What’s new in the hackers’ supermarket?
Following on from our series in 2017, we look at the latest deals cybercriminals are browsing for on the shelves of the dark web.
The dark web continues to be a place where cybercrime tools are available for sale or hire, and where cybercrime-as-a-service – which enables inexperienced individuals to cheaply purchase ready-to-use tools to launch various types of attacks – continues to thrive.
Cybercriminals paying for these tools and services strive to keep their identity secret, paying with cryptocurrency and using the Tor browser to access dark web markets. These markets – the five biggest of which are Dream, Point, Wall Street Market, Berlusconi Market and Empire – sell a range of malware tools, with prices starting at just a few dollars.
The most widespread tools available on the dark web in 2017 were IoT botnets for rent, malware and ransomware kits and zero-day vulnerabilities. While some of these remain a threat in 2019, new tools have emerged. Let’s take a look at some of the new stock in the hackers’ supermarket:
This type of trojan enables remote administrative control once installed on a victim’s machine. Remote access trojans (RATs) can install backdoors and key loggers, take screen shots and exfiltrate data. In August last year, Hackernoon found that the average price of remote access trojans in the five biggest dark web markets was $9.74.
According to the National Cyber Security Centre (NCSC), these malicious RATs can be difficult to detect as they are often designed not to appear in lists of running programs and mimic the behaviour of legitimate applications.
One of most common remote access trojans employed by low-skilled cybercriminals is JBiFrost. Mainly delivered via an email attachment disguised as an invoice or request for a quote, it is used by cybercriminals to move laterally across a network or install additional malicious software.
Since the beginning of 2018, the NCSC has observed an increase in JBiFrost usage in targeted attacks on critical national infrastructure and related supply chains. The trojan has been used to exfiltrate IP, banking credentials and personally identifiable information. Infected machines have also been used as botnets to carry out DDoS attacks.
Other RATs available include Adwind – which was deployed via spoof emails designed to look like they were sent from the SWIFT financial network in 2017 – Gh0st RAT and Blackshades.
New IoT botnets
IoT botnets have been available on the dark web for some time, but new variants are emerging all the time. These botnets launch DDoS attacks or take control of connected devices, with the best-known example the 2016 attack on web domain registration provider Dyn which was orchestrated by the Mirai botnet and included the compromise of CCTV cameras.
Other botnets included Linux.Aidra, Bashlite – variants of which reached more than 100,000 devices
and the Linux/IRCTelnet botnet, which targets routers, DVRs and IP cameras. The latest IoT botnet to be
identified is Torii, which researchers suggest is an example of an evolution of IoT malware
Lateral movement frameworks
These tools allow an attacker to move around a network after gaining initial access. Examples include PowerShell Empire, Cobalt Strike and Metasploit.
PowerShell Empire can be used to escalate privileges, harvest credentials and exfiltrate information. It can also generate malicious documents for social engineering attacks. As it’s built on a common legitimate application (PowerShell) detection is tricky.
Last year Empire was used in an attack on a UK energy-sector company, as well as a spear-phishing campaign against a number of South Korean organisations while the Winter Olympics was taking place.
These tools enable attackers to disguise their location. They have also been used to evade intrusion and detection systems, blend in with common traffic, hide command and control infrastructure and create peer-to-peer command and control infrastructure.
A popular tool is HTran, which intercepts and redirects Transmission Control Protocol connections from local hosts to remote ones. It’s been used in several compromises of government and industry targets.
These enable cybercriminals to collect the credentials of users logged into a targeted machine, which can then be used to give access to other machines on a network. With source code often publicly available, anyone can compile their own versions.
Mimikatz, for example, is typically used after access to a host is gained and the criminals want to move through the internal network. It can significantly undermine network security – escalating privileges, for example.
Mimikatz was used in conjunction with NotPetya and BadRabbit ransomware in 2017 to obtain admin credentials held on thousands of computers. These credentials were then used to facilitate lateral movement, spreading ransomware throughout networks.
Others to look out for
Phishing is one of the most-used cyberattack methods, and hackers are selling readymade spoof pages for hundreds of major brands, including Apple, Netflix, Walmart and Dunkin Donuts. According to Hackernoon, they are typically offered for about $2 each, with Apple coming in at $5.
Password-cracking tools are available for a similar price, with readymade configuration files for numerous websites – most notably Spotify – that just need to be used in conjunction with tools like SNIPR or Sentry MBA. Keyloggers cost around $2, Wi-Fi hacking software ($3) and malware for emptying Bitcoin wallets ($6) are also available.
Another development is that the sellers of these wares now increasingly offer customer support, lifetime guarantees and a free guide on how to use the tool.