Author: DarkOwl Content Team

Q4 2023: Product Updates and Highlights

Written by DarkOwl Content Team on . Posted in Blog.

January 16, 2024

Read on for highlights from DarkOwl’s Product Team for Q4, including new exciting product features.

Actor Explore Launched

The team released a major new Explore section in our Vision UI focusing on threat actors, providing invaluable insights into cyber threat actors. This feature is designed to empower security professionals, researchers, and organizations with analyst curated information about threat actors. Our analyst team selected 298 actors in these categories: 

  • State-sponsored 
  • Cybercrime groups 
  • Ransomware 
  • Access brokers 
  • Exploit brokers or exploit buyers 
  • Critical infrastructure attackers 
  • Bulletproof hosting providers 

Each actor dossier includes descriptors, contact, and cryptocurrency. The Darknet Fingerprint page includes darknet operations (Telegram Channels or Websites Administered), associated data leaks within the DarkOwl Vision dataset, as well as Forums and Marketplaces on which the actor has been observed. Additional tabs include lists of known Tools and CVEs used as well. Within the Actor Explore section, you can see a Target Map of countries, Links to Research actor aliases and attributes in the DarkOwl Vision dataset, and can compare across different actor groups to see collisions.

This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose. Actor Explore will be regularly updated with new information and actors, prioritizing client needs, ensuring that users have access to the latest intelligence to bolster their cybersecurity efforts and research.

Figure 1: DarkOwl Actor Explore result for APT37 

Leak Context Additions

The team has significantly increased the information in Leak Context this quarter, after the initial release in September. All of this content is available in both the UI and Leak Context API. 

  • We’ve added a Search for Filetree button in the UI that lets you pivot to open a new tab & see the list of all files within the leak.  
  • We’ve added more than 7 content fields relating to the Original Post location, the Attack Type of the leak, and the Size of the leak.  

Leaks of Interest Collected

23andMe

Four datasets relating to 23andMe emerged on a deep web hacking forum as well as Telegram in early October. On October 6, 23andMe confirmed that it was investigating a cyberattack that resulted in unauthorized individuals gaining access to certain customer accounts. The company said it believed that the hackers were able to access certain accounts through a credential stuffing attack, where users had recycled login credentials. Our analyst team wrote a blog covering this leak here.

INDIA – ICMR Leaks Aadhar and Passports 200K Sample

According to the post by RavishKumarOfficial on BreachForums, this is a 200K sample from the 815 million Aadhaar and passport data leak previously posted for sale by pwn0001. The data leak is purported to be a COVID testing data breach. Data exposed includes full names, phone numbers, passport numbers, Aadhaar numbers (Government of India’s 12 digit individual identification number), age, gender, and physical addresses.  

Johnny Logs 11DEC23

A batch of infostealer logs were posted to the Johnny Logs Telegram channel on December 12, 2023. Data exposed includes log data from a reported 3,000 log files and varies based on data that was exfiltrated from each machine.

Vision UI & API Updates

We launched our UI Assistant to announce new features and content, including a weekly What’s Leaking update. 

For Email Domains, you are now able to generate an Email Domain Report PDF, a PDF version of the information displayed on the screen.

The Authenticated Site label now appears on search results, allowing user to easily tell which search results are from these sites

Search Block translations: We added new search block keywords in Arabic, French, Russian, and Spanish, and updated the design of this page to feature our growing translation options. 

Search Result Pivoting: Within search results with extracted chat users or extracted emails, cards, cryptocurrency, or IP addresses, you can select research actions under the corresponding View Switch to help you to navigate to additional results with the Research or Entity Explore sections:

  • Username Research (Chat Users): Identify the darknet footprint associated to a username or user ID of interest, that can lead to alternate usernames and conversations in our chat application data.
  • Entity Explore Results: See aggregate data on Email Addresses, Credit Cards, Cryptocurrency or IP Addresses, with the ability to filter and batch export relevant results.

Curious how these features can make your job easier? Get in touch!

Content, Content, Content: Top Research Pieces from DarkOwl in 2023

Written by DarkOwl Content Team on . Posted in Blog.

January 11, 2023

Thanks to our analyst and content teams, DarkOwl published over 110 pieces of content last year, a new record for the team. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2023.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Dark Web Groups Turn Their Attention to Israel and Hamas

The world was shocked by the invasion of Hamas insurgents into Israel along multiple entry points from the Gaza Strip on October 7, 2023. This has led to a huge number of posts, images and videos being shared of the incursion and atrocities on social media but also on the dark web and dark web adjacent sites.  

DarkOwl analysts are closely monitoring this situation and have identified a wealth of information being shared, some of it legitimate and some likely to be disinformation. In this blog, we provide information relating to known cyber groups active on Telegram and how they have reacted to the invasion. Some groups quickly pledged their support for one side or the other. Read blog here.

2. Romance Scams on the Darknet

For Valentine’s day, our analysts put together a piece to shed light on romance scams – one of the fastest growing schemes across the globe. In the last decade, dating apps and websites have skyrocketed in popularity. As a result, nefarious actors have similarly sought to capitalize off of this booming industry by exploiting and scamming its users. In fact, according to the Federal Trade Commission (FTC), the number of reported romance scams tripled in size from 2017 to 2021. Romance scams are part of a complex criminal enterprise that exploits unassuming individuals on both an emotional and sometimes devastatingly catastrophic monetary basis. Full blog here.

3. Hamas Affiliated Channels Quiet Preceding Invasion?

When Hamas militants entered Israel along several fronts on 7 October 2023, Israel and the world were shocked. As events have unfolded this has turned to disbelief that Hamas were able to mount such a complex and successful attack without prior intelligence to indicating an attack. In the months and years to come people will surely reflect on the entirety of intelligence failures that lead to these events, but initial reports seem to suggest that Hamas succeeded by “going dark.”

DarkOwl analysts reviewed our coverage of Hamas linked Telegram channels to identify if there was any change in their activity preceding the assault. We identified that there was a period of inactivity in the run up to the attacks for some but not all the channels. This could have been a coincidence, and we have seen no hard evidence suggesting that the period of inactivity was a precursor to the invasion. However, it is important to monitor the activity of pro Hamas Telegram channels to establish if there were any patterns to the posts.

In this blog, we review some of the channels we are currently monitoring. Read blog here.

