The Underground Economist: Volume 4, Issue 7

Welcome back to The Underground Economist: Volume 4, Issue 7, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.

The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of March 28, 2024.

Threat Actor Seeks Suppliers of Stolen Credit Card Databases

On March 25, 2024, untested Russian-speaking threat actor “grossoman15” announced in the deep and dark web (DDW) forum exploit, the intent to launch a new credit card shop named “Tucker Carlson.” The actor also advertised the search for a supplier who is able to provide the details for a minimum of 20,000 stolen cards. 

• According to the advertisement, the cards provided should be at least 10 percent “cardable.” This almost certainly alludes to the card’s ability to make successful transactions.
• The majority of databases containing stolen credit card details almost certainly contain information pertaining to cards that are usable due to them being unused, redundant, or blocked by banks following detection of unusual activity.

The actor specified that they are seeking Russian-speaking sellers that have access to card details from the United States, Canada, Australia, and the United Kingdom. The compensation for vendors is an average of USD 100 per 1,000 cards, though this is dependent on their originating country, format, validity, billing information and other, unspecified factors.

Launch of Telegram-Based Automated Session Cookies Sales Service

On March, 24, 2024, vetted actor “SorterPassX” announced the launch of a Telegram-based session cookies sales service on the Russian-speaking BlackHatForum (BHF). The service–which offers a swathe of session cookies for sale–enables buyers to streamline account takeovers or potentially collect and resell the cookies for financial gain. Stolen login data remains one of the most valuable resources for threat actors on the DDW. 

• The session cookie sales service is offered at low prices– USD 10 per week or USD 35 per month for up to 100,000 requests for session cookies per day. 
• SorterPassX claimed that the cookies are deleted locally after the upload to the cloud storage which is available for buyers, meaning there is likely limited recycling of stolen data.

The service sells session cookies parsed from botnet and infostealer logs. These cookies are harvested as part of a separate, Telegram-based service also run by SorterPassX which allows seamless purchasing of credentials stolen by botnet and stealer malware. 

• The original SorterPassX credentials selling service was announced in April 2022 and remains operational and reasonably successful.

The service will likely gain traction in DDW communities. Automated DDW shops for botnet and infostealer logs are rare but offer considerable opportunities for follow-on malicious activity and financial gain. SorterPassX’s service will likely fill a gap in this market. 

• Since the closure of the Genesis Market in 2023, session takeover facilitation has been restricted to a limited number of cookies collected by stealers whose output is listed for public sale. 

New “Breach” Service offers access to Russian Government Institutions

On March 13, 2024, the untested actor “ZNAEM” posted an announcement in the Russian-speaking DDW forum WWH-Club, advertising a new service named “Znaem Security Service”. The service offers “extensive” access to information from databases belonging to various Russian Government departments, including:

• The Russian Ministry of Internal Affairs
• The Russian Road Safety Department
• The Social Fund of Russia
• The Federal Service for Supervision of Communications, Information, Technology and Mass Media (RKN)
• The Russian National Credit Bureau
• The Russian Federal Tax Service

Users of the service are purportedly able to purchase information via the submission of specific queries. The information is then sought by “punching through employees,” which very likely relates to the obtaining of information directly from employees within the target organization.

• While similar services often rely upon leaked data, it is likely that Znaem Security Service has at least some “live” access, whereby employees are tasked with gathering bespoke information. 
• Information requested from these organizations is very likely to include personal, identifiable information (PII), which could be implicated in future phishing attacks or sold in DDW forums. Non-malicious requests are also very likely made.

The service explicitly announces that it does not sell illicit network access to the advertised organizations, nor does it use such access to gather requested information.

• The targeting of entities within Russia and the Commonwealth of Independent States (CIS) is generally considered bad practice within Russian-speaking DDW forums and in stark contrast to the acceptable norms expected from frequenters. Such activity can result in scrutiny from peers and moderation or blacklisting from some Russian-speaking platforms.
• It is likely that the services provided by Znaem Security Service are generally considered acceptable, with a distinction being made between attacks that directly breach the networks of CIS organizations-such as digital extortion and vulnerability exploitation, and those that leverage insider employees to provide information voluntarily.

The majority of the post is written in English rather than Russian, which is atypical for posts within a Russian-speaking DDW forum. This is likely an attempt to appeal to forum members from English-speaking countries due to a perception that they would pay more for information. It is also very likely an attempt to reach additional Western customers who are conducting research or investigations into Russia-based individuals or organizations.

ZNAEM had deposited a financial sum into the forum’s escrow service to guarantee future customers and ensure credibility. It is very likely that the service is able to provide the services advertised.

Sale of Custom Phishlets for Evilginx3 Tool

On March 11, 2024, blackdatabase announced the sale of custom phishlets for Evilginx3 on the DDW forum xss. The actor listed commonly used phishlets with prices starting at USD 500 for an outlook[.]com phishlet and ranging up to USD 5,000 for phishlets targeting banking services, including Wells Fargo and Chase. The post has gained significant traction within the xss community, indicating a high level of interest from potential buyers.

Evilginx3 is a sophisticated reverse proxy tool for “in-the-middle” attacks against various online services, enabling threat actors to obtain login credentials and harvest session cookies to facilitate MFA bypass. While the third version of the tool was released publicly in May 2023, it did not include the phishlet component that enables malicious actors to adapt the software to attack particular websites.

• Evilginx3 mirrors a website to lure users into entering credentials via phishlets, and configuration files in YAML format used for proxying a legitimate website into a phishing domain. These phishlets specify how Evilginx3 intercepts and manipulates web traffic between a victim and a legitimate service to capture credentials and session tokens.
• While similar phishlets are often available in open sources, many of these are likely to be out of date or ineffective; blackdatabase’s high asking price likely indicates the phishlets sold are believed to be currently deployable.
• Notably, Google was not explicitly listed in the post, likely indicating that the actor is unable to write or provide such a phishlet.

The sale of custom Evilginx3 phishlets very likely poses a significant risk to high-profile organizations globally. Evilginx3, when used in conjunction with phishlets, offers a substantial advantage to threat actors over live panel phishing pages. Instead of being limited to credential theft, leveraging Evilginx3 in conjunction with phishlets could enable attackers to steal session data, facilitating MFA bypass and granting seamless access to sensitive data and funds stored in bank accounts.

• Each phishlet will very likely be sold to multiple buyers and should not be considered a single-purchase option.
• ZeroFox has observed multiple threat actors seeking Evilginx3 phishlets in recent months.

ZeroFox Intelligence Recommendations

• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege. 
• Implement network segmentation to separate resources by sensitivity and/or function. 
• Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently. 
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible. 
• Proactively monitor for compromised accounts being brokered in deep and dark web forums. 
• Configure ongoing monitoring for Compromised Account Credentials.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.