The Underground Economist: Volume 4, Issue 19
Extortion “Negotiator” Seeks Employment in Dark Web Forum
On November 17, 2024, an actor with the alias “inverter” posted in the Russian-speaking dark web forum RAMP announcing they were seeking employment with a ransomware collective. Inverter, who has an untested reputation in the forum, detailed that they could work as a “negotiator” due to their ability to “understand psychology” and “break through” their victim’s weaknesses.
Less than 24 hours later, the post received a reply from actor “Moneyistime” (who has a positive reputation in the forum) stating that their team would like to work with inverter. Moneyistime did not specify the name of their collective or operation but claimed to represent a team with more than six years of experience.
Instances of ransomware and digital extortion (R&DE) actors seeking individuals to fill a negotiator-type vacancy are rare in deep and dark web (DDW) forums. While negotiation is a key aspect of R&DE attacks from both the attacker's and the victim's perspectives, the process is not typically conducted by a dedicated negotiator. Instead, it is usually handled by a member of the R&DE collective who is proficient in the victim's native language and has researched the victim's industry, likely propensity to pay, and any relevant local legal guidance. There is a roughly even chance that a perceived need for a specialist role reflects anticipated large-scale operations that would result in drawn-out negotiations.
Inverter being contacted almost immediately by an alleged ransomware actor is also very likely indicative of the continued difficulty extortion collectives face in recruiting and vetting trustworthy affiliates. These difficulties have been exemplified by many threat actor posts throughout 2024. Following significant law enforcement (LE) operations earlier in the year, ZeroFox has observed multiple instances of R&DE collectives approaching hiring and affiliation with significantly increased scrutiny.
Allegedly Functional Stripe Accounts Announced for Sale
On November 17, 2024, actor “Verdena77” posted in the dark web forum Exploit, advertising the sale of accounts for the payment processor platform Stripe. Verdena77, who has an untested reputation in the forum, claimed that the accounts are registered to U.S.-based business entities, which were very likely self-registered for purposes of bypassing Stripe’s know-your-customer (KYC) security protocols.
- As with similar online payment processing services, registering a Stripe account requires the provision of details associated with the applying individual and their business. This is often both for the purposes of preventing the platform’s misuse and satisfying regulatory requirements.
Such advertisements are rare in DDW forums, especially compared with other counterfeit-document and verification services. This is primarily due to the high effort required to create numerous illegitimate accounts. Verdena77 did not specify the quantity available or the asking price of the accounts, instead advising interested parties to contact them discreetly.
There is no evidence that Verdena77 or the advertised services are credible, and no feedback is available from buyers at the time of writing. However, if Verdena77’s offerings are legitimate, they will almost certainly be of interest to an array of financially motivated threat actors seeking a method by which to conduct cashout and carding operations. Should an actor be in possession of stolen personally identifiable information (PII) and personal financial information (PFI), an unattributable Stripe account will increase their chances of successfully stealing funds.
New Drainer-as-a-Service Announced in Dark Web Forum
On November 8, 2024, actor "DRA1N" posted in the dark web forum Exploit announcing the launch of a new drainer-as-a-service with seemingly comprehensive features. DRA1N is newly registered to the forum but has already established a positive reputation.
- A drainer-as-a-service is a malicious offering designed to enable the theft of cryptocurrency from user wallets. While their techniques vary, drainer-as-a-service offerings typically employ ready-to-use malicious scripts, phishing kits, and anonymity services and feature some form of technical support. These services can often be rented via either a subscription-based pricing model or payments made to the service provider based upon a proportion of profit.
DRA1N’s service allegedly includes numerous features to assist the user in bypassing cryptowallet security protocols. Some of those highlighted in the advertisement include:
- “Complete transparency”, which likely alludes to the users’ ability to view the tool’s code and to control the operation to some extent. This is likely intended to reassure users of the tool’s effectiveness and potential customization.
- Phishing features, such as the redirecting of victims to a fake domain impersonating their intended destination in order to steal input information, as well as ad-based phishing.
- Unspecified “active bypass methods” designed to bypass anti-fraud and other security measures.
Registrations to DRA1N’s service were reported immediately after the thread’s creation, likely indicating that some specific users were privately notified about its launch. Positive reactions were also quickly observed—including from actors with positive reputations, such as “aptget”.
DRA1N's service cannot be purchased outright; only the option to rent is available. However, rather than paying a monthly subscription fee, users pay a proportion of their profits to the developers. It is very likely that DRA1N and the advertised service are credible and pose a threat to cryptocurrency holders globally. The comprehensive and advanced alleged features of the service are very likely indicative of innovation from increasingly professionalized threat actors, as well as an intent to lower the technical bar for would-be threat actors.
Dark Web Actor Announces Malicious Chrome Extension for Sale
On November 4 and November 5, 2024, untested actor "PatrickDust" (on Exploit) and "patrick_star_dust" (on RAMP) posted in both Russian-speaking dark web forums advertising their new tool for rent, dubbed "iNARi". The tool is allegedly a malicious, multifunctional extension for the Google Chrome web browser that uses Manifest V3, the current Chrome extension platform. The requested price of the tool is USD 5,000 per month, plus a 10 percent profit share to be paid to the developers. This price is notably high and reflects high expectations for iNARi's deployment.
An exhaustive feature list is not provided, but, according to the advertisement, iNARi is designed to redirect unsuspecting Chrome users to malicious domains and to collect sensitive user data such as credentials, email addresses, and session cookies. The tool is also allegedly able to bypass some security controls, including virtual private networks (VPNs), proxy servers, and other anti-fraud mechanisms.
This apparently comprehensive approach reflects a diverse tool which, if legitimate and functioning as advertised, offers the attacker the ability to exploit a large number of Chrome-based threat vectors and can lead to subsequent data theft, network compromise, or malware deployment. Although malicious browser extensions have been available for purchase or rent in DDW forums for a long time, the versatility and apparent sophistication of iNARi appear indicative of threat actor innovation.
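An extension with the capabilities advertised for iNARi (redirecting navigation, harvesting credentials, reading session cookies) has to declare the corresponding permissions in its manifest.json, so installed-extension manifests are a practical place to hunt for it. The following is an added example written for this issue, not ZeroFox tooling and not code from the advertised tool; the two manifests are constructed for illustration, and the profile layout it walks (`Extensions/<id>/<version>/manifest.json`) is Chrome's standard on-disk layout. The "no update_url" check is a heuristic: Web Store installs carry one, unpacked or sideloaded extensions generally do not.

```python
"""Audit Chrome extension manifests for the permission combinations a
credential- and cookie-stealing extension needs. Added example; the sample
manifests below are constructed, not taken from any real extension."""
import json
from pathlib import Path
from typing import Dict, List

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that matter once broad host access is present.
COOKIE_PERMS = {"cookies"}
REQUEST_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "declarativeNetRequestWithHostAccess", "webNavigation"}


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the extension asks for. MV3 lists them in
    host_permissions; MV2 mixed them into permissions; content_scripts.matches
    grant page (DOM) access as well."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(manifest: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing notable."""
    findings = []
    perms = set(manifest.get("permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    cs_broad = any(set(cs.get("matches", [])) & BROAD_HOSTS
                   for cs in manifest.get("content_scripts", []))
    if broad and perms & COOKIE_PERMS:
        findings.append("reads session cookies on every site")
    if broad and perms & REQUEST_PERMS:
        findings.append("observes or redirects navigation on every site")
    if (broad and "scripting" in perms) or cs_broad:
        findings.append("injects scripts into every page (credential capture)")
    if manifest.get("manifest_version") != 3:
        findings.append("not Manifest V3")
    if not manifest.get("update_url"):  # heuristic: Web Store installs carry one
        findings.append("no update_url: likely sideloaded or loaded unpacked")
    return findings


def scan_profile(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each,
    keyed by extension id. Unreadable or malformed manifests are skipped."""
    results: Dict[str, List[str]] = {}
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            findings = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue
        if findings:
            results[mf.parent.parent.name] = findings
    return results


# Constructed sample manifests: a benign note-taking extension and one with the
# capability set described in the advertisement.
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Tab Notes", "version": "1.2",
  "permissions": ["storage", "activeTab"],
  "update_url": "https://clients2.google.com/service/update2/crx"
}""")

SUSPICIOUS = json.loads("""{
  "manifest_version": 3, "name": "Page Helper", "version": "0.9",
  "permissions": ["cookies", "scripting", "declarativeNetRequestWithHostAccess", "webNavigation"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"], "run_at": "document_start"}],
  "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": true, "path": "rules.json"}]}
}""")

if __name__ == "__main__":
    for name, m in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_manifest(m) or ["no findings"])
    # On Windows the default profile lives under
    # %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
    # and on Linux under ~/.config/google-chrome/Default/Extensions.
```

Run `scan_profile()` against each user profile's Extensions directory; an extension that combines broad host access with cookie and navigation permissions and has no Web Store update_url is worth pulling for manual review, since that is the minimum an iNARi-style tool would need.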
ZeroFox Intelligence Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in DDW forums.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
Appendix A: Traffic Light Protocol for Information Dissemination
Appendix B: ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.