
Yes, thank you. I'll introduce myself as people are filtering in and settling down. Good afternoon, my name is John Shier. I work at Sophos in the Office of the CTO and I'm a security researcher. What that means is I don't work in the labs, but I work with the labs, and we look at security as more of a broader discipline than just threat protection. What's great about that is that we're able to look at all sorts of things that aren't necessarily just related to malware and threat protection.

The way that this talk came about was that a colleague and I were wanting to develop some new material, and we thought it'd be interesting to see what it takes to become a cyber criminal, basically, if you've got no skills. That whole idea came into our heads thinking, well, the dark web seems to be one of these places where people go to get stuff, right? I'll also show you some stuff. But we thought, can you actually do this? Can you start from kind of zero, as somebody who's got some technical acumen but not a lot, and then stitch together what some people would consider a complex attack? That's really what we're going to do today. I'm going to show you, and I'm doing all of this live. I've got literally three slides; the rest of it is all live.

I have to put this up because when you're on the dark web and you do searches, sometimes some unsavoury things come up. If it does, it's not on purpose; I will get it off the screen as quickly as possible. But don't blame me, blame the dark web.

All right, so you want to be a cyber criminal. What would you do? Well, this is going to be our agenda slide, and then we're going to go into the demo. The first thing you really want to do is inform yourself. Well, how do you get on the dark web, right? So you start doing Google searches and all those kinds of things, you end up getting on some forums, and I'll show you some of those forums. But really what you need to do is get some sort of seed money, some cash, and, well, the dark web only operates on fake money, so you've got to get yourself some bitcoins, and from there you're able to do all sorts of things.

This is really what we mean when we talk about complex attacks; this is kind of what they look like, right? You've got some phishing that has maybe a link to a compromised web server that can deliver you an infected doc that maybe has some botnet software in there, and then eventually you download some ransomware, encrypt your victims, and profit at the end. That's what we're going to try to do today: we're going to try to make this complex attack chain a reality by simply going on the dark web and seeing what we can find.

All right, so let's do that. Without further ado, a lot of times people start off with the dark web by going to places like this; they go to Hack Forums. Hack Forums is, it's all right, you know, it's got a lot of script kiddies in there, it's got a lot of stuff that is of dubious origin, and sometimes this stuff is just a bunch of scams, right? But there's a section here that's dedicated to teaching you about some of the markets that are out there, and for sellers to maybe contact some of their audiences as well.

Another place that you might eventually end up is something like the Deep Web, and this is a website that's available on the surface web as well as on the dark web, but it's just an aggregator for news about the dark web and what's going on. Here you start to get a hint as to the kinds of markets that are available. You can see here are the top markets, and this is interesting: you can see there's green and red. Green obviously means go and red means it's no longer available. Doing this talk is always interesting because a lot of the time I find that sites just go up and down, and for whatever reasons, either the crooks lose interest, they get busted, or law enforcement sometimes takes over and clones these sites and does all sorts of other things.

As we move around the dark web we see things like this. This is apparently an estate seller, a real estate firm in the UK, that has a presence on the dark web. I don't know why, but I guess they don't want to exclude any of their audience, so they have a surface web presence as well. As you go down the rabbit hole a bit further you see stuff like this a lot, right? So you can make America great again by clicking the wolf to MAGA; I have no idea. There's some techno that's playing in the background usually, but you see a lot of sites like this, just people trying to test out the dark web and seeing what's in there. However, if you want to make America great again, you could go to this site where for $5,000 you can become a US citizen. I've got some American friends that said to me, for $5,000 they would have revoked their citizenship these days.

But you can find hitmen, apparently. So this is the only real killer on Tor, and he's already been visited; there's a disclaimer on his site further down here that says beware of copycats, basically beware of phishing sites. So other people will take his site, legitimate or not, and they'll try to be the Venice man killer. After that we have things like this; this is interesting, might be interesting for you guys: apparently these guys will give you tips on fixed football matches. You just give them a bit of Bitcoin and they'll give you a tip, and you can go to the bookies and get yourself a bet on Man United or whomever. And then finally there's the happy unicorn, right? If you want good luck for seven years you just need to send bitcoins to this address. I checked their Bitcoin wallet; there's zero money in there, so nobody's got good luck these days.

All right, so that's really a lot of the fun, but if we were to start really wanting to go down this rabbit hole of becoming a cyber criminal, one of the things we need to do is obviously get some money. What you might want to do is maybe buy some of these skimmed and cloned cards, and you can see "skimmed in the USA", and that's really important, because in the USA they still haven't caught up to the rest of the world, which is chip-and-PIN; they're actually doing chip-and-signature, which doesn't make sense, but they still use a lot of mag stripes. In the US, when you go to pay for something at a restaurant, for example, your card disappears; it goes into the server's hands and then they usually go to the machine, swipe it, and then come back to you, whereas in the rest of the civilized world they bring the terminal to you, right? So this is why this is still a big problem in the US, and most of the skimmed cards are coming from the US because of that particular problem.

