The Underground Economist: Volume 1, Issue 5
Welcome back to The Underground Economist, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of December 8th, 2021.
New “HellB0rn” Ransomware Emerges On The Dark Web
In early November 2021, threat actor “Reduction” announced their new, fast-growing ransomware variant dubbed “HellB0rn”, on the English language Dark Web forum known as “CryptBB”. The actor claimed that the ransomware prevented infected machines from running certain Windows versions with Secure Boot disabled. The malware achieves this by loading malware into memory at startup. The malware immediately forces the infected machine to reboot, encrypting all the files on the drive, then displays a ransom note. The actor charged $125 USD for a full version of the ransomware, including:
- 32-bit and 64-bit executable files
- Decryption key
- Free product updates for one month
- Technical support
ZeroFox researchers note that the new ransomware quickly gained positive feedback on the forum “CryptBB”, including praise from highly reputable threat actors.
New Background Check Service Could Lead To More Doxing Attacks
New and untested threat actor “osintguy” is advertising their on-demand background check service on the English language Dark Web marketplace “AlphaBay”. To start an investigation, the actor requires the full name and geolocation of a target. The actor claimed to have experience using various open-source tools to identify sensitive information, including:
- Phone numbers
- Email addresses
- Current and past street addresses
- Social media accounts
- Leaked passwords
- Vehicle records
- Relatives and associates
The actor is charging $100 USD per background check, and agreed to use the marketplace’s escrow service, increasing the likelihood that the service is legitimate. The actor also offers a full refund to customers if they were not able to locate any information on the target. ZeroFox researchers assess that such a service could lead to an increase in doxing attacks and social engineering campaigns against targeted victims.
FishEye (AKA Bassterlord) Retires
Threat actor FishEye (previously operating under the moniker “Bassterlord”) announced their retirement from the underground on 13 November 2021, on the Deep Web forum XSS[.]is. The actor is notorious in the criminal underground, especially for their work in the compromised network access broker space, with several high-profile access deals and attacks against high value U.S.-based organizations, in 2020. In the wake of these access deals the actor received multiple interviews from cybersecurity researchers, and acknowledged publicly that they were in cooperation with four different ransomware gangs.
In early 2021, the threat actor (under the name “Bassterlord”) was criticized by threat actor peers for drawing unwanted attention, which ultimately forced the name change to “FishEye". In February 2021, the actor’s compromised network posts completely disappeared and their primary forum activity consisted of posting on general topics. The last notable action by “FishEye” was their publication of the “Blackhat pentesting guide” which was acquired and reported by ZeroFox in the beginning of September 2021.
ZeroFox assesses that the actor’s retirement is likely related to news of arrests of key ransomware actors and the general pressure against ransomware operations by law enforcement, which saw new highs, after multiple attacks against U.S.-based entities in the Spring of 2021. The actor claims that their departure is not provoked by the crackdown on Ukrainian/Russian ransomware gangs, but rather by the fact that they have already earned enough financial compensation. Due to the fact that LDNR (Luhansk and Donetsk People's Republic)-based actors have shown that their motivations to attack U.S. entities are ideological and not purely financial, it is unlikely that the actor would stop unless threatened with consequences for his actions.
Increase In Sophisticated Phishing-as-a-Service Posts
ZeroFox researchers have been tracking an increased number of posts advertising sophisticated and professional Phishing-as-a-Service (PaaS) in the underground forums and marketplaces. ZeroFox highlights the most recent observation of this in yet another announcement on a well-regarded Russian forum by threat actor “continued”. The service had offers several features including:
- Blocks bots from visiting the phishing page
- Visitor tracking
- User IP blocking
- Mitigate the chances they are taken down
This finding may indicate further evidence that phishing attacks will become more numerous and sophisticated in the near future.
About the Writers of The Underground Economist: The ZeroFox Dark Ops Team
ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.