
Okay, we're going to go ahead and get started. So I'm going to introduce Michael-Angelo Zummo. He is the Global Director of CTI at Cybersixgill. He is a US Marine Corps veteran who started his career as a Korean linguist and intelligence analyst, and he has served at the NSA, the National Security Agency, where he supported national security efforts against foreign threats. Currently Zummo assists enterprise organizations with their threat intelligence and threat hunting programs. How familiar are you with navigating in the shadows? Are you current with popular malicious tools on the dark web? Please welcome Michael Zummo.

Thank you. I've been talking all day, so I apologize if I take sips of water
throughout this presentation, but thank you all for coming. I know you guys have multiple presentations to choose from. I am Zummo; as Marina mentioned, I'm the Global Director of CTI at Cybersixgill. I see a lot of familiar faces from last year, so those of you that attended my presentation on threat hunting last year, thank you so much for coming and thank you so much for supporting me again. I hope not to let you down this time either. But today we're going to talk about some tools of the underground.

So last year, as I just mentioned, I came and provided some threat hunting training. Yesterday we also provided some threat hunting training to people who signed up, and we talked a lot about how to manage your own personas in the dark web, how to find sources where threat actors are distributing data, selling data, sharing malicious tools, exploits, vulnerabilities and things like that. Some of the most common threat types that we covered during those threat hunting exercises were initial access, phishing, supply chain compromise, valid accounts, fraud, vulnerabilities, you name it, right? We covered a lot of stuff. We focused a lot on the initial access, and the tools that we're going to show you today are related to that initial access part as well. One of the most common questions that popped up last year was, you know, we talked a lot about the threat actors, we talked a lot about the sources, talked about how to get access to the dark web, setting up a VM and stuff like that; one of the questions that came up was, well, what tools are they using?

So this year we wanted to analyze the underground. As you might remember, we call it the underground, not just the dark web. We analyzed the underground for the most popular tools that threat actors are using, tried to understand the why, tried to understand how they work, and then what do they do with it, or alternatively, what can you do about it to protect yourselves from these tools that threat actors are using every single day.

So we built a query similar to the threat hunting training last year, where we utilized a bunch of different key terms: leaks, cracking, hacking, logs, tools, phishing, credentials, brute force, you name it. There was more that we added to the list as well. And by the way, before I forget, my colleague Eric, who's not here, also helped out with this presentation and the research. A lot of the tools were broken, so we had to kind of fix them; I give him all the credit for that. But once we built our query we conducted our analysis in the underground, and in just a year's time frame, since the last time I was here at BSides Tampa, there were 324 million results from those sources that we collect from, or that we analyze, related to those key terms that we just showed up on the board. 88% of those came from messaging platforms like Telegram or Discord. We talked about the different sites or sources that threat actors are usually engaging on: forums, marketplaces, and Telegram is one of those sources that has become very popular because of how easily accessible it is, and some threat actors are just lazy and they don't care about getting caught. So it's no surprise that 88% of the 324 million results here came from those Telegram channels, where they've dedicated channels to info stealers, dedicated channels for data leaks, ransomware, you name it, you'll find it there. And then we had just 2% of them come from forums, but that gap is going to change once we dive into the specific tools here.

So as I mentioned, our goal was to find these tools, mostly from my own curiosity and to share with you all, but then to understand, well, how do they work? Is it something I can use myself, not being a developer or anything like that? And then determine what you can do about it: how can you fend off these tools, how can you prevent being a victim of these tools? That's what we set out to learn, and what we found was there are a lot of tools out there. There's a ton, and there's no way anybody can cover them all, but there are some that are pretty common that I'm sure you're all familiar with. njRAT is a RAT that's probably been around for two decades, maybe longer, or somewhere within then. It's a very common tool that you'll see across the underground, threat actors using different variations or flavors of it. You'll find credential stuffing tools like OpenBullet; there's a bunch of different ones out there as well, and these are very easy to use. And then info stealers: how many people here have dealt with info stealers within the last year? Quite a few hands. Pretty common right now, and we're going to talk about one of those, maybe. I don't know, maybe I just gave you a sneak peek; I shouldn't have done that. But we're going to talk about info stealers later on as well.

The first most common tool that we came across were credential stuffers. In the past year we saw over 449,000 results related to just credential stuffers alone. Of those results, 52% of them came from messaging platforms, so the Telegrams again, Discord, more so on Telegram, not as much on Discord, but there were some there. And then 45% came from dark web forums or deep web forums or even clear web forums, so that gap closed significantly there when we talk about credential stuffing tools alone. On the bottom left-hand side you can see a Telegram channel that is dedicated to OpenBullet configs, so threat actors on this channel basically just share pre-made config files for an OpenBullet instance. You'll also see them selling them there as well; some threat actors think they're difficult to build, so they'll sell them to threat actors, and they actually do make sales on those. And then on the bottom right-hand side we have an example from a dark web forum where a threat actor was advertising a release of SilverBullet, which is pretty much the same thing, it was just a different name, and it was a free version. But as you can see here, a lot of threat actors offer services nowadays, and once you download that tool you can upgrade to a premium service where you get whole support and everything like that.

But the most common one, and for those that attended threat hunting last year, you got a little sneak peek into this one: the most common credential stuffer tool that we came across was OpenBullet. Now, you can find OpenBullet 2 on GitHub. It's not very difficult to find; it's probably why it's so popular amongst threat actors. And on its GitHub page it tells you that performing DDoS attacks or credential stuffing on sites is illegal and don't do it, but that's exactly what this tool is used for more often than not. And again, a reminder: if you play with any of these tools after this talk, we're not going to become perpetrators and we're not going to become victims, right? So follow those rules that we talked about last year; if you weren't here, message me, I'll send you those rules later on.

But when we talk about OpenBullet 2, just OpenBullet 2, not SilverBullet, not any other credential stuffing tools, in just the past year there were over 144,000 results for OpenBullet 2 across the underground, just in the last year. And now you can see 84% of those results came from dark web forums and then another 15% from messaging platforms. So what this tells me is that for those OG hackers or threat actors that are just, you know, dedicated to the forum life, this is the tool that they're using when it comes to credential stuffing and initial access. Some of the reasons why I think it's so popular is that for people like me that don't like working in the terminal too much, it's got a pretty easy to use UI. It's very easy to install; you can just get it from GitHub, you don't have to worry about downloading it from some threat actor that's trying to trick you (we'll talk about that later), and it's extremely accessible. Additionally, everything that you need to operate that tool is available on the very same forums where they're sharing the tool. So here's an example: a little over 1.2 million results of Telegram channels, forum posts, pastebins, you name it, where they're sharing config files. These are basically just configurations of the tool, sending requests to a particular site to try and automate that credential stuffing. Over 1.2 million results dedicated to just that, for any credential stuffing tool, but certainly OpenBullet.

Once you have a config, whether you build it or copy and paste it from a threat actor, you could buy one, you could just use one that they share publicly, you might have to fix it a little bit, but they're there. Once you have that, the only other thing you need is a combo list, which is just a username and password file, where you can get any data leak. The AT&T leak, you know, was made public in the last three weeks or so, right? Over 70 million people. You load that into OpenBullet and now you can perform a credential stuffing attack against any target that you want. So AT&T is just one example, but there are tons, I mean hundreds of thousands, millions of credentials that are uploaded every single day to the underground. Some of them are valid, some of them are not, some of them are complete garbage, but it doesn't matter to you; you just need credentials to load into this tool and then let it run by itself to see if you get any valid hits. So you can find these anywhere on the underground and it doesn't take much time; you go to one source and you will find them. And then the last thing you need is a target, which you come up with yourself, and the
tool runs it on its own from that point. So to demonstrate this, can you play the video please? Sorry, caught you off guard there. We recorded ourselves using the tool and I'll narrate over this. We have our Kali box here. I already have OpenBullet installed, but again, you just get it off of GitHub; it's very easy to install. We're going to run the tool real quickly here, and if you can't see this too well, I do have a video of this, so just message me afterwards and I can send it to you. Now we have our fancy UI here of OpenBullet 2, and the first thing we're going to do is load in a config. Now again, I can get one from the underground, but just to show you how easy it is, we're going to build our own config ourselves, where we're just going to build an HTTP request to a site called demoblaze, which is basically like an e-commerce site where you can test automation and stuff like that, so there's nothing malicious here. We built a request to demoblaze. The next thing we need is our word list or our combo list; again, we can get those from the underground anywhere we want, but I just made my own here, where we have three usernames and passwords that I made up and just loaded into a text file. We're going to now take that file and load it into our tool, which you can see there, word list one, and then we're going to create a job. So now we're combining that word list with our config file. We're going to hit play, and again we're targeting demoblaze at this point. Because there were only three credentials in there it worked pretty quick; it would take longer if you had like thousands in there, but you can see we have one successful match, which was that test account followed by that random password here that I had at the end. And that's it. From there you can try and log into the account, escalate your access, and try and traverse the network or the account any way you can from that point. Can you go back to the presentation please? Awesome.

And that's really it. That's as easy as the tool gets, so any threat actor, from script kiddies to the most sophisticated actors out there, can use this to get that initial access or to find valid accounts to then try and find a way into the network. This is a great starting point for them. So what can we do about it? I think, like for everything pretty much when it comes to initial access, the very first thing that you can implement is multi-factor authentication, adding an additional layer to that login so that even if those accounts are compromised you have an extra step there to try and protect that account before a threat actor is able to get access to it. When it comes to credential stuffing, the threat actors are going to be targeting a specific site and performing multiple requests, sometimes thousands of requests, which could potentially shut the site down; but because they're sending a ton of requests in a short amount of time, you can implement account lockouts and rate limiting, so that if you see multiple attempts on a single account from suspicious indicators then you could just suspend the account automatically, or if you see lots of requests coming from the same IP or something like that, then you can just suspend it altogether. Password policies: enforcing stricter password policies. A lot of the leaks that we see are third-party leaks, where we see your employees that are using their work accounts to sign up for Netflix, LinkedIn, AT&T if they were in there for some reason; the passwords that they're using should not be able to access your own network, right? One, they shouldn't be the same passwords, but enforcing stricter password policies will help you ensure or protect those accounts even further, because with a lot of those lists, those third-party leaks we see, you just won't be able to log into your account if you have those appropriate requirements. So enforcing those will help. And then also enforcing more frequent resets, because even if an account is leaked out there and a threat actor gets their hands on a valid combination, if you have frequent resets then by the time they're able to try and exploit that account you might have already reset it, and you've added that little buffer there for you to mitigate any attacks. Dark web credential monitoring, or just underground credential monitoring: if you have some sort of feed or way to consume these leaks proactively, it will allow you to just take the appropriate steps and remediate these issues before a threat actor does try and attempt an attack like this or gets their hands on valid accounts. So we see this all the time; even if the passwords that you're seeing for accounts are not valid, just knowing that your employees' emails are out there, or your personal emails are out there, will give you an advantage in trying to just reset passwords or change any sort of account information that you can to prevent a threat actor from getting access.

That leads us into our next tool. I think in the previous talks we talked about phishing as well, or the most common types of tools in the kill chain, but phishing was, of no surprise, one of the most common tools that we observed in the underground amongst threat actors. I think most of you know what phishing is, so I'm not going to go ahead and read this definition for you, but to showcase how common phishing tools and services were, we built another query. This one was a little bit more specific; we didn't have to do too much filtering here to filter out the noise, but we basically looked for mentions of phishing, phish, scam, phishing as a service in different variations, and that also had template, kit or service in the post. Without those extra key terms there we had a bunch of noise, so we wanted to add some more parameters to try and find really good results. And then just in the past year alone, over 549,000 results for phishing alone in the underground. 69% of those came from messaging platforms, Telegram, and then we saw about 13% from forums, 2% from markets, things like that. And some examples here: again, Telegram on the left-hand side. There are tons of Telegram channels for phishing and fraud alone, but you can see here we have a channel where it wasn't just one threat actor; there were multiple threat actors on there that were just offering their services for phishing. In this case this threat actor was selling phishing kits for any site, any target that you want; they would build a phishing kit for you. In some cases I saw them selling the service for as little as $50 to threat actors. And then on the right-hand side, there's no shortage of threat actors looking for pre-made phishing kits or phishing services as well. You can see in this case this threat actor was looking for a Santander email template or phish, and they meant PM, not PN, for a private message. But what I didn't screenshot here is all the threat actors that replied to this post saying "hey, I got you", things like that, "I'll PM you". So it's a very common tactic that you'll see by threat actors that are just too lazy to go find it themselves; they'll just say "hey, I'm looking for this" and then you'll have a bunch of threat actors that reply to them immediately. And then here's another example from a primarily Russian-speaking forum. You might be able to recognize this because it's both in English and Russian, so you might know what site that's coming from; it's Exploit. But you could see this threat actor was selling crypto scam pages and phishing pages. Some of the ones they advertised were crypto.com, Uniswap, OpenSea, and then further down in the replies they actually expanded beyond crypto and targeted just banks in general.

So when it came to phishing tools, there honestly was a pretty wide variety of tools that we could have used. A lot of them came from the threat actors themselves, and we wanted to save engaging with threat actors for a very specific tool which will be coming up. So in this case we just went with the tool that was the most accessible, which was a tool called evilphishing, which is again available on GitHub; you can just go find this on GitHub and install it. It's kind of funny, it just shows again how lazy threat actors are, just like us, or like me I should say, where all the documentation says evilphish, but the tool when you download it is called evilphishing. It's just something that stood out to me. And in this example we decided to just target ourselves, Cybersixgill, where we have a user portal, portal.cybersixgill.com, and my colleague and I said let's just build a phishing page for a site that all of our consumers or all of our users go to and see if we could trick ourselves into using a phish. And that's exactly what we did. To do so, there wasn't a good way to record this one, so we just took snapshots of the steps here. But basically, once you install the tool from GitHub, you need to save a copy of the HTML for the site that you're targeting, in this case we targeted our site portal.cybersixgill.com, and then once we saved the copy of our HTML we ran a command in the terminal for evilphishing, which was the backslash new page, which created a copy of that HTML, and then we had to save it in this web pages folder that comes with the tool. From there we have to run the evilphish command to actually execute the tool, and in this case we ran it locally; we didn't want to actually, you know, host this on the Internet or anything like that, then our company would find out that we were doing this, so we didn't do that. But we ran it locally, and you can see that the tool is now running on the bottom: "attack is running, just wait for victims to connect". So we took a look at our scam page, and we didn't update the HTML or CSS, but you could see it did a pretty good job at just making a copy just by the commands that it gives you. For people like us, we might log into our own page, a page that you log into every single day, and you're like, why does this look broken? But for the unsuspecting victim, the people that aren't educated in this, every day they might not think anything of this and just still enter in their credentials like they would any other day. In this case, if I put test/test in the credentials field here, you can see the tool will immediately inform me that somebody put their credentials in, and then I could take those and try and log into their account on the real site. And that's it; that's exactly how the tool runs. So again, ideally, or in a realistic situation, a threat actor is going to host a phishing site, whether it's a typosquat or something like that; they're going to redirect users to that site, get their credentials, steal them that way. We did it locally.

But what can you do about phishing? I think a lot of organizations do this really well. There's a credit union out in Texas that we are very close with that has a fantastic phishing program where they actually phish their employees every single week, which would sound like it's traumatizing for them, but the employees actually like it because they have giveaways when they do a good job. But all they do is training and awareness, informing your employees about these types of threats and giving them the resources and knowledge that they need to identify these threats when they happen. I think for us, every time we hire new employees, like a few days after they start working, a week after they start working, they get a text message from our CEO asking for gift cards, and it's like, you know, for us again this is obvious: okay, it's not our CEO, they wouldn't ask me for gift cards. I hope not; I hope they wouldn't ask you for that. But that is a scam that apparently works, because threat actors keep using it. And then you factor in AI, like in the previous talk, and all the different models that are coming out, it makes it even more difficult to identify, but through training, through effective training, I think you can put up a good defense against these types of attacks. So always verify your senders of emails and use filters when possible; there's plenty of tools that help you try and filter out as much of these phishing scams as possible. Again, enable two-factor authentication for just that extra layer of protection. Implementing typosquatting and domain monitoring, so monitoring for any registered lookalike domains that are trying to trick your users. I know for a lot of organizations, especially in the financial sector, it could be very difficult and you would have to rely on your consumers to report these scam pages or these emails for you, but having some sort of methodology in place so that you can receive those reports, identify these, and then take those sites down or block them from your network will be integral in preventing these types of attacks. And then of course, just like we showed on the previous slides, monitoring the underground for any threat actors that are specifically targeting you, your enterprise, your organization, that are selling services to build phishing kits targeting your organization, or to monitor for threat actors that, like in the Santander case, are requesting phishing kits for your pages to try and trick your employees or your consumers into giving up their credentials.

And then we have our last one: stealer malware, info stealers. Again, a lot of you raised your hands. These are
things that you've been dealing with over the last year, but probably over the last two or three years is when they've, you know, started to really pick up their momentum. Stealer malware is just malicious software typically distributed through spam emails, malicious websites and software downloads, and there are a ton of different flavors nowadays for stealer malware. We have examples like the Vidar stealer, Lumma stealer, which is very popular right now, and RedLine stealer, which is the one we talked about last year in the threat hunting, where I showed you guys one that I actually purchased, an account compromised by RedLine stealer, and showed you what the output looks like once you purchase one of those. You can see this one's got a dedicated Telegram channel for support; they all pretty much do. But those are just three of the ones, and then we also have stealers like Azorult, Raccoon stealer, and then many, many more. To see how common these threats are these days we really only had to look at one site. We can look at all the sites, but to show their significance there's one site that we need to show, which is Russian Market. Who's familiar with Russian Market? I see lots of hands. This site is dedicated for vendors, threat actors that are using any type of info stealer to compromise accounts, and then they can sell them on this marketplace on the dark web. I think they do have a clear web link too. And just to show the significance, just in the past year, from January 1 to January 24, there were over 7 million compromised endpoints listed for sale on Russian Market alone. That's just one source, and there are a ton of sources where you can find compromised accounts that were captured by info stealers. And again, some of the top ones we observed on this site were Raccoon, Vidar, RedLine and Lumma; as you could see, 100% of these came from Russian Market. Now, we observe the publication of compromised accounts from info stealers, or stealer logs, across all these different sources, and just a small little snapshot, this wasn't a year's time frame, this was just like a month, from other sources: you can see 19,000 results from sources like Telegram, dark web forums, other marketplaces, even on paste sites where threat actors are just uploading logs for free. You can see some examples here, like "free chat", "free logs" from the Telegram group in the middle there, and then we can see some for sale down here at the bottom. Threat actors often try and boost their reputation, because they're not going to sell anything without any, you know, trust amongst other threat actors, so they'll just distribute these for free across the underground, and these are things that we can collect and analyze to try and understand: are any of our users compromised, are any of our employees compromised that we need to know about? So you'll find stealer logs and info stealers pretty much anywhere on the underground, but most definitely on marketplaces.

So we tried to look for one that we could crack ourselves or try and utilize ourselves to show how it works, and it's pretty simple. The one that we came across was the Vidar stealer. This is an older version of Vidar; it was all in Russian, and finding this stealer was kind of a pain, because what we found, oh, did I skip ahead here? What we found is that, of no surprise, there's a lot of scammers amongst threat actors. They've got no shame, they don't care, they're going to trick you. One of those scammers that we came across was this threat actor, Adrick AD, and you can see this threat actor is pretty active: we have their Discord handle here, we have a number, their ICQ address, their accounts on Frauder Crew, Cracking Mafia, Old BB, those are just to name a few. And every time my colleague Derek and I thought we found a tool, like in this case Crypto Clipper, we downloaded the tool and it was a virus; it wasn't an actual tool. This was from Adrick AD. The next tool we found, Anarchy Panel RAT, as you could see on the bottom, Adrick AD, another scam. And then again, Nimrod stealer, which was a stealer I hadn't heard of. I'm like, is this even real? We downloaded it, it wasn't real, it was a scam, and it was Adrick AD again. There's my timer, how I keep pace. So this guy, by the way, these were multiple sources that we got these scams from, and every time it was Adrick AD again. One of my rules that we talked about last year for threat hunting was building a VM using something like Tails, or setting up a dirty machine, so that if you do happen to install a scam or a virus like I did, you're not at any risk, right? So make sure again we're not going to be a perpetrator, you're not going to be a victim, if you try to do this on your own.

But finally we found a cracked version of the Vidar stealer, also known as anti-Vidar according to the documentation, and we got it from this Hack Pack 2022. Back in August we downloaded this, which actually contained a bunch of different tools; there were a bunch of different files with all these types of different clippers and credential stuffers, a bunch of different tools that were available in it, one of which was that Vidar stealer. And the funny thing about it was, once we got through the files, we were trying to figure out what was wrong with the tool because it wasn't working correctly, so we went back and investigated, and it was Adrick AD again. He actually stole all these files from somebody else and then just republished it and called it the Hack Pack, because once we dug into the tool we found the original author, which you'll see here in a second. So this guy just tried to take credit from somebody else, and we probably installed another virus, but we didn't check this time. In this case, again, the tool was a little broken, so we had to play around. And I do want to mention that, because we did this on our own, we had to create a local Apache server, open up the ports, we then created a MySQL database in the back end, and then we had to create the actual Vidar stealer executable, the malware itself, to infect victims with. So once we had our admin panel set up, we then had to link that admin panel to our Vidar stealer, and this is where we learned of the actual author, which was "Vidar cracked by scales007". So once we linked it to our admin panel that we created, we got this nice little confirmation, "file created", and then we had our malware. And then from this point, instead of, yeah, we thought about maybe infecting one of our employees and then, like, saying "hey, you got compromised", but we didn't do that, that was unethical. We instead infected another machine that we set up for ourselves, where, some of you might recognize the address here, which is me as one of my personas. We infected that machine, where we saved our Proton credentials in the browser, and once the Vidar stealer detected those credentials, it reported back to us on the admin panel like you see here, where it gave us a glimpse of the user information, and then it provided the full log file here to download to get all the other accounts that were compromised. And that's pretty much it; that's exactly how the tool worked.

Once they're compromised, typically the threat actors don't even use them themselves; they instead sell it on marketplaces like Russian Market, and this is an example of a Vidar stealer post by the threat actor on Russian Market back in, what's that, November, where somebody in Florida was compromised by the Vidar stealer and both their Facebook and Google accounts were listed for sale for just $10. And we see this every single day. Myself and one of my colleagues here that's in the back of the room somewhere also purchase these for our users all the time, to try and get their employee emails and their consumers off this market, to prevent them from getting compromised. And so one thing I want to note before I go over what you can do about it: again, we took the tool ourselves, we found a cracked version, so it is an outdated version, but we got it to work. We infected ourselves with it to test the outcome, but in most cases we saw, if a threat actor wanted to utilize any of these stealers, the threat actors that create them usually offer them as a service. So you can go to a Telegram channel like RedLine, for example, you pay 100 bucks a month and then they help you onboard their stealer for whatever attacks that you want to perform, and then they manage everything for you; they basically just send you the log files once you've compromised some of those accounts. So a lot of the process that we went through is a little bit challenging for me; I give a lot of credit to my colleague. But if you're a threat actor that is not as sophisticated, or you're a script kiddie, you can literally just pay 100 bucks a month for any of these other stealers, Lumma, RedLine, and then the threat actors that publish those stealers will just run it for you basically, and then the logs are yours to use however you wish.

But what can we do about it? Again, we're going to educate your employees. I already went over that so I'm not going to beat a dead horse, but educate your employees, making sure that they're not clicking on malicious links or suspicious links. You know, we analyze a lot of these compromised accounts on these marketplaces, and there's a trend of the types of sites associated with the accounts that are compromised. We see their Facebooks, we see their Instagram accounts that are compromised, but those aren't ones we're really worried about. It's the pornographic sites that show up on these accounts as well, the suspicious, like, gaming cheat sites, places where users will go to get cheats for whatever game they're playing; those are probably the sites where they're downloading this malware and infecting themselves. So being able to identify those, analyze those, and use that to block your users from accessing them from their work devices will definitely help you mitigate as much of these attacks as possible. But also install an antivirus to help detect any infections. Consume indicator feeds: I have on the next page here some examples of indicators just for the Vidar stealer alone, so there are a bunch of feeds that will report indicators related to any of these stealers that you can use to proactively block these threats, whether they're the links that are being shared to trick users into installing it, or IPs, or any of the sites that are known to be passing this malware on to victims. You can use that information to block from your network so that your users can't, you know, accidentally click on these, or intentionally click on these if they are. And that's it.

But to sum it up before I open it up for questions: again, my goal here was to show you some of these tools that are accessed by threat actors every single day. You saw how common they were amongst those threat actors across the underground and just how easy they are to use, and how much damage they can perform with these tools. So I hope you learned something from this presentation and you can take that back to your organizations or your personal lives to better protect yourselves from being impacted by one of these tools yourself. So thank you.
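Added example, not part of the talk and not Cybersixgill's or OpenBullet's code: the account-lockout and per-IP rate-limiting controls the speaker recommends against credential stuffing, written as detection logic that runs over a constructed login log. The log line format, the thresholds, the IP addresses and the usernames are all assumptions made up for this example; tune the thresholds to the site you are protecting. It flags three things the talk describes: one source address spraying a combo list across many accounts, one account being guessed repeatedly, and the "successful match" a stuffing tool is hunting for, which a defender should treat as a compromised credential.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are constructed for this example; tune them per site.
ACCOUNT_FAIL_LIMIT = 5                # failures on one account -> lockout
ACCOUNT_WINDOW = timedelta(minutes=15)
IP_RATE_LIMIT = 20                    # attempts from one IP per IP_WINDOW
IP_DISTINCT_USER_LIMIT = 10           # distinct accounts tried from one IP
IP_WINDOW = timedelta(minutes=1)


def build_sample_log():
    """Constructed login events, one per line: '<ISO time> <src_ip> <user> <OK|FAIL>'."""
    base = datetime(2024, 4, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} 198.51.100.4 alice FAIL",
        f"{(base + timedelta(seconds=20)).isoformat()} 198.51.100.4 alice OK",
    ]
    # One address sprays a combo list across many accounts, two seconds apart,
    # and finally lands a valid hit on the 'test' account.
    for i in range(1, 11):
        t = base + timedelta(minutes=1, seconds=2 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 user{i:02d} FAIL")
    lines.append(f"{(base + timedelta(minutes=1, seconds=30)).isoformat()} 203.0.113.7 test OK")
    # A slow guess against a single account, rotated across two addresses.
    for i, ip in enumerate(["192.0.2.9", "192.0.2.9", "192.0.2.10", "192.0.2.10", "192.0.2.9"]):
        lines.append(f"{(base + timedelta(minutes=5 + i)).isoformat()} {ip} bob FAIL")
    lines.append(f"{(base + timedelta(minutes=10)).isoformat()} 192.0.2.9 bob OK")
    return lines


def parse_event(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class StuffingDetector:
    """Sliding-window counters that decide when to lock an account or throttle an IP."""

    def __init__(self):
        self.account_fails = defaultdict(deque)   # user -> failure timestamps
        self.ip_attempts = defaultdict(deque)     # ip -> (timestamp, user)
        self.locked_accounts = set()
        self.throttled_ips = set()
        self.alerts = []                          # (kind, subject, timestamp)

    @staticmethod
    def _expire(dq, now, window, key=lambda item: item):
        # Drop entries older than the window so counts reflect recent activity only.
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def feed(self, line):
        ts, ip, user, ok = parse_event(line)

        # Per-IP rate limit: too many attempts, or too many distinct accounts,
        # from a single address inside the window is the stuffing signature.
        attempts = self.ip_attempts[ip]
        self._expire(attempts, ts, IP_WINDOW, key=lambda item: item[0])
        attempts.append((ts, user))
        distinct_users = {u for _, u in attempts}
        if ip not in self.throttled_ips and (
            len(attempts) > IP_RATE_LIMIT or len(distinct_users) >= IP_DISTINCT_USER_LIMIT
        ):
            self.throttled_ips.add(ip)
            self.alerts.append(("THROTTLE_IP", ip, ts))

        # Per-account lockout after repeated failures inside the window.
        if not ok:
            fails = self.account_fails[user]
            self._expire(fails, ts, ACCOUNT_WINDOW)
            fails.append(ts)
            if user not in self.locked_accounts and len(fails) >= ACCOUNT_FAIL_LIMIT:
                self.locked_accounts.add(user)
                self.alerts.append(("LOCK_ACCOUNT", user, ts))
            return

        # A success from a throttled source is the "valid hit" a stuffing tool
        # reports; treat the credential as compromised and force a reset.
        if ip in self.throttled_ips:
            self.alerts.append(("COMPROMISED_CREDENTIAL", user, ts))
        # A success on a locked account means the lockout was not enforced upstream.
        if user in self.locked_accounts:
            self.alerts.append(("LOGIN_ON_LOCKED_ACCOUNT", user, ts))


def analyze(lines):
    detector = StuffingDetector()
    for line in lines:
        detector.feed(line)
    return detector


if __name__ == "__main__":
    for kind, subject, ts in analyze(build_sample_log()).alerts:
        print(f"{ts.isoformat()} {kind} {subject}")
```

Run on the constructed log it raises four alerts: the spraying address is throttled once ten distinct accounts have been tried from it, the later success on the test account from that address is flagged as a compromised credential, bob's account is locked on the fifth failure, and the success on bob that follows is flagged because the lockout should have denied it; alice's one typo and successful retry produce nothing. The distinct-user rule matters because a stuffing run can stay under a plain per-IP request rate while still touching far more accounts than any real user would.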