4. Darknet Marketplace Snapshot Series: Styx Market

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Styx market. Styx is a darknet marketplace selling illegal techniques for committing fraud, money laundering, and access to stolen data. Chatter on the darknet around Styx market first appeared in 2020 before the marketplace officially opened in mid-January 2023. Styx market offers stolen data as well as a variety of products for conducting illegal cyber activities. Learn more about Styx here.

5. Glossary of Darknet Terms 

The darknet is home to a diverse group of users with complex lexicons that often overlap with the hacking, gaming, software development, law enforcement communities, and more. DarkOwl’s Glossary of Darknet Terms is a continually evolving resource that defines the common vernacular, slang terms, and acronyms that our analysts find in places like underground forums, instant messaging platforms (such as Telegram), as well as in information security research pertaining to the darknet. Check it out. 

6. Monitoring the War in the Middle East

DarkOwl analysts have assembled a list of Telegram channels commenting on the current conflict in the Middle East. It is important to note that the channels labeled hacktivists are hacker groups, people actively DDoSing websites (distributed denial-of-service attacks), defacing websites, etc. Conflict media includes channels that are not related to hacking but are sharing various forms of near real time content from the conflict in the form of text, audio, images, and video. Analysts have found that there is more propaganda and misinformation on the conflict media accounts versus the hacktivist accounts (not say that it does not exist). Full list here.

7. Understanding the Difference Between Scams and Fraud

Many times we use the words “scam” and “fraud” interchangeably. Fraud is an umbrella term, legally referring to various types of chargeable criminal offenses. Scams, on the other hand, are a particular segment of fraud. One way to think about the difference between these two is from a legal perspective. Fraud is serious criminal business, while scams are considered more minor offenses in comparison. Many types of fraud are classified as felonies, versus scams which are typically charged as misdemeanors. Another way to look at it is from a banks’ perspective. Financial institutions differentiate the two as such: scams are theft of funds with your permission or knowledge, while fraud is financial theft without your permission or knowledge. This blog explores the differences. Read blog here.

8.  Understanding Darknet Intelligence (DarkInt)

The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture, but is becoming an increasingly vital component. In certain cases, that is because taking raw data and turning it into actionable security intelligence requires leveraging DARKINT – or data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio. Learn more.

9. Despite FBI Takedown, Genesis Market Persists on the Darknet

Genesis Market is a well known darknet exchange that specializes in the sale of identity and account-takeover tools – which, in the case of this forum, primarily means the sale of compromised personal devices via the use of malware. When a buyer obtains a “bot” from Genesis Market, they are actually purchasing persistent remote access to an unsuspecting victims computer. In April, the United States Federal bureau of Investigations has announced the seizure of the criminal forum Genesis Market in an internationally coordinated effort dubbed “Operation Cookie Monster.” Our analysts detected the disruption in Genesis Market at early afternoon Tuesday April 4th, which is consistent with other accounts who also saw the popular marketplace replaced with the law enforcement landing page at that time. Full blog here.

10. Examining Recent Telegram Posts from Russia’s “Z Bloggers”

The letter “Z” has been heavily used as a pro Russian invasion propaganda motif since the early days of the invasion in 2022. The “Z” symbol is often associated with images of Russian leaders in the government or military. The symbol is also commonly associated with Russian war journalists, soldiers, and other Kremlin supporters typically used as vehicles for misinformation campaigns  on chat platforms like Telegram. The media commonly refers to this group of individuals as the “Z bloggers”, the “Z Army”, and more generally as war influencers. This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif. Read blog here.

2023, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2024 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

Threat Intelligence RoundUp: December

Written by DarkOwl Content Team on . Posted in Blog.

January 02, 2024

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Russia’s AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany – The Hacker News

Ukraine, Germany, and the United States are heavily targeted in Russia’s “Operation Doppelganger” – a new wave of fake news stories distributing falsehoods via news sites and social media accounts controlled by the actors involved. The companies involved are Structura National Technologies and Social Design Agency. The world is well aware of continued dis- and misinformation efforts by Russia. As the war in Ukraine continues, and the US 2024 election approaches, these efforts are expected to grow and continue. Read full article.

2. FBI disrupts Blackcat ransomware operation, creates decryption tool – BleepingComputer

After weeks of speculation that downtime on the leak site for Ransomware group Blackcat/ALPHV was due to law enforcement action, the site has officially been seized. The DOJ announced that the FBI had successfully breached the ALPHV ransomware operation’s servers to monitor their activities and decryption keys. The site had been suffering issues since Dec 7, which the group had attributed to technical issues despite reports of Law Enforcement action. However, a new message soon appeared on the site, claiming that the site had been unseized and providing a new onion address for the leak site.

The message is translated as follows:

BEGINS

As you all know the FBI got the keys to our blog, now we’ll tell you how it was.

First of all, as everything happened, having studied their documents, we understand that they received access to one of the DC, because all the other CCs were not touched, it turns out that they somehow hacked one of our hosters, maybe even he helped them.

The maximum they have these keys in the last month and a half, it’s about 400 companies, but now they’re more than 3,000 companies will never get their keys.

Because of their actions, we introduce new rules, or rather remove ALL rules, except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere.

Reight is now 90% for all the adverts.

We do not issue any discounts to companies, payment strictly the amount that we indicated.

VIP adverts receive their private affiliate program, which we raise only for them, at a separate center, full, isolated from each other.

Thank you for your experience, we will take into account our mistakes and will work even tighter, waiting for your dive in chats and requests to make discounts that are no longer available.

ENDS

The site is currently showing as seized again. Read article.

3. Major Cyber Attack Paralyzes Kyivstar – Ukraine’s Largest Telecom Operator – The Hacker News

Kyivstar suffered a cyberattack that took most internet and phone services completely offline on December 12, 2023. The incident also impacted the air-raid alert system as well as some financial sector operations. Initial reports detail that 25 million mobile users and over 1 million home internet users were affected. Kyivstar issued a public statement that it would compensate these users who didn’t have service for the outage. Kyivstar indicated that this incident occurred as a result of the Ukraine-Russia war but didn’t provide evidence for this claim. Read full article.

4. Russian Hacker Vladimir Dunaev Pleads Guilty for Creating TrickBot Malware – The Hacker News

Russian national Vladimir Dunaev was arrested in 2021 and extradited to the United States in the same year. He recently (November 30, 2023) pled guilty to developing the Trickbot malware, which was a banking trojan turned initial access tool for ransomware attacks. Dunaev is the second actor to be arrested for his role in Trickbot, and will be sentenced in 2024; the first was a Latvian national who was sentenced in June of 2023. Article here.

