The Underground Economist: Volume 3, Issue 10

New Multi-Functional Malware With Botnet & Stealer Capabilities Announced

Untested threat actor “dkota” announced a new multi-functional malware with botnet and stealer capabilities, dubbed “Hydra,” on the English language Dark Web forum “CryptBB.” The malware can automatically change its source code to avoid detection by most antivirus products. Additional features of the malware include:

• Uses the IP addresses of compromised machines as residential proxies
• Hides malicious files in Windows Registry
• Encrypts traffic
• Automatically compromises connected devices
• Leverages first compromised machine as command-and-control (C2) server

The malware can also steal sensitive data from a victim’s web browser, including:

• Login credentials
• Browser cookies
• Payment card details

In addition to the malware, the actor offered to encrypt an unlimited number of malicious payloads for customers. Buyers would also receive a guide, detailing how they can use the malware to create their own botnets. 

The actor charged $500 USD for the malware.

Original screenshot from threat actor “dkota” announcing new multi-functional malware with botnet and stealer capabilities dubbed “Hydra”

Automated Smishing Tool Advertised

New and untested threat actor “evilphish” advertised an automated smishing tool, dubbed “Smisher,” on the predominantly Russian language Deep Web forum “XSS.” The tool allows threat actors to send customized SMS phishing messages to target phone numbers worldwide. The actor specified the tool is connected via API to various cloud-based communication platforms, including:

• TrueDialog
• Twilio
• ClickSend
• Vonage
• Nexmo
• SmsGlobal

Additional features of the tool include:

• Spoofs numbers to make messages appear as if they are coming from a different sender
• Automatically translates messages into multiple languages
• Sends messages in bulk
• Schedules messages in intervals

ZeroFox researchers assess the tool is likely to gain momentum on the criminal underground because it is virtually certain to lower the barrier to entry for threat actors looking to perform smishing attacks.

Original screenshots from threat actor “evilphish” advertising an automated smishing tool dubbed “Smisher” 

Trusted Network Access Broker Operating On English Language Forum

Well-regarded and established threat actor “HeXsploit” advertised network access to various companies worldwide on the English language Dark Web forum “Onniforums.” 

Researchers highlight that this is a shift in a known paradigm where the trusted network access brokers usually operate on the Russian-speaking underground forums.

The actor claims to have administrator access and access to LocalService accounts that threat actors can exploit to gain administrator privileges to the internal networks of multiple companies, including:

• A law school based in the U.K.
• A U.S. ball bearing manufacturer

Prices for the access vary depending on the size of the target companies, including:

• $2,000 USD for more than 20,000 sets of credentials associated with large businesses
• $800 USD for more than 3,000 sets of credentials associated with medium businesses
• $500 USD for more than 500 sets of credentials associated with small businesses

ZeroFox researchers assess that any deals involving these network accesses will likely lead to an increase in ransomware attacks, since the actor said they originally planned to use the accesses for own ransomware operations.

Original post from threat actor “HeXsploit” advertising network access to various companies worldwide on the English language Dark Web forum “Onniforums”

Course Teaches Threat Actors How To Steal Sensitive Data From Target Companies

Well-regarded and established threat actor “omerta” advertised a course that teaches threat actors how to steal sensitive data from target companies on the predominantly Russian language Deep Web forum “XSS.” The actor said they would teach three students their private method to exfiltrate stolen data. They specified the course requires Linux, indicating the actor would likely be teaching the students how to operate an undisclosed tool. The course only takes one day to complete. 

ZeroFox researchers assess the actor is likely using the course to train their own threat actor group, since they claimed to have jobs for students stealing sensitive data from target companies upon successful completion of the course.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.