So you could go this route, or you could go, let's say, to the Tor market, for example, and buy yourself some dumps, some credit cards. You can see that these get updated. Now, the legitimacy of a lot of these markets is dubious, because I'm not going to go and start buying these credit cards and testing them to see if they are real, because I would obviously be giving money to criminals and buying stolen goods. But we know that some of these are indeed real, because we have seen, you know, you can do a Luhn check on the credit card numbers and they do indeed come out real. But these guys, if we click on, let's say, the "buy CeCe's Brite credit cards", right, we can see that there's a recent dump.

And of course I need to log in again. This is what I was afraid of when you're doing live demos, and then you have a bit of time, so you're going to see how super-secret my passwords are, and I've got to get the captcha right. OK, hopefully I don't have to do that too many times as we go along here. But in the Tor market you can actually browse listings of credit cards, and you can filter down as well, which is important, because when you're buying credit cards, if you're going to use them for fraud, you want to make sure that you're not buying, let's say, an Italian credit card and using it in the UK, because that can actually trigger the fraud algorithms. So what you can do is go down here and say, all right, well, we're in Britain right now, so we're going to apply the British filter and it's just going to show us cards from Britain. Now, I don't want to scroll too much, because unfortunately there's some GDPR non-compliant information here, but you can see that they give you a bit of information depending on the level of skimming that they've done, or the level of carding that they've done; they'll have additional information. These ones are 13, I believe these are dollars, but you can also go to the sale bin, and these guys often have sale bins. As the cards get older and older they'll just chuck them into the sales section, and then you'll pay, in this case, five dollars and sixty cents for a card as opposed to the 13 dollars that it was before.

All right, so what we want to do now, because we want to get some bitcoins, right, we want to buy services, the first thing we're going to do is take our 100 quid that we have, because I'm the 400-pound hacker in my basement, as Donald Trump likes to say. I'm getting my hundred quid, I'm going to buy some credit cards, and that's going to be the start of how I'm going to build my little malware empire. The way I can do that is with services like this, like Coinmama; you can actually buy bitcoins directly with credit cards. So you're going to take those stolen credit cards and buy more bitcoins. One of the interesting scams that's been happening recently is this thing right here, these "multiply your Bitcoin" sites. I believe most of these are scams, but these guys are saying that basically they've discovered a flaw in the blockchain and they're able to multiply a Bitcoin, so that if you pay them 0.01 BTC you get one back. So you need to give them the bitcoins and they're going to give you back 10 or 100x that, right, sure, in 24 hours basically. But we're seeing a lot of these scams out there, so people are probably making some money off this from the people that aren't as savvy and just decide they're going to give bitcoins away to anybody who asks for them.

So the next step, now that we've got some bitcoins, because we used stolen goods to get our bitcoins, is we want to start figuring out, OK, well, what kind of services do we potentially need? You could go to this guy over here, the Rent-a-Hacker, and there's a bunch of these out there. It's just basically advertising that, hey, I'll hack for whatever and I'll do anything you want, basically. There's always a list of technical skills. I like that this guy says "I'm not some crappy European country here", so he's a real hacker, but he lists his technical skills: he's got web skills, some C programming skill, he does zero-day exploits and so on and so on. That's one way that somebody could actually do this, and people do get paid to do this stuff on the dark web. However, we want to do it ourselves, so the next thing we want to do is probably go to one of these markets.

Now, Dream Market is probably the, you saw that earlier on the Deep Web, OK, nothing offensive; this is the one that's basically taken over from AlphaBay and then Hansa, as those two markets were shut down by law enforcement, which is a really interesting story in and of itself, but I don't have time for it. This is where everybody flooded to, and most of the premium sellers and the people that are having some success on the dark web in terms of selling their goods, you're seeing this on Dream Market. So the first thing we might want to do is type in something like "phish", for example, and if my login hasn't expired it will go ahead and show us the results. What you're going to see here is that there are different kinds of services, right? There's phishing tutorials, there's stuff about carding, you can develop an E-Trade phishing page, I never know what's going to come up, so we can just scroll down a little bit and see all the different kinds of phishing, an Apple phishing page. So you could go over here and learn all you need to know about phishing, and then you could probably search for some compromised web servers, for example, services that you could load your phishing page onto.

Or you could go the other route, which is, if we log in to our little friend here, the Windows 7 machine, which I'll do some live demo on as well, you could find a page like this. I just found this page about 20 minutes ago, and it's an AT&T phishing page, as you can see. But what's interesting, and the reason that some of these things get popped, is that the web servers are poorly secured. If I simply take off this bit right here and go back one, you can see, all right, well, there's some text files there; let's go back one more. Now this is interesting to me, and I'll make that a little bit bigger for you guys, this is interesting to me because some of these look familiar, like "BTW", hmm, I wonder what that is. So we go over here to BT, we click on index.html, oh look, it's a BT phishing kit. A lot of these guys, when they compromise a website, will load a whole bunch of different phishing kits on the same site. But what they sometimes do too, which is really fun for me, is they leave the zip file with all the code in there. In this case they didn't, but the last one I looked at they did, and so you're able to grab that phishing kit. If you don't want to buy it, we're criminals, right, so we're just going to steal it anyway; you can grab one of these phishing kits.