5. German police takes down Kingdom Market cybercrime marketplace – BleepingComputer

German law enforcement announced the seizure of Kingdom market a darkweb marketplace known to sell drugs, hacking tools and counterfeit documents. One of the administrators of the site was reported to have been arrested in the US. A seizure notification was posted on their onion site. The site has operated since March 2021 and was one of the most well-known dark marketplaces. It was announced that investigations were ongoing to identify the people who operated the site aided by the seizure of their infrastructure. Other marketplaces have taken this opportunity to invite sellers to their sites to continue their operations via Dread. Read article.

6. Kelvin Security hacking group leader arrested in Spain – BleepingComputer

Kelvin Security group is a prolific hacking group who are quite active on BreachForums and RaidForums, selling stolen data for profit. Spanish law enforcement revealed they arrested a Venezuelan national who is a possible leader of the group on December 07, 2023. This actor was heavily involved in the group’s financial activities, such as moving money through various cryptocurrency exchanges to make tracing funds more difficult for authorities. Read full article here.

7. Navy contractor Austal USA confirms cyberattack after data leak – BleepingComputer

Australia-based Austal USA, a shipbuilding company, revealed it was the victim of a cyberattack as of December 6, 2023. Austal USA itself is a subsidiary of Austal and has contracts and multiple programs working with the US Navy. Ransomware gang Hunters International group claimed responsibility for the incident. Read article.

8. BidenCash dark web market gives 1.9 million credit cards for free – BleepingComputer

The Darkweb marketplace BidenCash has reportedly released 1.9million credit cards for free. This is the third time that they have made such a release although the validity of the cards is not confirmed. BidenCash launched in early 2022 as a new marketplace on both the dark web and the clearnet, selling credit and debit cards that were stolen through phishing or skimmers on e-commerce sites. Article here.

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl 2023 Recap: A Quick Reflection & Updates

Written by DarkOwl Content Team on . Posted in Blog.

December 28, 2023

With 2023 at a close, our content and marketing teams reflect on a number of exciting events, trends and changes the DarkOwl team experienced this year. We look forward to an even more successful and prosperous 2024 and wish the same for all our customers, partners and readers! Thank you for your support over the past year and continuing to read, engage and share our content. We hope you continue to find the topics we cover valuable, enlightening and interesting. Last marketing plug of the year… don’t forget to sign up for our weekly newsletter to make sure you receive updates about latest from our research and content teams! 

DarkOwl Around the World

Trade Shows and Events

DarkOwl made the rounds this year traveling all over the world for trade shows and speaking sessions and we are so glad to be able to see our customers, partners, and prospects face to face. In 2023, the team attended several events all around the world from San Francisco, Las Vegas, New Orleans, National Harbor, Panama City, London, Prague, Paris, Vienna, Munich, Singapore, Dubai, Hyberbad, Haryana, and more. Thank you to everyone who sat down with DarkOwl along the way. We hope to see even more you on the road in 2024. Check out where we will be in 2024 and request time to meet here.

DarkOwl CFO and DarkOwl FZE CEO at CyberTech Global in Tel Aviv.
DarkOwl CEO at the G-20 Conference in Gurugram, Haryana, India.
DarkOwl CBO, Director of Client Engagement and Project Engineer & Data Analyst at OsmosisCon in New Orleans, LA.
DarkOwl Director of Strategic Partnerships in Lille, France at FIC.

Darknet Hands-On Labs

DarkOwl hosted two darknet hands-on labs for the first time this year. In July, we hosted “Explore the Darknet with DarkOwl” at the Carahsoft headquarters in Reston, VA. Attendees got access to DarkOwl Vision and got to conduct hands-on searches during a Scavenger Hunt. DarkOwl’s industry leading Vision UI provides access to the largest commercially available database of darknet content in the world, without having to access the darknet directly, so you can take action to prevent potentially devastating cybersecurity incidents. After an afternoon of learning about the darknet and diving into it, attendees enjoyed networking during happy hour.

Our next hands-on lab, we hosted with Blackbird.AI at the Carahsoft headquarters in Reston, VA as well, “Explore Darknet Data and Beyond With DarkOwl and Blackbird.” In this session, attendees once again got direct access to DarkOwl Vision to explore the platform and conduct darknet searches in a Scavenger Hunt and see in real-time, how Blackbird’s Constellation Platform aggregates and adds color to this data. Blackbird provides the only purpose-built platform for organizations to detect, measure, and mitigate disinformation and information-driven risk. Together, get the complete picture you need for critical decision making.

The team is excited to do more of these in-person trainings, make sure you don’t miss the invite to our next one!

Employee Fun and Events

Not only did the team travel around the world for client meetings and conferences, but back in Denver, CO at Headquarters, DarkOwl had some fun too! With a workforce that is becoming more and more remote friendly and DarkOwl focusing on finding the best talent, making sure that everyone at DarkOwl stays connected is of upmost importance.

Team Offsite
Meeting our adopted owl
Meeting our adopted owl

Last year, we adopted an owl! This year we renewed that adoption and the team was lucky enough to meet our adopted great horned owl. He jumped early from his Michigan nest in 2015 and fractured his right wing in two places and was on the ground for about a week next to a barn before he was picked up by the landowners and brought to a rehabilitation center. He was sent to the Raptor Education Foundation in Denver in August, 2016 where he now lives. You can learn more about him on his dedicated adoption page. 

We love our #Pets!

Arguably, one of the most exciting things this year was the start of the DarkOwl Pets Channel! Our furry employees brought so many smiles throughout the year and of course a couple crashed meetings and plenty of naps along the way. 😻

Porter, Apollo and P.
Biscuit, Garfield, Bentley, Zooka and Lil’ Dip.
Bevy May, Bart, Sumi, Feni, Nova and Cudi.

Reminder: DarkOwl analysts and their pets recommend you never use your pet’s name in any password combination as it is a popular term for threat actors using brute force attacks.

Content, Content, Content

DarkOwl published over 110 pieces of content this year – everything from research blogs, darknet 101 topics, press releases, webinars and more. The team will be ranking the top 10 pieces in the new year. Stay tuned to make sure to see the highlights!

This year, we also launched our LinkedIn Newsletter, “Weekly Intelligence Summary: Deep and Dark Web Round Up,” which is published on LinkedIn every Monday morning and rounds up cyber news from the week prior. Keep up to date with the latest from DarkOwl Analysts every Monday – you can subscribe here.

