Welcome back to The Underground Economist: Volume 3, Issue 6, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of March 27, 2023.
New stealer malware announced
In late February 2023, well-regarded and established threat actor “arv6” announced a new stealer malware dubbed “IM’BETTER” on the predominantly Russian language Deep Web forum “XSS.” Unlike other stealers, this new malware provides threat actors with real-time updates from compromised machines, including new login credentials, browser cookies, or payment cards. Previously, this feature was only available to paying customers on the Deep Web autoshop “Genesis Market.”
The price for the malware varies depending on the length of the license, including:
· $550 USD for three-months
· $380 USD for two-months
· $190 USD for one-month
ZeroFox researchers assess it is highly likely this new stealer malware will draw interest from threat actors because of its unique capabilities.
Script highlights Telegram’s rise to prominence across the criminal underground
In early March 2023, untested threat actor “DeadlyData” shared a script, dubbed the “Telegram Terminator,” that can automatically report Telegram channels/groups on the predominantly Russian language Deep Web forum “Exploit.”
The availability of this script highlights the increasing popularity of Telegram among threat actors, as various cyber criminals continue to migrate their operations to the platform from traditional Deep and Dark Web sources. This is likely because Telegram provides threat actors with greater autonomy, anonymity, and automation.
Although Telegram is typically slow to take down reported channels or groups, a threat actor can likely use this “Telegram Terminator” script to sabotage competitors by affixing a scam label to their stores or services.
ZeroFox researchers assess that Telegram will almost certainly continue its rise to prominence across the criminal underground, especially since more Deep and Dark Web sources are now requiring the use of multi-factor authentication or escrow services, which can be off-putting to would-be scammers or fraudsters.
Automated Telegram service determines if stolen payment cards are valid
In late February 2023, new and untested threat actor “2CHECK” advertised an automated Telegram service that determines if stolen payment cards are valid on the predominantly Russian language Deep Web forum “Exploit.” The service can check various payment card data, including CVV codes and physical addresses. If a card is valid, the service will return the associated bank identification numbers (BINs).
Additional features of the service include:
· Checks data in .txt documents, regardless of file format
· Places an authorization hold (AKA pre-auth) on cards to avoid detection
by most anti-fraud systems
· Checks stolen payment cards against data holdings from different Deep
and Dark Web card shops
ZeroFox researchers assess this service is likely to facilitate new carding operations because it streamlines the process for threat actors looking to cash out funds from stolen payment cards.
Well-regarded threat actor & data broker steps away from popular deep web forum
In March 2023, well-regarded threat actor and established data broker “IntelBroker” banned their own account on the English language Deep Web forum “Breached.” Prior to this self-imposed ban, “IntelBroker, had become one of the most active and influential users on the forum, even spearheading their own threat actor group comprised of multiple well-regarded peers.
The actor had recently announced a new service to compromise accounts with hashed passwords in bulk. They were also known for leaking the sensitive data of mostly U.S.-based targets, running their own ransomware project, dubbed “Endurance,” and compromising corporate networks for paying customers.
ZeroFox researchers assess the actor is likely trying to keep a low-profile because the forum administrator previously banned their alternate account, “thekilob.”