The Underground Economist: Volume 4, Issue 4
Welcome back to The Underground Economist: Volume 4, Issue 4, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.
The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of February 15, 2024.
New Tax Fraud Scheme Leveraging Employer Identification Numbers
On February 11, 2024, well-regarded Russian-speaking threat actor “Journalist” posted on the Russian-speaking community “Coockie Pro” a method of using the legitimate gocardless[.]com service to identify corporate employer identification numbers (EINs).
- The method involves obtaining and leveraging an organization’s EIN to conduct tax fraud schemes.
- Threat actors can use the EIN to create fake tax returns and raise fraudulent tax refund claims.
- Journalist advised using gocardless[.]com, a service offered by a financial technology company specializing in online payment solutions, to register a free account in the name of a targeted company in order to obtain its EIN.
Translation of Journalist’s post outlining how to leverage GoCardless in tax return scams
Source: ZeroFox Intelligence
Journalist provided screenshots of the method in action, seeming to successfully obtain the EIN for a U.S.-based construction company, confirming the EIN’s authenticity by verifying it against another unnamed source.
- Journalist claims to have obtained the EIN before paying for GoCardless’ Pro Plan, circumventing the barrier to entry of providing a legitimate payment method that might disclose a threat actor’s identity.
Tax refund and related schemes surge on the DDW in the run-up to tax season in the U.S. year after year, with Russian-speaking threat actors seeking innovative methods for financial gain. Journalist’s method demonstrates how a legitimate fintech service can be abused to run scams in the name of U.S. organizations. ZeroFox anticipates schemes of this nature will continue to propagate among financially motivated actors ahead of the April 15, 2024 U.S. tax return deadline.
Translated and redacted screenshot showing the successful obtaining of the EIN for a U.S.-based construction company
Source: ZeroFox Intelligence
Second New Ransomware-as-a-Service of 2024 Announced in Dark Web Forum
On February 2, 2024, English-speaking threat actor “koley” announced the launch of a Ransomware-as-a-Service (RaaS) project named Ransomhub. The announcement, which was made in the Russian-speaking dark web forum RAMP, revealed that affiliates are now being sought. This is the second new RaaS operation that ZeroFox has identified in 2024 and follows the recent discovery of Wing, which was also posted in English.
RAMP post advertising new Ransomhub RaaS project
Source: ZeroFox Intelligence
Koley proclaims Ransomhub to be “the next generation of ransomware”, offering affiliates numerous state-of-the-art features and benefits, including:
- Native architecture with encryption software written in Go (Golang) and C++, which the threat actor claims will create complications for anti-virus (AV) software.
- “Very fast” encryption speeds assisted by an adaptive algorithm change method.
- Supports Windows and Linux-based operating systems, as well as virtual machines.
- Uses an abstract syntax tree (AST) structure to re-encrypt itself every day, maintaining obfuscation.
- Access to the ransomware’s control panel, which offers affiliates a unique .onion domain. The panel is used to manage targets and log their accesses, use chat rooms, and create private blog pages that can be used for “proofing.”
RAMP post advertising new Ransomhub RaaS project
Source: ZeroFox Intelligence
Ransomhub also allegedly includes an innovative feature that enables and encourages efficient communication and cooperation between affiliates. The platform includes tools that enable affiliates to vouch for each other and share evidence of cooperation with other RaaS teams on previous projects.
- Features such as these are very likely an attempt to increase cohesion and trust amongst a fundamentally skeptical user base, particularly amidst numerous recent incidents of disruption and agitation in dark web marketplaces. Koley very likely views the ability to share information and cooperate as a means to increase the project’s credibility, stature, and profitability.
As with the vast majority of RaaS operations, Ransomhub declares a host of countries off-limits to attacks under threat of banning from the platform. As expected, this includes countries within the Commonwealth of Independent States (CIS). The project also forbids attacks targeting organizations based in China, North Korea, and Romania.
- The exclusion of CIS likely indicates some affiliation with or loyalty toward the Russian state, though it may instead display intent to conform to the established norms expected when operating within Russian-speaking dark web marketplaces.
- Despite the omission of Iran, the banning of attacks against these states likely indicates geopolitical loyalties to parties seen as anti-Western.
Romania’s inclusion in this list, despite its status as a Western member of both the European Union (EU) and the North Atlantic Treaty Organization (NATO), likely indicates the group’s loyalty or affiliation toward, or residence within, the country.
- Romania-based organizations have been targeted in several high-profile ransomware attacks in recent years. In late 2022, the ransomware collective Hive attacked Rompetrol (one of the country’s largest petroleum providers), and the Saint Gheorge Recovery Hospital in northeast Romania was held to ransom for 3 Bitcoin in 2023.
- Romanian National Police assisted in the international 2023 disruption of the prolific Qakbot malware, as well as the 2021 disruption of the REvil ransomware collective. High-profile law enforcement operations have also resulted in the apprehension of Romanian nationals.
The recent increase in new RaaS operations in dark web marketplaces is likely due, in part, to the significant 2023 disruption of prolific ransomware collectives such as ALPHV, NoEscape, and Hive. While many affiliates from these groups likely attached themselves to existing RaaS operations such as LockBit, others very likely sought to create new services.
- New RaaS operations will likely continue to introduce novel and innovative services in an attempt to attract disenfranchised affiliates from other collectives.
- With 2023 seeing the highest number of attacks on record and threat group LockBit conducting more attacks in Q4 than in any other quarter, the ransomware and digital extortion threat landscape is very likely seen as an attractive opportunity by would-be threat actors.
The announcement of Ransomhub in English further supports the recently observed trend of English-speaking actors being willing to enter the traditionally Russian-dominated ransomware scene, as well as to post in Russian-speaking dark web forums.
At the time of writing, ZeroFox has not observed any attacks implicating Ransomhub ransomware, though attacks are very likely to take place in the coming weeks—most likely against North American, Asian, or European-based targets.
Innovative Loader-as-a-Service Announced
Since its announcement on January 25, 2024, by untested actor “Null14”, an innovative malware loader-as-a-service offering has been gaining traction on the predominantly Russian-speaking dark web community exploit[.]in.
- Loaders are a crucial part of efficient malware-spreading campaigns, as they form the spearhead of actual malware introduction to a targeted system, establishing persistence and enabling follow-on malicious activity.
Null14 claimed the currently unnamed loader targets Windows operating systems and is signed with valid code-signing certificates, and attributed its sophisticated detection evasion capabilities to that signing.
- Null14 alleged that this enables operatives to deploy and execute any weaponized software via a direct link without being detected by Windows SmartScreen, User Account Control, Google Chrome, Windows Defender, and potentially Microsoft Edge. The actor also claimed that use of valid certificates would enable the loader to remain unflagged by VirusTotal.
- The loader is encrypted, with additional re-encryptions possible once per day.
- The offering also included established servers and domains which host the loader and can be used to generate phishing links to target victims.
Translated post announcing the launch of the new loader-as-a-service offering
Source: ZeroFox Intelligence
The loader is offered at a price of USD 490 per week; Null14’s post specified that, should the certificate be revoked during this time, the remainder of the purchase period would be refunded.
- Buyers were prohibited from leaking information about the holder of a certificate, as this would allow the certificate to be de-anonymized.
- Any buyer caught in the act will have their subscription canceled.
Although ZeroFox can neither confirm nor refute the credibility of the service, positive indicators lend credence to the legitimacy of this loader service as an innovative malware-spreading technique, one that shifts the burden of evading detection from the coding skills of malware developers to the possession of valid software-signing certificates.
- On February 5, 2024, vetted exploit[.]in user “boomking” claimed this new loader service is the best solution available for the price requested. The actor also claimed to have successfully bypassed Chromium and Windows Defender using it.
- Null14 posted a screenshot that included a highlighted certificate for the WinRAR application, indicating that a certain instance of the WinRAR executable was likely weaponized.
- Null14 did not specify the origin of the certificates, but software-signing services and valid certificates have regularly been observed for sale in predominantly Russian-speaking communities since 2021.
Malware distribution that impersonates credible software is likely on an upward trajectory, and this trend is expected to continue through the first half of 2024.
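The defender-side caveat implied above is that a “valid” signature says nothing about whether the signer is the publisher a binary claims to be. As an added example (written for this post, not ZeroFox’s or the actor’s code), the following Python helper flags a validly signed binary whose signer is not the expected publisher for that executable name, or whose signer is unknown and which sits in a download or temp path; the allowlist, field names and sample events are constructed assumptions.

```python
"""Hypothetical detection helper (added example, not ZeroFox or Null14 code).
Treats a 'Valid' signature status as insufficient on its own. Records are
constructed and borrow the Signed/Signature/SignatureStatus field names
that Sysmon uses for signing information."""
from typing import Optional

# Assumed allowlist of expected signing subjects per executable name.
# Illustrative values only; populate from your own golden images.
EXPECTED_SIGNER = {
    "winrar.exe": {"win.rar GmbH"},
}
# Paths where a freshly downloaded loader typically lands (assumed list).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def assess(event: dict) -> Optional[str]:
    """Return a reason string when a valid signature should not be trusted at face value."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        return None  # unsigned/invalid binaries are handled by ordinary controls
    signer = event.get("Signature", "")
    expected = EXPECTED_SIGNER.get(name)
    if expected is not None and signer not in expected:
        return f"{image}: valid signature by unexpected signer {signer!r}, expected {sorted(expected)}"
    if expected is None and any(h in image.lower() for h in USER_WRITABLE_HINTS):
        return f"{image}: valid signature by {signer!r} on binary in user-writable path"
    return None

def scan(events: list) -> list:
    """Return findings for every event that assess() flags, in input order."""
    return [r for r in (assess(e) for e in events) if r]

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Signed": "true",
     "Signature": "win.rar GmbH", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\bob\\Downloads\\WinRAR.exe", "Signed": "true",
     "Signature": "Example Trading LLC", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "Signed": "true",
     "Signature": "Example Trading LLC", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\bob\\Downloads\\tool.exe", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running it on the constructed events reports the two signed binaries in user paths and stays silent on the legitimately signed install and the unsigned file.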
Recommendations
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Configure ongoing monitoring for compromised account credentials.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.