New Products and Enhancements

DarkOwl places great emphasis on learning from customers and making sure our products are always providing value. We make a continuous effort to enhance our dark web data products with features geared towards analyst and threat intelligence teams. Below are a couple highlights of big launches we had this year, both of new products and offerings as well as feature enhancements.

DarkSonar API Launch

In April, DarkOwl added, DarkSonar API to the product suite. DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors over time of organizational exposure of email addresses with associated passwords, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks.

In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in approximately 75% of the cases where a company publicly acknowledged a breachDepending on the companies and the nature of the attacks this percentage was as high as 85% in some instances. This indicates that DarkSonar can help organizations assess their risk level as an additive data point – and potentially predict a pending threat.

Read more about DarkSonar API on our product page or in our interview with Director of Product, Sarah Prime and Product Manager, Josh Berman.

Darknet Services Offering

In July, DarkOwl announced the launch of Darknet Services, our customizable tailored, expert analyst support to enrich darknet data and provide customers with darknet risk analysis, threat actor profiling, darknet monitoring, data acquisition, and brand protection. For individuals who are not familiar traversing the darknet it can be a daunting task to search for threats and risks to an organization. DarkOwl is the darknet expert, with access to the largest database of darknet content. DarkOwl’s team of expert analysts are able to conduct these investigations on behalf of customers identifying mentions of organizations as well as data relating to them that may be exposed. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. Let us be an extension of your team.

Read more about Darknet Services on our product page or in our interview with DarkOwl Director of Intelligence, Senior Threat Analyst, and Darknet Intelligence Analyst to understand a little more about their backgrounds, why they love cyber, projects they’re working on, and some tips and tricks for new analysts. You can even see some example reports here.

Actor Explore: Your Ultimate Resource for Cyber Threat Actor Intelligence

In November, DarkOwl released “Actor Explore,” an exciting new addition to our Vision UI platform that provides invaluable insights into cyber threat actors. This feature is designed to empower security professionals, researchers, and organizations with analyst curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively.

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical. One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors. The actors that are responsible for conducting attacks; individuals or groups with malicious intent, often targeting organizations, governments, or individuals. Understanding why they are operating, what they hope to achieve and what methodologies they are using can assist analysts in protecting infrastructure and predicting future activities.  

With Actor Explore, users can access comprehensive threat actor information and each actor profile includes a detailed dossier, offering an in-depth overview of the threat actor. Additionally, DarkOwl analysts provide extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more when available. Actor Explore connects this information to our other data sets, including leak sites, ransomware sites, alias, cryptocurrency, etcetera that actors are associated with. This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose.

Cyber threats are continually evolving, and so are the threat actors behind them. The collection consists of threat actors in several categories, including: state-sponsored, cybercrime-focused, ransomware groups, access brokers, exploit brokers and buyers, critical infrastructure attackers, and more. Actor Explore will be regularly updated with new information and actors, prioritizing client needs, ensuring that users have access to the latest intelligence to bolster their cybersecurity efforts and research.

You can read more about Actor Explore here and why tracking and monitoring threat actors is important in our write up here.

A Year of Growth 

2023 was exciting for the DarkOwl team, as we grow our product suite and continue to improve our current products.

One of DarkOwl’s key differentiators is our product team’s ability to respond to the needs of our clients and collect the data that matters the most to them. Last year, DarkOwl was proud to assist our national security and government partnerships by providing crucial insights into data leaks and cyber activity surrounding the war in Ukraine. This year, we are pleased to have reported on and shared insights into the Hamas and Israel conflict.

DarkOwl Announces Availability of Vision UI on AWS Marketplace

AWS Marketplace serves as a comprehensive e-commerce platform featuring thousands of software listings from independent vendors, streamlining the process from discovery to deployment of software compatible with Amazon Web Services (AWS), around the globe. This collaboration offers security teams and leaders a swift and cost-efficient avenue to harness DarkOwl’s invaluable darknet data resources utilizing their AWS account. 

Bringing DarkOwl Vision UI to the AWS Marketplace allows access to advanced threat intelligence and empowers organizations to fortify their defenses against evolving cyber threats. DarkOwl Vision UI on AWS Marketplace offers scalability, making it suitable for organizations of all sizes. Users can choose a subscription plan that aligns with their specific cybersecurity needs. 

Clients Seeing Increased Demand for Dark Web OSINT

We understand how incredibly challenging it is to maintain insight into everything the threat actors have insight into. This year, we put an emphasis on leveraging our company’s expertise in darknet technology to gather the data that allows our clients and their customers to stay ahead of potential threats.

Newly announced partnerships include: 

Don’t miss any updates from DarkOwl in 2024 and get weekly content delivered to your inbox every Thursday.

Guarding Your Finances Online: The Latest Darknet Fraud Trends

Written by DarkOwl Content Team on . Posted in Blog.

December 19, 2023

Introduction 

Fraud is one of the most prevalent activities on the darknet, threat actors will buy and sell fraudulent goods as well as providing tips on tricks on how to how to conduct fraudulent activities. There are many different types of fraud that are conducted against many industries, and events, although financial gain is the overriding incentive, with actors often being opportunistic in who they target and when. 

Here we will explore some of the types of fraud DarkOwl analysts have observed on the darknet. 

E-Commerce Fraud 

The targeting of e-commerce businesses such as Amazon, PayPal and Shopify is widespread on the darknet. Criminals will use a range of techniques such as refund fraud, hacked accounts and gift card fraud in order to obtain funds. 

The dark web adjacent platform, Telegram is used extensively to advertise fraud and scam markets. Users are able to search for channels which provide them with ways to conduct fraud, groups that will provide fraud services for you sell you fraudulent goods.  

Refunding Services 

Refunding fraud is when a user will obtain a cash refund for goods that they have not purchased or for goods the buyer had already received a legitimate refund for. Refund fraud can have significant financial implications for businesses, leading to monetary losses and potential damage to their reputation. 

A user knows as Bam or Amazon God offers refunding services for Amazon goods in a range of jurisdictions. They provide the refund service as well as offering methodologies and mentorship as a consultant. 

Figure 1: Threat acor provides refund services on Telegram 

Hacked Accounts 

Hacked accounts often come from stolen credentials, or through credential stuffing attacks allowing criminals to access legitimate accounts to purchase goods. This is also known as Account Takeover (ATO). These accounts are often sold on the dark web and dark web adjacent sites.  

