Blackmarket Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 21 Jun 2023 09:57:16 +0000

Malware Propagation On Darknet Forums
https://gridinsoft.com/blogs/malware-propagation-darknet/
Wed, 21 Jun 2023 09:53:22 +0000

The post Malware Propagation On Darknet Forums appeared first on Gridinsoft Blog.
The forums on the dark web are well-known for being a hub of cybercriminal activity, including an auction system. Here, bad actors can trade tips on hacking, share samples of malware, and demonstrate how to exploit vulnerabilities. For those who develop malware, Darknet communication platforms, specifically forums, have become a perfect marketing platform. The developers of questionable or dual-purpose software appreciate such a law-free place as well. Here, I’ve picked 6 malware samples that are promoted actively on the Darknet.

EvilExtractor Stealer

The developers of EvilExtractor present it as a legitimate subscription-based tool. However, researchers have discovered that it has been advertised to threat actors on multiple hacking forums since 2022. Attackers use it to steal sensitive information, particularly data from web browsers. Kodex created it and it has been regularly updated since its release in October 2022.

Image: Screenshot of EvilExtractor for sale on a Darknet forum

Most infections occurred due to a phishing campaign in which attackers sent account confirmation requests with a compressed executable attachment resembling a legitimate PDF or Dropbox file. Fortinet discovered several such attacks. When the target opens the file, a PyInstaller executable runs, which launches a .NET loader that in turn launches the EvilExtractor executable using a base64-encoded PowerShell script. To avoid detection, the malware checks the system time and hostname on launch to determine whether it is running in a virtual environment; if it is, the malware exits.

Trigona affiliate program

One of the Darknet forums advertises an affiliate program for Trigona. The Trigona ransomware was initially detected in October 2022 and has gained notoriety for exclusively demanding ransom payments in Monero cryptocurrency. In the short time it has been active, this group has victimized people globally.

Image: Screenshot of the Trigona ransomware ransom note

Trigona is a group that hacks into victims’ devices and encrypts all their files, except those in specific folders such as the Program Files and Windows directories. Additionally, they steal sensitive documents and add them to their dark web leak site before encrypting them. This program provides ransomware-as-a-service (RaaS) and has several capabilities:

  • An admin panel hosted on the Tor network, with end-to-end encryption for all data.
  • Storing leaked databases on the cloud.
  • Cross-platform build with cryptographically advanced encryption.
  • DDoS capabilities.
  • Call facilities for countries across the globe.

Shadow Vault – MacOS Stealer

A malware called RedLine Stealer is being sold on underground forums. It is specifically designed to target users of MacOS. This malware is designed to extract sensitive information from internet browsers, such as saved login details, autocomplete data, and credit card information. Once installed on a computer, it takes an inventory of the system, collecting details like the username, location data, hardware configuration, and information on installed security software. The latest versions of RedLine can even steal cryptocurrency. This malware targets FTP and IM clients and can upload and download files, execute commands, and periodically send information about the infected computer.

  • This software has a keylogging function that records keystrokes and creates several copies of the stolen data. These copies are saved in various locations so the information can still be retrieved even if deleted.
  • The extractor can grab data from Metamask, Exodus, Coinomi, Binance, Coinbase, Martian, Atomic, Phantom, Trust, Tron Link, Kepler, etc.
  • This software can be installed using either PKG or DMG file formats.
  • The extraction of data from the Apple keychain database is encrypted, making it difficult to determine how much information was stolen and helping the malware avoid being caught.

Mystic Stealer’s rise

A new version of Mystic Stealer, version 1.0, was released in late April 2023, but an updated version, 1.2, was quickly launched in May, indicating that the project is actively being developed. The seller is advertising the malware on various hacking forums, such as WWH-Club, BHF, and XSS, and it is available for rent to interested parties.
Mystic is capable of stealing login credentials from nearly 40 different web browsers, such as Chrome, Edge, Firefox, and Opera (but not Safari), as well as over 70 browser extensions, including Coinbase Wallet, Dashlane, and LastPass.

Image: Screenshot of Mystic Stealer on a hacker forum
  • The Mystic Stealer is capable of operating on different Windows versions, ranging from XP to 11, and is compatible with 32-bit and 64-bit OS architectures.
  • It operates in memory to evade detection by anti-virus software.
  • The C2 communication is encrypted using a unique binary protocol over TCP. Also, any stolen data is directly sent to the server without being stored on the disk.
  • Mystic performs multiple anti-virtualization checks, including examining the CPUID information to confirm that it is not being run in a sandboxed environment.

