters also alludes to the breach containing 1.6 million Drug Enforcement Administration (DEA) Registration Numbers.

  • DEA Registration Numbers are unique identifiers assigned under the U.S. Controlled Substances Act (CSA) to certain health care providers (such as doctors, nurses, dentists, and veterinarians) and others whose job duties require prescribing and distributing controlled substances.
  • The Sp1d3rHunters alias was recently changed from “Sp1d3r”, very likely in an attempt to establish the long-suspected connection to the alias “ShinyHunters.”
  • After registering in the DDW forum Exploit on May 30, 2024, the threat actor was responsible for posting several data breaches related to the May 23, 2024, breach of the cloud-based service provider Snowflake. In this most recent post, Sp1d3rHunters alleges the victim is also connected to the Snowflake data breach.

The asking price for the data is USD 3 million, which—due to its exorbitant nature—is almost certainly an extortion attempt to incentivize the victim organization or even the U.S. government to purchase the data. Sp1d3rHunters directly addresses the victim in the post, alluding to the widespread impact that they foresee should the data not be purchased. The threat actor also reinforces this by specifying the breach remediation steps, which they allege would involve a lengthy process of practitioners re-applying for DEA numbers.

The data can also be purchased in smaller quantities for lower prices:

  • USD 10,000 for 10 DEA numbers (USD 1,000 each)
  • USD 25,000 for 50 DEA numbers (USD 500 each)
  • USD 50,000 for 100 DEA numbers (also USD 500 each) 

These offers are almost certainly aimed at other threat actors frequenting BreachForums and also very likely serve the secondary purpose of instilling urgency in the victim organization. While the latter two offers are slightly cheaper, the notable price of each DEA number is very likely reflective of the value and demand that Sp1d3rHunters perceives this information to have within DDW marketplaces.

Despite the U.S. medical sector ensuring numerous failsafes are in place to ensure that controlled substances are protected and accounted for, the acquisition of DEA numbers is likely to be attractive to a variety of financially-motivated threat actors. This information could be used to produce fraudulent prescriptions, either for private use or to supply illicit controlled-substance markets. The PII could also be used to conduct enhanced social engineering attacks against other organizations across the sector or to grant threat actors access to the sensitive systems used by healthcare professionals.

AI-Powered Tool to Target Cryptocurrency Wallets in Development

On July 25, 2024, untested threat actor “Michelangelo” posted in the primarily Russian-speaking dark web forum Exploit advertising a new artificial intelligence (AI)-powered tool designed to facilitate “complex, sophisticated, and large-scale” attacks targeting cryptocurrency wallets. Rather than searching for buyers, Michelangelo appears to be seeking other threat actors able to cooperate in development—particularly those able to integrate the tool into their own projects.

  • A list of features is included in the advertisement, the majority of which are centered around user convenience, flexibility, and the ability to manage and monitor attacks in real time. These include command line and web interfaces, task scheduling, and real-time monitoring and analytics. 
  • Other details specify the tool’s ability to facilitate and enhance password-checking and brute-forcing processes. Among these is the use of machine learning algorithms to conduct AI-enhanced password prediction and automate password spraying leveraging previously-obtained information, as well as the ability to use chosen rules and custom dictionaries. 

The advertisement does not specify exactly how the tool enables attacks or the necessary prerequisites, but it is likely that a threat actor would first need to obtain initial network access. Once established, the tool likely leverages the victim’s hardware resources to conduct password mining and spraying processes, attempting to gain access to local crypto wallets. 

  • The “Passwords” that Michelangelo claims the tool can obtain could relate to those guarding an account, the private keys associated with cryptocurrencies, or the recovery seeds associated with security codes used to perform recovery efforts.
  • However, given the tool’s apparent reliance upon optimized GPU utilization, it is very likely that it seeks to obtain private keys able to grant full access to the cryptocurrency.

Upon gaining access to the victim’s cryptocurrency, the funds can be transferred to a wallet owned by the attacker before various laundering techniques, such as the use of tumblers, obfuscate the funds.

The tool is currently under development, and its completion timeline is not specified. Given its likely need to be deployed to victim networks, Michelangelo’s sought-after collaborators almost certainly include threat actors able to provide initial network access, malware operators able to embed the tool within malicious software (thereby providing a delivery method), or botnet operators who are seeking to exploit large numbers of compromised credentials. It is unknown if the tool will be sold to a single buyer, multiple buyers, or provided as a subscription-based service.

While tools with brute-forcing and password-mining capabilities are not new, this tool allegedly contains innovative features that reflect an appetite among cybercriminals to develop and commercialize malicious techniques able to target the growing cryptocurrency economy.

Project Showcased in Dark Web Competition Leverages AI Automation

On July 23, 2024, positive-reputation, English-speaking actor “Mr_Stuxnot” announced their contribution to a dark web forum video creation contest. The project, posted in the xss forum and dubbed “XSS AGENT”, functions as an “AI-powered autonomous command and control” (C2). XSS AGENT was presented in video format in line with the rules of the competition and was also made available for download.

  • The xss forum holds a number of competitions encouraging actors to develop and showcase insights and share expertise with other interested parties in dark web communities. Contributions are usually either tools that have been developed to conduct malicious activities, proof of concepts (PoCs), or articles seeking to share knowledge related to cyberattack vectors and tactics, techniques, and procedures (TTPs).
  • In April 2024, xss moderators held their eighth iteration of the [// XSSware] competition, which offered a USD 20,000 reward distributed amongst the top seven contestants. Contributions ranged from cryptocurrency/non-fungible token (NFT) drainer kits to stealer malware to brute forcing tools that target virtual private networks (VPNs).

The function of XSS AGENT is to perform malicious post-exploitation tasks after initial network access has been gained. The PoC allegedly demonstrates the integration of AI and large language models (LLMs) with attacker-controlled C2 servers in order to conduct automated exploitation. 

Mr_Stuxnot received criticism from another well-regarded Russian-speaking actor “dunkel”, who expressed doubt as to both the usability of the tool and whether the instructions outlined would conflict with LLM regulations. Mr_Stuxnot defended the project, pointing out that this is a PoC in the early stages of development and that the LLM used (Dolphin 2.9 Llama 3 8b) is uncensored and will not restrict use. As of August 8, 2024, the competition has concluded, though organizers have not revealed results.

XSS AGENT is very unlikely to pose an imminent threat to individuals and organizations, due to it being in the early stages of development and the immaturity of the technology required to create automated tools such as these. However, the intent to create such tools is almost certainly indicative of a general appetite among threat actor communities to harness AI in the ongoing pursuit of attack automation, lowered entry barriers, and circumvention of cyber defense measures.

ZeroFox Intelligence Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege. 
  • Implement network segmentation to separate resources by sensitivity and/or function. 
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently. 
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in DDW forums. 
  • Ensure social media accounts are configured with organic security features, such as phishing-resistant MFA and complex, unique passwords.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.