Figure 2: DarkOwl Vision result for the sale of Amazon Prime accounts 

Many organizations are targets of these types of account takeovers, with threat actors becoming more successful at obtaining credentials which can be used on multiple accounts. However, we do see many accounts being made available for streaming service accounts such as Netflix or Hulu, usually for very low prices.  

This is why it is very important for individuals to practice good password hygiene – not only in their professional life, but also in their personal life. Password reuse can lead to multiple of your accounts being stolen. DarkOwl recommends the use of a password manager and routine changing of passwords.

Tutorials 

Although not a fraudulent activity in its own right, DarkOwl analysts note that threat actors are increasingly selling tutorials and guidance on how to conduct different types of fraudulent activity on the darknet. This means that actors do not necessarily have to have skills or sophistication in order to be successful – they are able to purchase this knowledge and carry out the fraudulent actions themselves. Because of this sharing of knowledge, the number of individuals committing fraud can grow at a pace it might not have done or have been able to beforehand. Cracking tutorials in the darknet cover all matters of illegal “cracking” including passwords, wi-fi routers, commercial accounts, and software. For obvious reasons, we’ll not detail any of the cracking tutorial methods that we’ve spotted across popular hacking forums and Telegram channels.

Financial Fraud 

Although the majority of fraud is committed for the purposes of financial gain, it does not always target the financial sector directly. However, there are multiple types of fraud that do. This continues to be a trend DarkOwl has observed on the dark web and we do not expect it to decrease. 

Gift Card Fraud 

Gift card fraud refers to the unauthorized acquisition, use, or manipulation of gift cards for financial gain. Gift cards are prepaid cards issued by retailers, restaurants, or other businesses, and they are commonly used as presents or convenient forms of payment. However, criminals have developed various schemes to exploit vulnerabilities in the gift card system. 

Gift cards are often used as a way to launder money, allowing users to purchase goods with funds which have been illicitly obtained. Gift cards can be purchased with cash and can therefore also be used to obfuscate the purchase of illicit goods. 

Figure 3: Threat actor sells ebay gift cards 

Fullz  

Fullz is a dark web term which refers to a complete set of personal information that cyber criminals often seek to steal and sell on the dark web for fraudulent purposes. This information typically includes a person’s full name, social security number, birthdate, address, phone number, email address, financial account details (such as credit card numbers, bank account information, and associated security codes), and other sensitive data. 

This information can be used to steal a person’s identity, conduct social engineering attacks, and conduct account takeovers. Most commonly we see fullz being sold on the dark web for the purposes of conducting financial fraud, with actors using the details to open fraudulent bank accounts to be used for other scams.  

Figure 4: Telegram account selling Bin and Fullz 

Credit Card Fraud 

Credit card fraud is common on the dark web, with many marketplaces and vendor stores exclusively selling stolen and or cloned credit cards. WWH Club us an example of a marketplace which is set up exclusively to cater to the carding community.  

Credit cards will be sold with varying balances or credit limits on them, the more cash available the more expensive that they will be. Threat actors have been able to create cards, which they have cloned, and they create on mass and sell on the dark web.  

Users will purchase these cards to cash out the funds or purchase illicit goods and obfuscate their identity.  

Figures 5 and 6: Cloned cards and card advert 

Counterfeit Goods 

Another item that is very popular on the dark web is the sale of counterfeit goods. While these can vary in type, from designer goods to sporting ware, the majority of items we have seen advertised on the dark web are counterfeit documents. Passports from a variety of countries, driving licenses, birth certificates and immigration documents are available for purchase on the dark web.  

Again, there are marketplaces and vendor stores that are dedicated to the sale of these goods as well as being made available on the majority of high-profile marketplaces within their own area.  

DarkOwl has not verified the quality of any of these goods, and it is unclear whether the sale of these is a scam in and of itself. However, it is possible that some threat actors do have access to the materials to create these. The price of the document is usually a good indication of the quality. Some of the documents sold also appear to be legitimate, likely stolen from the original owner for the purpose of selling on the dark web.  

Figure 7: Marketplace offers counterfeit documents 

Healthcare Fraud 

Healthcare fraud became increasingly mainstream as a result of the 2020 pandemic, with actors selling vaccination cards and PPE (personal protective equipment). However, this has continued as the pandemic has subsided. Although vaccination cards are still available, we have seen a move towards Medicare fraud in the US as well as the sale of medical information in leaks and breaches. Mentions on the dark web related to 1095A Forms, healthcare agent credentials, and Medicare / Medicaid. We assess that this information is being made available on the dark web so that criminals can use it to conduct healthcare fraud and claim benefits which they are not entitled to. DarkOwl will continue to monitor this trend into 2024. 

Figure 8: Sale of healthcare information 

Conclusion 

Threat actors use the dark web to conduct, learn and sell activities relating to many different types of fraud. The primary reason for this activity is financial gain and we do not expect this to change, however new trends and types of fraud continue to emerge. DarkOwl will continue to monitor these trends into 2024. 

Curious how DarkOwl can help your fraud use case? Contact us.

2 Month Review of Cyber Activities in the Israel Hamas Conflict

Written by DarkOwl Content Team on . Posted in Blog.

December 14, 2023

Introduction 

It has been 2 months since Hamas’s October 7th surprise attack on Israel. In that time there have been many developments both on the ground and in the cyber realm. A number of groups emerged in the aftermath of the attack pledging their support to either Hamas, Palestine or Israel and cyberattacks increased in the region targeting both sides to varying degrees of sophistication. DarkOwl analysts have been tracking these events and activities, and in this blog we review some of the notable cyberattacks that have occurred and the groups that have taken responsibility.  

In the first few days of the conflict, attention was largely focused on images and media reportedly coming out of Israel and Gaza highlighting the atrocities which were occurring. Telegram, which is monitored by DarkOwl, appeared to be being used as a de-facto news source, providing details of what was happening in certain areas and also posting images of the aftermath. Channels appeared or grew in size supporting one side or the other and while sharing information, there were also reports of false or fabricated information and media being shared stoking the flames on both sides.  

Figure 1: Telegram channel posts image of Hamas breaching into Israel 

The cyber world also reacted to the conflict with existing hacktivist groups quickly pledging allegiance to their chosen side or already fighting for the cause. Groups quickly began to post online about the targets they had successfully compromised with attacks ranging from DDoS (distributed denial-of-service), defacements to data leaks. As the conflict has progressed, the level of activity has ebbed and flowed, with some groups turning their attention back to previous targets.  