Akira ransomware

In March of 2023, cybercriminals began using a new ransomware called Akira. This ransomware encrypts data and changes the filenames of all affected files by adding the extension “.akira”. It also creates a ransom note called “akira_readme.txt”. The letter claims that the company’s internal infrastructure has been partially or fully shut down and that all backups have been deleted.

The attackers also state that they obtained important corporate data before encryption. The ransom note offers a negotiation process with reasonable demands and promises not to ruin the company financially. It includes instructions on accessing a chat room through a Tor browser and a login code. The attackers emphasize that the quicker the company responds, the less damage will be caused. Akira has released information about four individuals on their data leak website. The amount of leaked data varies from 5.9 GB for one company to 259 GB for another.

LummaC2 Stealer

In December 2022, LummaC2 was introduced on cybercrime forums. Since then, it has been continuously developed and has become a highly advanced yet reasonably priced information-stealing malware. This malware, available as a service, is around 150-200 KB in size and is designed to extract data from several browsers, such as Chrome, Chromium, Mozilla Firefox, Microsoft Edge, and Brave. Its primary targets are recent Windows operating systems, from 7 to 11.

Recent updates to LummaC2 improve its security by redesigning the modules used for creating harmful builds and receiving stolen logs. Additionally, a new module with a load balancer has already been added. The developers have also advertised their MaaS on a well-known Russian-language forum frequently used by RaaS operators to promote their affiliate and partnership programs.

So what?

Darknet forum sites provide their members anonymity, letting them freely share their ideas, thoughts, and expertise. As a result, these online communities are valuable intelligence sources for cybersecurity professionals. The impact of the dark web on businesses across various industries highlights the need for a thorough understanding of cyber threats and effective defensive strategies.

To safeguard your organization from the dangers of the dark web and stay one step ahead of cybercriminals, it’s essential to adopt a proactive approach. Cybersecurity experts monitor threat actor communities on the clear and dark web, illicit Telegram channels, and other messengers.

Law enforcement recently shut down the most popular Darknet forums. As a result, the Darknet community is curious to see which forums will take their place. These popular forums provided a one-stop shop for a vast amount of data, with vetted postings, and users considered them a reliable intermediary for vendor transactions. However, the increased popularity of leak-focused Telegram channels and sites indicates a trend toward decentralization. This trend highlights that small groups and individuals are selling leaked data, not just ransomware groups. Therefore, individuals have more decentralized options to buy, sell, and download leaked data.

Joint Operation: SSNDOB Personal Data Darknet Market Seized
https://gridinsoft.com/blogs/ssndob-seized/
Thu, 09 Jun 2022 23:29:53 +0000

The post Joint Operation: SSNDOB Personal Data Darknet Market Seized appeared first on Gridinsoft Blog.
What SSNDOB Was Before Its Servers Were Seized

The US Department of Justice, Internal Revenue Service, and Federal Bureau of Investigation have joined forces with law enforcement authorities in Latvia and Cyprus to seize the SSNDOB darknet market. They informed the public about the operation in the official report on June 7, 2022.

SSNDOB used to be a large market for personal data. The name of the market is the combination of two abbreviations: SSN (social security number) and DOB (date of birth.) Thus, names, dates of birth, social security numbers, and other data of about 24 million citizens of the United States had flocked to the servers of SSNDOB, generating profit for the marketplace owners.

Leaked data vendors used to place advertisements of what they had to sell on dark web announcement boards and forums. The deals were struck afterward on the notorious marketplace. The SSNDOB administration urged its clients to pay for the data in cryptocurrency. As for the application of personal data purchased on SSNDOB, buyers used it in illegal schemes of various kinds, including tax and banking fraud. The revenue generated from such deals amounted to $19 million. The leaked information mostly came to SSNDOB from healthcare institutions.

The four seized domains were ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz. They served as mirrors, which allowed the marketplace to avoid disruption in work, should even one of the servers be shut down due to criminal investigations. However, the joint and simultaneous actions led to the effective seizure of SSNDOB operations with the marketplace infrastructure dismantled.

The Context

The context of the SSNDOB servers seizure would not be complete without a suspicion voiced by the researchers at Chainalysis, who have traced a connection between SSNDOB and Joker’s Stash, a dark web market selling credit card details (stolen, of course.) Joker’s Stash was shut down in February 2021. But before that, around 100 thousand dollars in cryptocurrency were transferred from SSNDOB to Joker’s Stash. Chainalysis even presumes that both resources belonged to the same owners.

Following the shutting down of Hydra and RaidForums, the seizure of SSNDOB is another battle won in America’s decisive war on cybercriminals.

