Malware is nothing more that burglary tools. Cyber researchers have recently shed light on a Dark web marketplace called “In the Box” that is designed to specifically cater to mobile malware operators. The actor behind the criminal storefront, believed to be available since at least January 2020, has been offering over 400 custom web injects grouped by geography that can be purchased by other adversaries looking to mount attacks of their own. The automation allows other bad actors to create orders to receive the most up to date web injects for further implementation into mobile malware noted cyber threat investigators.[1]
In The Box may be called the largest and probably the only one in its marketplace category providing high-quality web injects for popular types of mobile malware. Web injects are packages used in financial malware that leverage the Adversary-in-the-Browser (AitB) attack vector to serve malicious HTML or JavaScript code in the form of an overlay screen when victims launch a banking, crypto, payments, e-commerce, email, or social media app.
These pages typically resemble a legitimate bank login web page and prompt unwitting users to input confidential data such as credentials, payment card data, Social Security numbers (SSN), card verification value (CVV) that's then used to compromise the bank account and conduct fraud.
In The Box is accessible over the Tor anonymity network and advertises a variety of web inject templates for sale, with the listing accessible only after a customer is vetted by the administrator and the account is activated. The web injects can be either purchased for $100 a month or as an "UnLim" tier that enables the buyer to generate an unlimited number of injects during the subscription period. Costs for the unlimited (“UnLim”) plan vary anywhere between $2,475 and $5,888 depending on the supported trojans. Some of the Android banking trojans that are supported through the service include Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo.
In The Box marketplace may now proudly be called the largest and most significant catalyst for banking theft and fraud involving mobile devices. The significance of findings is highlighted by the quality, quantity and spectrum of the available malicious arsenal. Currently, cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, ecommerce, payment systems, online retailers, and social media companies from over 45 countries including the US, the UK, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. The supported organizations targeted by cyber criminals include Amazon, PayPal, Citi, Bank of America, Wells Fargo, DBS Bank, etc.
The majority of high-demand injects is related to payment services including digital banking and cryptocurrency exchangers. During November 2022, the actor arranged a significant update of close to 144 injects improving their visual design. The development comes as Cyble disclosed a new Malware-as-a-Service (MaaS) operation named DuckLogs that's marketed for $69.99 for a lifetime access, giving threat actors the ability to harvest sensitive information, hijack cryptocurrency transactions, and remotely commandeer the machines.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/12/darknets-largest-mobile-malware.html
Comments