Figure 2: Selection of Cyber groups profile images 

After the initial invasion and activity, several cyber incidents accompanied the air and ground conflicts in the Middle East. Key activities we identified as part of the conflict are detailed below although this is not an exhaustive list and does not describe all reported activities.

October Events

  • A leak purportedly from the Palestinian Foreign Ministry was published on cracking[.]org which contained details of Chinese and Palestinian projects as well as correspondence documents and PII for approximately 500 people. DarkOwl was able to obtain this leak for review.  
  • Ghosts of Palestine openly announced they will target NATO countries who support Israel although Turkey was excluded from targeting.  
  • BlackSec joined the digital operations arena, claiming it would target Israel and not remain neutral in the conflict.  
  • The RedAlert app which was used to alert Israelis to rocket attacks was subject to a spoof attack which was reported to collect personal information. It was unclear who was behind this attack but demonstrated cyber actors taking advantage of the military conflict for their own gain.  
  • Stucx Team claimed an attack on an Israeli SCADA system via their Telegram channel, Supervisory Control, and data acquisition (SCADA) controls industrial processes. Targeting these types of systems can bring down water plants and electrical facilities and are usually one of the most concerning attacks for cyber security experts. A high level of sophistication is usually required to successfully attack these processes. However, they became a common Israeli target as the conflict continued.   
Figures 3 and 4: STUCX Team Telegram post from DarkOwl Vision and on the channel 
  • The group GlorySec posted on Telegram that they considered a firewall on Palestinian websites, indicated Palestine had prepared well in advance for a conflict in the cyber realm as well as the physical realm. They also said they’d release the data right to Israel to support their operations and encouraged them to investigate this. It is unclear what information they had or if this was shared.  
Figure 5: Telegram post by GlorySec via DarkOwl Vision
  • Anonymous Algeria publicly warned the UAE and alerted its airline, Emirates, to a possible system compromise for what they view as “not supporting Palestine”:  
Figure 6: Anonymous Algeria Telegram Post
  • Reports indicated that Pro-Hamas hacktivists groups were targeting Israeli Entities with Wiper Malware, the destructive malware appeared to have signatures within it linking it to the Middle East. This development highlighted the use of sophisticated tools as part of the ongoing conflict and suggests a “cyber war” may also be taking place. 

As the month of October concluded, hacktivist activity relating to the Gaza conflict appeared to decrease. While the start of the conflict saw a large amount of emerging activity, with actors and groups choosing sides and issuing threats online, digital activity surrounding the Israel-Hamas conflict tapered down. However, increases were expected as the conflict continued.

November Events

  • AnonGhost Indonesia & Anonymous Indonesia warned the Japanese government that for supporting Israel that they would carry out cyberattacks, the groups had already been active in targeting countries they deemed to be anti-Palestine or Pro-Israel.  
  • GhostSec claimed to have successfully targeted several Israeli PLCs via their Telegram channel. 
  • Anonymous claimed to have information relating to Mossad spies which they threatened to disclose on Telegram it is unclear where this information came from or if it relates to valid data.  
Figure 7: Anonymous post on Telegram 

Although the hacktivist groups on Telegram appeared to quiet in this period security research reported on several activities which indicated that Iranian hackers were using new tools to target Israel and that a Hamas linked APT was also targeting Israel with a new backdoor tool. Indicating that nation states and Nation State sponsored groups continued to be active in the cyber sphere. These groups tend to avoid the publicity that hacktivist groups seek.  

December Events So Far… 

Cyber incidents began to increase after the temporary ceasefire between Hamas and Israel completed.  

  • Cyber Toufan hacking group claimed to have breached Israeli company SodaStream, and exfiltrated 100,000 records:  
Figure 8: Post for SodaStream data on dark web forum via DarkOwl Vision 

Conclusion

Hacktivist groups and cyberattacks have been a component of the Israel Hamas conflict since it began, with many groups getting involved and attacks across of a scale of sophistication being conducted on both sides. Although the activities have ebbed and flowed in the first two months of the conflict, it is clear that they are likely to continue for the length of the military conflict – if not longer. DarkOwl will continue to monitor the activities of these groups as the conflict continues.  

Sign up for our weekly research roundups to not miss any DarkOwl research.

DarkOwl Announces Availability of Vision UI on AWS Marketplace

Written by DarkOwl Content Team on . Posted in Press Releases.

December 12, 2023

DarkOwl, the leading provider of darknet data, is pleased to announce the availability of DarkOwl Vision UI on AWS Marketplace. AWS Marketplace serves as a comprehensive e-commerce platform featuring thousands of software listings from independent vendors, streamlining the process from discovery to deployment of software compatible with Amazon Web Services (AWS), around the globe. This collaboration offers security teams and leaders a swift and cost-efficient avenue to harness DarkOwl’s invaluable darknet data resources utilizing their AWS account. 

This strategic move makes DarkOwl’s darknet data more easily accessible than ever to a broader audience, allowing organizations of all sizes to enhance their cybersecurity posture. 

DarkOwl Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. By leveraging DarkOwl’s extensive database of darknet content, organizations can gain unparalleled visibility into potential risks and vulnerabilities. The user-friendly interface of DarkOwl Vision UI simplifies the process of monitoring, analyzing, and responding to emerging threats. 

Bringing DarkOwl Vision UI to the AWS Marketplace allows access to advanced threat intelligence and empowers organizations to fortify their defenses against evolving cyber threats. DarkOwl Vision UI on AWS Marketplace offers scalability, making it suitable for organizations of all sizes. Users can choose a subscription plan that aligns with their specific cybersecurity needs. 

“We are excited to make DarkOwl Vision UI available on the AWS Marketplace, making it easier for organizations around the world to enhance their cybersecurity posture,” said Alison Halland, Chief Business Officer at DarkOwl. “With the increasing sophistication of cyber threats, it is crucial for businesses to have access to advanced threat intelligence tools and with our product on AWS Marketplace, we are happy to make this a reality.” 

DarkOwl Vision UI is now available on the AWS Marketplace, and interested users can find more information on the AWS Marketplace Listing

About DarkOwl
DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

What are Stealer Logs?

Written by DarkOwl Content Team on . Posted in Blog.

December 06, 2023

DarkOwl analysts have observed an increase in stealer log data available on the darknet in the past couple years. Stealer logs are logs of sensitive information that have been stolen from compromised victim devices. Data from stealer logs can be more damaging to victims in the hands of a bad actor than the credentials found in leaks and breaches. The data obtained through an infostealer allows a bad actor to get multiple kinds of information, such browser data, credentials, IP addresses, crypto accounts, about the victim rather than the limited information generally offered in a leak.  