Hydra Market Shut Down by the German Authorities
https://gridinsoft.com/blogs/hydra-shut-down/
Mon, 11 Apr 2022 08:45:40 +0000

The post Hydra Market Shut Down by the German Authorities appeared first on Gridinsoft Blog.
The United States, together with its European allies, has managed to get Hydra market shut down. Servers of this shop, a Russian-language darknet platform, were reported on Tuesday, April 5, 2022, to be seized by German authorities. The marketplace used to be a place to mainly trade illegal drugs and documents, mix cryptocurrency, and exchange bitcoins for Russian rubles.

What is Hydra?

Being a product of a merger of two other markets operating in the countries of the former USSR, Hydra has been active for more than six years. Specialists agree that it grew to be one of the world’s largest darknet drug shops and the largest cryptocurrency-operating illegal market. You could buy anything there – such was the reputation of Hydra.

Users accessed Hydra via Tor browser with onion routing. That made all operations related to the platform extremely hard to track. The name “Hydra” is an eloquent reference to the mythical Hydra of Lerna, a monster who would grow two heads for each head chopped off. Such a character served as a symbol of darknet websites as something reemerging and unkillable.

There were around 17 million registered users on Hydra when it stopped working. As many as nineteen thousand people were registered as narcotic sellers. Each drug dealer had to pay $300 to register and an extra $100 monthly. The buyers used bitcoins stored on their platform wallets. Generally, Hydra used cryptocurrency as its payment method. After the operation, police obtained 543 bitcoins from these wallets, which amounts to €42,500.

Hydra servers seized in Germany

The Federal Criminal Police Office of Germany (Bundeskriminalamt, or BKA for short) reported the seizure of Hydra servers on Tuesday, April 5, 2022. The operation was the result of months of preparation, starting with a tip from the American special services that Hydra trails led to Germany. For half a year, police struggled to deal with Hydra. However, the marketplace managed to evade seizure and hold its ground, despite many other illegal darknet shops being gone due to prosecution or self-elimination (with theft of the money from the platform wallets.)

BKA discovered the Hydra servers under the guardianship of one of the bullet-proof hosting companies. Such groups provide Internet hosting to their clients and ignore any claims and warnings about the illegal activities of their customers. Of course, the policies of such companies may vary, and closing one’s eyes to crimes might have a moral limit. What can also be a limit is an official takedown notice. That is what happened in the case of Hydra.

Image: Hydra seizure notice. After the seizure of the Hydra servers, people who try to access the black market see this message.

The chance is high that there will be arrests among the representatives of the mentioned outsourcing company that provided the servers for the criminal marketplace. However, the administrators of the seized shop are still at large. Their identities remain unknown, as does their capacity to restore the website. The struggle with illegal trade on the darknet continues, as multiple smaller markets can pop up out of nowhere to replace Hydra.

Scale of the event

Hydra was a powerful organization. Its lifetime profit figures amount to 5 billion dollars. Just like drug cartels have their own armies, Hydra shop owners had their marketing specialists, security service, chemists, and, very likely, laboratories.

All narcotics businesses in the post-Soviet states were aware of the existence of Hydra and most likely used the market as a sales platform. Therefore, 2019 rumors about Hydra starting its own ICO were pretty believable. Although it never came to this, the planned total value of the issued tokens was 147 million dollars.

Even more important is that the Hydra platform was most likely closely connected with the Russian special services, namely Federal Security Service (FSB.) The latter apparently received payments from the shop owners and used the platform for obtaining information. There is no better way to monitor criminal activity than tying it around a single site on the Internet and being in cahoots with its administrators.

Image: Hydra interface with the names of prohibited drugs listed in the blue drop-down menu.

The seizure of Hydra could probably have taken place earlier. It apparently happened only now, though, so that the operation’s effect added to the joint sanctions against Russia over its invasion of Ukraine that started on February 24, 2022.

Relation to cybersecurity

Hydra was a well-known black market of drugs, but the assortment of items and services sold there goes far beyond narcotics. On Hydra, one could buy a ransomware attack as a service, computer hacking campaign, or malware to perform it. Hydra also massively sold stolen data, virtual currency, and personal information.

Up to 8 million dollars of ransomware profits, which implies many successful attacks, transited Hydra’s cryptocurrency wallets. More than 85% of the unlawful bitcoins on Russian cryptocurrency exchanges originated from Hydra.

The United States has started a real war on ransomware. In 2021, the absolute majority of ransomware victims worldwide were in the USA, while 74% of ransom money from those attacks went to Russia-related criminals. The shutdown of Hydra is a step in the US crusade against Russian hackers, who have earned increased attention from the American security services over their alleged interference in the US presidential election in 2016.
