The Underground Economist: Volume 3, Issue 7

5 minute read

Welcome back to The Underground Economist: Volume 3, Issue 7, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of April 10th, 2023.

Source code for ‘Pegasus’ spyware alleged 

New and untested threat actor “DeanonClub” advertised what they claim is the source code for the mobile surveillance spyware “Pegasus” on the predominantly Russian language Deep Web forum “Exploit.” The Israeli company NSO Group develops and sells the spyware as a cyber weapon to various government agencies worldwide.“Pegasus” can compromise mobile devices running most versions of iOS or Android without the target having to execute the payload. Once installed, operators can leverage the spyware to secretly monitor a target’s: 

· Text messages and emails 

· App usage 

· Location data 

· Microphone/camera 

ZeroFox researchers assess a deal involving this source code would likely lead to further abuse of the “Pegasus” spyware, since there have already been controversial cases where government agencies have used the spyware to target individuals, including journalists and human rights activists. It is highly likely that any potential buyers would also have the capability and intent to create new spyware variants because the actor said they would only sell the spyware to state-sponsored threat actors. The actor named a price of $200,000 USD for the source code. 

Original post from threat actor “DeanonClub” selling the alleged source code for the mobile surveillance spyware “Pegasus”

New code sharing service for malware developers announced

New and positively trending threat actor “el84” announced a new code sharing service for malware developers on the predominantly Russian language Dark Web forum “RAMP.” The service allows threat actors to share, review, or revise the source code for malicious projects with their peers.

The actor has published two repositories since launching the service in early March 2023, including a command and control (C2) server and a licensed copy of the penetration testing framework Cobalt Strike.

ZeroFox researchers assess this new service has a chance to fill the void left behind by the now-defunct code sharing site git[.]rip. Threat actors would often collaborate on malware projects together and leak source code from various corporate targets on this now defunct site.

Call spoofing service, encrypted SIM cards advertised

New and untested threat actor “SinisteR_lol” advertised a call spoofing service, dubbed “SPOOF.TODAY,” and encrypted SIM cards on the predominantly Russian language Deep Web forum “Exploit.” The service can make phone calls appear as if they are coming from different
numbers worldwide. This is done by abusing the Session Initiation Protocol (SIP), which is a signaling protocol used in many voice, video, and messaging applications.

Additional features of the service include:
· Does not collect user data
· Can log into SIP server from multiple clients, including

The actor was also planning to launch an affiliate program, where threat actors would receive a percentage of the profits from any successful scams utilizing the service. The actor charged approximately $191 USD (155 GBP) to use the service for life. They also offered encrypted SIM
cards for an extra $308 USD (250 GBP) each.

Internet privacy service likely run by Russian insiders

Untested threat actor “I_Deleter” advertised an Internet privacy service, dubbed “IDeleter,” on the predominantly Russian language Deep Web forum “WWH-Club.” ZeroFox researchers assess this service is likely run by insiders who work for the Russian government because the service leverages the resources of the Russian censorship agency (Roskomnadzor) to perform various actions.

The service can remove personal information or negative sentiment from a wide range of sources, including:
· Search engines (Google and Yandex)
· Social media platforms (VK and Odnoklassniki)
· News sites (Kommersant, Izvestia, RBC)
· Blogs (VC[.]ru and LiveJournal)

Additionally, the service can block, delete, or seize:
· Websites
· SIM cards
· Social media accounts/groups
· Telegram channels

Prices for the service vary from $200 USD to $20,000 USD, depending on the action.

Original post from threat actor “I_Deleter” advertising an Internet privacy service dubbed “IDeleter”

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.

CTA for Hitchhiker's Guide to the Dark Web

See ZeroFox in action