From email accounts to banking credentials, stealer logs can grab it all. This could result in a number of attacks such as identity theft, tricking individuals or institutions to transfer money (or drain accounts), account takeover, fraudulent purchases, and other forms of fraud. Many victims do not know that their machine is infected by stealer malware since they are often distributed by phishing emails, fake websites, fraudulent software and apps, and other social engineering methods. In this blog, DarkOwl analysts will break down what stealer logs are and how they work. As stealer logs start replacing the role of leaks and breaches, they will be the ones to look out for.  

Stealers, Infostealers, and Stealer Logs  

Stealer log-related terminology is defined below: 

A stealer is another word for an infostealer, or information stealer. Per DarkOwl’s darknet glossary, a stealer is “a software-based program, typically malware, that is deployed on victim devices that when executed or downloaded is designed to take credentials, cookies, and sensitive information to take advantage of the victim financially, engage in fraud, and possibly identity theft.” After the stealer has covertly accessed stored information, it will transmit the data back to the cybercriminal. 

Infostealers are commonly delivered by social engineering, such as malspam campaigns and phishing emails. Typically, attachments with malware are included in the email. The email likely has a “lure,” or a legitimate-looking trap to encourage victims to open the attachment or link and install the malware onto their device. Information stealers are on the rise and promise lucrative business opportunities for cybercriminals.

While researching for our piece “Pardon Me While I Steal Your Cookies – A Review of Infostealers Sold on the Darknets,” darknet analysts also learned many infostealers are offered in alignment with a malware-as-a-service (MaaS) or stealer-as-a-service (SaaS) rental model with subscriptions-based access to the malware executables and associated command and control C2 botnets.

Stealer logs are the logs that are extracted from what is generated from the information stealers. The logs contain credential data created after the information stealer has been installed on a device. After the malware (the infostealer) has gone through the system and extracted the valuable information, these logs are sent from the compromised machine to a C2 (command and control), controlled by the cybercriminal, and can be distributed from there, such as being sold on the darknet.

Autofill: a feature found in most browsers that will automatically populate previously entered information into form fields.

Cache: a cache is a system for the storage of temporary files such as web browsers and other media so that the page can be accessed without being downloaded again.

Cookie: text that is sent by a server to a web client, and returned by the client each time it uses that server. This technology is typically used for authentication of website users, session tracking, and also for maintaining information about the users.

Session Cookies: a file with a string of letters and numbers, known as an identifier, that is sent by a website server to a browser for use during a limited timeframe. A session cookie is sent with the browser request for a web page from a server. The session cookie communicates to the server which parts of a page the browser already has so that the server does not re-send them. When the browser is closed, the session cookies are deleted.

Persistent Cookies: persistent cookies are not deleted after the browser is closed and the sessions ends. Persistent cookies are data files that can give websites saved user preferences, information, settings, and login credentials.

Hardware Identifier: the Hardware Identifier is used by Microsoft in Windows. A hardware identifier is an identification string defined by the vendor used by Windows to match a device to a driver package. The particular HWID is produced when the operating system is installed. 

Why do Stealer Logs Matter?   

The information in stealer logs can give a cybercriminal the information they need for identity theft crime, financial crime, and could essentially result in a total online takeover in some cases.  

Stealer logs can obtain everything that you do on your machine. How many applications have not been signed out of? How many accounts open directly without credentials? How many cookies have you accepted? Do you log out of Amazon every time? Is your credit card saved to your account? A bad actor using information from a stealer log can get acces to all of this and more. Everyday mundane actions on the technology that we’ve come to rely on in our daily lives can be accessed, stolen, and sold.  

The data from stealer logs can be so useful to bad actors because of the types of data it can target and exfiltrate, including browser data and cookies. Browsers save information such as sites visited, search histories, cookies, cache, and autofill data.

Browsers are the applications such as Chrome, Safari, and others used to access the internet. Browsers save browser histories, which is a record of the sites the user has visited. Browsers save cookies, search history, download history, and cache. Browsers will also save usernames, passwords, credit card information, addresses, and more if the user elects for the browser to save that information.

This information also comes from autofill data saved to browsers. Exfiltrated browser data in a stealer log can give a bad actor a trove of PII (SSN, dates of birth, addresses, phone numbers) as well as financial information (credit cards) and credentials (usernames and passwords). A bad actor can combine this data and use if for theft and fraud against the victim.  

Cybercrimninals can access accounts by recreating credentialed sessions using cookies taken from victim devices by infostealers. If a bad actor has the cookie from an authorized credentialed session, they can re-create account access and get to the account. Even if the bad actor does not have the username and password to a site, if they have the cookie from the browser they can use that cookie to take the credentialed session to clone access to the account. The browser may recognize the credentialed cookie session as the victim logging in, not the bad actor. Email services and banks may not raise a red flag when a bad actor logs in with stealer log cookie data, because with cookies the actor is accessing the credentialed session.  

Another reason why stealer log data is so valuable to cybercriminals is because stealer log data tends to be more timely. Leaks and breaches can occur years after a user initially registered, and therefore the credentials (such as passwords) may not be up-to-date. However, stealer log data will contain the victim’s most recent details. A stealer log pulls the most recent passwords and credentials from the victims machine rather than the third pary where the account was registered.  

Even if a user is following healthy cyber-hygiene practices and changing their password every 90 days, a stealer log can make those efforts moot. Furthermore, a victim may not be aware an information stealer has infected their device even if they use antivirus software. When a user authorizes the action to download the malware, antivirus software will not be able to prevent the infection. Since stealers are typically downloaded by accident, can bypass antivirus software, can be difficult to locate  unless by an expert, and give the most up-to-date information, they are incredibly valuable to cybercriminals.  

Breaking Down a Stealer Log  

The following sections will break down the different components of a stealer log. Data is obtained from a stealer log found in DarkOwl Vision.  

Browser Data  

Many browsers will ask users if they want to save information that has been entered into forms (e.g. remembering a password for a website) while on that browser. A stealer log can exfiltrate saved browser information from a victim device and send it back to a bad actor.  

Figure 1 from DarkOwl Vision displays some of the browser data that can be found in a stealer log. In the example below phone numbers, dates of birth, usernames, and passwords have all been taken from saved browser data by a stealer log.

