The Underground Economist: Volume 3, Issue 8


Welcome back to The Underground Economist: Volume 3, Issue 8, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of May 8th, 2023.

New ATM Jackpotting Malware Comes Preloaded On Physical Card

New and positively trending threat actor “haltrum” advertised a unique new ATM jackpotting malware that comes preloaded on a physical card on the English language Dark Web forum “CryptBB.” A threat actor would insert the malicious card into an ATM like a normal payment card. After the user holds down the 0 and Enter keys simultaneously, the malware eventually forces the ATM to start dispensing cash, allowing the user to empty the funds inside the ATM.

The actor claimed that the malware worked on various ATM machines in the U.S., U.K., and Germany, but they did not disclose which ATM brands or software versions the malware can compromise. The actor charged $20,000 USD for the malware.

ZeroFox researchers assessed that the actor is likely credible because they agreed to use an escrow service, which would require the actor to work with a forum administrator or middleman to complete the transaction.

“haltrum” advertising a unique new ATM jackpotting malware that comes preloaded on a physical card

Multiple Ransomware Projects Advertised On The Dark Web

Multiple threat actors have recently advertised new ransomware-as-a-service (RaaS) projects on the predominantly Russian language Dark Web forum “RAMP.” This shift in threat actor behavior across the criminal underground is significant because the emergence of new RaaS operations would almost certainly lower the barrier to entry for threat actors looking to perform ransomware attacks against corporate targets worldwide.

On April 8, 2023, the moderately credible threat actor “shrinbaba” advertised a new RaaS project, dubbed “CryptNet.” The actor claims the ransomware will not be detected as malicious by most antivirus products. Additional features of the project include:

  • Encrypts files offline
  • Strong encryption (leverages both AES and RSA algorithms)
  • Deletes/disables backups
  • Tracks details about compromised machines
  • Built-in chat function to negotiate with victims

On April 21, 2023, the new and untested threat actor “rtgtgth” advertised an unnamed RaaS project designed to compromise Windows machines. Additional features of this project include:

  • Uses multithreading to optimize performance
  • Strong encryption (leverages both AES and RSA algorithms)
  • Compromises machines across the local area network (LAN)

ZeroFox researchers assess that this sudden spike in ransomware activity will likely continue because new ransomware groups are emerging and enticing would-be affiliates with a large percentage of the profits from any successful ransom payments.

Multiple threat actors advertising new ransomware-as-a-service (RaaS) projects on the predominantly Russian language Dark Web forum “RAMP”

Service Invests In Fraudulent Operations

Well-regarded threat actor “Uroborus Investment” advertised a service to acquire or finance fraudulent operations across the criminal underground on the predominantly Russian language Deep Web forum “WWH-Club.” The actor claims that the service has already invested in more than 300 businesses and also pays for ideas, connections, or opportunities.

The actor’s thread quickly received positive feedback from peers, including the well-regarded and established threat actor “WAH CHING FINANCE,” who claims that the group financed their business.

ZeroFox researchers assess that this is likely a state-sponsored threat actor group because the group has an exorbitant operational budget.

New Botnet Logs Service Dubbed ‘Cosmic Cloud’ Announced

New and untested threat actor “CosmicCloud” announced a new botnet log service, dubbed “Cosmic Cloud,” on the predominantly Russian language Deep Web forum cookie[.]pro. The service adds more than 1,500 new logs per day from target devices worldwide, including but not limited to:

  • Argentina
  • Brazil
  • Canada
  • Europe
  • U.S.

The botnet logs contain compromised account credentials and stolen browser cookies for various services, including:

  • Amazon
  • Facebook
  • Financial institutions, including banks and cryptocurrency exchanges

Prices for the service vary depending on the length of the license, including: 

  • $650 USD for two months
  • $400 USD for one month
  • $150 USD for one week

Original post from threat actor “CosmicCloud” announcing a new botnet logs service dubbed “Cosmic Cloud”

Cyber-Attacks Against Taiwan-Based Targets Alleged

In April 2023, two threat actors announced different cyber-attacks against Taiwan-based targets on the predominantly Russian language Dark Web forum “RAMP.”

The first was on April 6, when the moderately credible threat actor “uetus” announced an alleged data breach impacting an unnamed Taiwanese university. The actor said their team, dubbed “Genesis,” stole 25GB of sensitive data to protest the growing cooperation between Taiwan and NATO. The same actor previously claimed to have breached Samsung because they did not agree with the politics in South Korea. ZeroFox researchers assess that there will likely be additional attacks against Taiwan-based targets because “uetus” claimed that they were planning new campaigns. 

The second occurred on April 22 when the untested threat actor “vars_secc” advertised network access to an unnamed telecommunications company. The actor specified that some of the compromised machines had the personally identifiable information (PII) of customers. ZeroFox researchers highlight that the network access offered by “vars_secc” would be ideal for ransomware gangs because the actor said the buyer would get access to the entire local area network (LAN).

Original posts from threat actors “uetus” and “vars_secc” announcing different cyber-attacks against Taiwan-based targets

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.
