Underground Economist Volume 3 Issue 9
More Russian-Speaking Threat Actors Offering Deals That Impact Chinese Targets
ZeroFox researchers have observed a growing number of Russian-speaking threat actors offering deals that impact Chinese targets on the predominantly Russian language Deep Web forum “RAMP.” This goes against the notion that many Russian and Chinese language threat actors work in cooperation with each other on the criminal underground.
In late April 2023, untested threat actor “ChinaDan” announced a data breach containing the personally identifiable information (PII) of 630 million Chinese citizens. Compromised data includes:
- Full name
- National ID number
- Phone number
- Physical address
- Date of birth
ZeroFox researchers highlight this is likely the most substantial data breach impacting a Chinese target since threat actors leaked more than 23TB of sensitive data from the Shanghai National Police in 2022.
In early May 2023, new and untested threat actor “dayone31337_blardo” advertised network access to the Chinese telecommunications company China Telecom. The actor claims to have administrator privileges to the target’s internal network, which would be ideal for ransomware gangs. The actor specified the company generates approximately $57.7 billion USD (400 billion CNY) in revenue.
ZeroFox researchers assess the actor is likely credible because they agreed to use an escrow service, which would require them to work with a forum administrator or middleman to complete the transaction.
Original screenshots from threat actors “ChinaDan” and “dayone31337_blardo” offering deals that impact Chinese targets
Newly Developed Stealer Malware Announced
New and untested threat actor “Mystic Stealer” announced a newly developed stealer malware, dubbed “Mystic Stealer,” on the Russian language Deep Web forum “WWH-Club.” Notably, the actor claims the malware can change its own code (polymorphism) to avoid detection by most antivirus products. Additional advertised features of the malware include:
- Works on most machines that run Windows (both 32-bit and 64-bit architecture versions)
- Written in C and Python
- Small build size (200 KB to 250 KB)
- Runs in memory
Like most stealers, the malware collects sensitive data from a victim’s web browser, including:
- Login credentials
- Browser cookies
- Payment cards
- Cryptocurrency wallet data
- Additional system information
ZeroFox researchers assess this new stealer malware is likely to succeed because it has already received positive feedback from peers, including the well-regarded and established threat actor “kyky12.”
Original screenshots from threat actor “Mystic Stealer” announcing a newly developed stealer malware dubbed “Mystic Stealer”
New Data Breach Search Engine Advertised
Untested threat actor “mennemmen007” advertised a new data breach search engine, dubbed “Illicit Services,” on the predominantly Russian language Deep Web forum “Exploit.” The search engine allows threat actors to query more than 13 billion records that contain the sensitive data of victims, including:
- Full names
- Email addresses
- Phone numbers
- Physical addresses
- License plate numbers
- Birth years
- Vehicle identification numbers (VINs)
ZeroFox researchers assess this new search engine almost certainly leverages stolen data from the “Intelligence X” search engine and data archive because the “Illicit Services” administrator shared alleged emails between the Intelligence X founder, Peter Kleissner, and a bug bounty hunter who was angry because they never received payment for disclosing a vulnerability in the Intelligence X platform.
It is highly likely the bug bounty hunter exploited the vulnerability they discovered to steal data from the Intelligence X platform and use it to create their own, free data breach search engine to spite Kleissner.
Original post from threat actor “mennemmen007” advertising a new data breach search engine dubbed “Illicit Services”
Service That Compromises Cryptocurrency Wallets Gaining Momentum
A service that aims to compromise various cryptocurrency wallets is gaining momentum on the predominantly Russian language Deep Web forum “Exploit.”
In early May 2023, new and positively trending threat actor “MarkoP0lo” claimed they successfully used the service to pocket more than $7,500 USD (4.214 ETH) from a victim’s cryptocurrency wallet. This is significant because the service now has a chance to corner the market, since there are only a few trusted vendors that compromise cryptocurrency wallets.
The well-regarded and established threat actor “hash_attack” first announced the service in late January 2023. The announcement was initially met with skepticism from peers.
ZeroFox researchers assess the positive feedback will likely attract new threat actors to use the service because they can receive up to 75 percent of the stolen funds from a victim’s wallet.