Figure 1: Source: DarkOwl Vision

Browser Data and Cookies  

Technological cookies are text that is sent by a server to a web client, and returned by the client each time it uses that server. This technology is typically used for authentication of website users, session tracking, and also for maintaining information about the users. DarkOwl analysts have observed cookies in stealer logs from the darknet.   

A bad actor who has access to cookies could use those cookies to recreate a victim’s credentialed session—meaning after they have signed in—to gain account access. Below data of a stealer log taken from DarkOwl Vision shows saved cookie information in stolen browser data from a stealer log.  

Figure 2: Source: DarkOwl Vision

Autofill Data  

The autofill data taken from a browser in Figure 3 gives a victim’s username and password to multiple accounts as well as the URL and application used. The username and password for the Google account as well as the scholarships.gov credentials could be used to impersonate and financially harm the victim. Additionally, any financial credentials saved on other sites with compromised usernames and passwords, such as Trip Advisor, could be leveraged by a cybercriminal.  

Figure 3: Source: DarkOwl Vision

In Figure 4, the autofill data from the stealer logs gives the victim’s phone emails, addresses, full names, dates of birth, and social security numbers. 

Figure 4: Source: DarkOwl Vision

Another file from the stealer log in Figure 5 distinguishes the most important autofill data. This way the most beneficial auto-filled data is readily available for a cybercriminal to use, and they don’t have to waste time searching for it.

Figure 5: Source: DarkOwl Vision

Domain Detects  

A file found in stealer logs observed by DarkOwl analysts contains a “DomainDetects.txt” file. This file gives access to the highest priority domains found in the log.

Figure 6: Source: DarkOwl Vision

Installed Browsers 

A specific file shows all of the installed browsers and versions of those browsers from the victim device.  

Figure 7: Source: DarkOwl Vision

Installed Software

Another file has all of the applications on the victim’s compromised machine.  

Figure 8: Source: DarkOwl Vision

This kind of information is especially helpful to investigators, as they can see what VPNs are being used. A bad actor could also leverage some of the information for advanced social engineering—from this entry we can see that the device has games including Grand Theft Auto and an Epic Games Launcher.  

User Information  

Finally, the stealer log contains a file called UserInformation with details about the victim’s device. This includes IP address, country, zip code, HWID (hardware ID), language, the height and width of the screen, time zone, operating system, UAC (user account control), keyboards, hardware’s, anti-viruses, and storage (RAM, MB, bytes).  

Figure 9: Source: DarkOwl Vision

Information taken by stealer logs can be used to defraud people in general and to identify specific individuals and machines. Individuals can be identified if their social security number is taken by the stealer. A machine can be specifically identified by certain kinds of hardware, including a HWID (Hardware Identifier) that is redacted but pictured in Figure 9.  

Final Thoughts  

Stealer logs are a reminder how fragile online identities and accounts are. At any moment, with the few wrong clicks of a button, everything could be taken over usually unbeknownst to the victim. Stealer logs are becoming more prevalent on the darknet and may soon replace leaks and breaches as cybercriminals’ preferred method for stealing credentials. The data is generally fresher than credential data found in leaks and breaches and individuals tend to be an easier target than a corporation with a security team. However, cybercriminals can also be victims of infostealer malware which could be very useful to investigators.   

Don’t miss any research from the DarkOwl team. Subscribe to email here.

Threat Intelligence RoundUp: November

Written by DarkOwl Content Team on . Posted in Blog.

December 01, 2023

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East – The Hacker News

Iranian cyber actors have run a campaign for the past year targeting various entities in the already conflict-laden Middle East. Victims include Jordan, Kuwait, Oman, Iraq, Israel, and Saudi Arabia. Tools used in the 8-month long campaign include custom web shells and backdoors, indicating an elevated level of sophistication. Read full article.

2. Boeing Breached by Ransomware, LockBit Gang Claims – Dark Reading

Threat group LockBit claimed to have infiltrated Boeing’s systems using a zero-day. Boeing appeared on the LockBit leak site at the end of October 2023, but they offered no proof of data or material belonging to Boeing. Article here.

3. General Electric, DARPA Hack Claims Raise National Security Concerns – Dark Reading

Notorious actor “IntelBroker” published their purported access into General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA), claiming credentials, military and other sensitive data was for sale. GE confirmed an incident occurred, but didn’t provide additional details. IntelBroker claims to have access to GE’s development environment. Read more.

4. Researchers Expose Prolific Puma’s Underground Link Shortening Service – The Hacker News

Prolific Puma is distributing phishing services, malware, and other scams via link shortening services. They have registered tens of thousands of unique domain names since the spring of 2022 and are consistently abusing DNS infrastructure in their efforts. They have not been observed advertising these services on underground markets as of yet. There is also no indication as to where Prolific Puma operates from or what language they speak. Read here.

5. Ardent Health Hospitals Disrupted After Ransomware Attack – Dark Reading

30 hospitals in the Ardent Health Services system have been hit by a ransomware attack, resulting in all emergency services being redirected. While Ardent is headquartered in Tennessee, the impact has been felt throughout six states. Learn more.

6. Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale – The Hacker News

A new bot, Telekopye, has emerged on Telegram. Actors are using it in seller, buyer, and refund scams. The criminal group known as the “Neanderthals” has pioneered the use, tricking innocent users to enter payment details to buy goods and/or services via emails or SMS that do not exist. The groups ensure use of VPN, proxy, and TOR technologies to remain anonymous. Read full article.

7. Meet the Unique New “Hacking” Group: AlphaLock – Bleeping Computer

Russian cyber group AlphaLock debuted on Telegram this week, advertising various services such as “training pentesters.” This is often code for ransomware operations, with Russian groups using this language as they don’t want to be seen as malcious ransomware actors. The group also offers customized online courses, directed to be used for training the future, and then using said newly trained actors to establish a marketplace on DDW forum XSS where they sell the pentesting services. Read full article.

8. Russian-speaking threat actor “farnetwork” linked to 5 ransomware gangs – Bleeping Computer

Russian-speaking actor “farnetwork” contributed to the Nokoyawa RaaS operation as a project leader and recruiter, and contributed to the development of JSWORM, Nefilim, Karma, and Nemty ransomware variants. The actor recruited for the various gangs, and actively speaks to analysts from various intelligence firms to promote their work. Their online aliases include: farnetworkl, jsworm, jingo, razvrat, piparkuka, farnetworkit. Learn more.

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Products

Services

Use Cases

Company

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.