This is a very typical one that you see that gives you the opportunity to phish all sorts of different people, even the AOL users, the three of them that are still out there, and anybody else who's still on Yahoo. You go in here and you put in your email address, for example, so princess@gmail.com and whatever password. What I like about this one is they also try to get some additional information out of you, so they ask you for the secondary verification methods, right? That's really good as a phisher; you can now have some additional information to potentially compromise that account with the additional verification options. So I'll say, tell us your phone number, so four-four and then a bunch of numbers; it doesn't really matter, I don't think.

And then this is the next step of our attack. In the attack that I talked about I said, OK, let's phish somebody. So now I'm becoming a criminal mastermind, because I'm thinking, well, I can phish people for credentials and I can sell those off and start making a bit of money over there while I compromise people at the same time. The next thing I wanted to do was deploy a document that was infected, which is, you know, invoice.docx; you see those very often. When you log in to this site it automatically downloads that, because if you caught on to what the site was before, it was a DocuSign phishing site; you're expecting a document at the end of this, because I've sent you an email that says, hey, there's a document here waiting for you, you need to log in and grab that document, and so at the end I'm giving you a document.

All right, so what am I going to do with that document? How am I going to infect you? Well, there's a bunch of different ways you can do that, and these are all tools, again, that are available. There are these things called doc builders that provide you with a template and a program so that you can grab malware and any kind of document template, an invoice template, it could be a spreadsheet, it could be anything really, and they'll just merge those two together and provide you with a finished product that you can then load up into that phishing page that the user will then eventually open up and click on. Here's an example of one that's basically all written in Python, and you can see here it gets some random bytes, it writes the file out, and really all that is, it's just trying to become a little bit more polymorphic. The code itself is all obfuscated in base64 hex here, and then if we go down to the very end, you can see that, that's End, there we go, if I can do this, it's not, there we go, it's not the Windows key, it's the function key. When you get to the end over here, eventually they give you the very simple usage, and this is where, when we talk about getting tools from the dark web and we talk about the cyber criminals that are behind this stuff, this is where we start to see the ease of use with which they want to provide their products, because they want to make it as easy as possible for anybody to use this. So without any real technical acumen whatsoever I can simply put in "python", space, the script itself, and then malware.exe is basically the payload, as well as a couple of decoy documents if I want, and that's really all you need to actually build this document.

Or you could go this other route here, which is the GUI-driven route. This is an extra that we picked up not too long ago; it's called Ancalog, the other one was called AKBuilder, and these are the two different versions of the AKBuilder or Ancalog story, so a version 1 and a version 2. You can see that over time, as this guy's made some money and maybe improved his exploits or something like that, he's added more functionality over here: very basic over here, but over here now we've got some additional stuff. We've got some hosting potential here: if you don't have a compromised web server that you can put this document on, they will host it for you, for example. And I always love that with all of these tools they always say something like "this is for educational purposes only". You can't read that, but you'll see that over and over and over again in these tools, like that's going to get them out of trouble if they get popped by law enforcement.

So now we've got a way to phish the user and deploy a document, we've got the document that we can build, and the next thing is, well, we need a payload. What are we going to stick in that malware argument, for example, as a payload? Well, as I'm thinking about becoming a criminal mastermind and building up my criminal empire, I'm thinking maybe botnet software would be a really good thing to do, because now I can actually control a computer. If we go back to Dream over here we can see that there's something called BetaBot. Now, BetaBot has been around for quite some time and it's available for, what's the price, seven dollars and seventeen cents. Now, when this first came out it was not seven dollars and seventeen cents; it was quite expensive. What this is is a pirated, cracked version of BetaBot, and you see this a lot on the dark web right now, where some criminal will either steal or buy the legitimate full code and then they'll just turn around and crack it and deliver it to anybody for anywhere from $1 to $20. This is a really good example of how that happens, and on Dream there are many different versions of BetaBot that are available for sale that are all cracked and pirated.

Then if we go back to our machine here, there it is, a cracked and pirated version of BetaBot. But this is a fully fledged botnet control panel that has a lot of functionality; the people that were behind this really spent a lot of time making sure that this was a robust botnet kit. I'm going to make it a little bit bigger here and we're just going to browse some of the things, because this alone could be like an hour-and-a-half talk because of everything that's in there. You can see on the side is your panel where you can track all the different bots that you have, and you can scroll down, and usually they'll all appear down in this location or this area here, and they'll give you some information like where it's come from, using geo-IP location, your install dates, and they'll tell you if it's online or not.

It's got some interesting features as well. If you look at some of the tasks that we're able to do here with BetaBot, OK, I've got to log in again, of course, let's do that, some of the tasks that are available, it's not just simply controlling a computer, but you can do some additional things with it. You can do things like DDoS, right? So now I'm thinking, OK, if I get a whole bunch of computers infected, maybe I can rent out my botnet to whoever wants it; I can put an ad on Dream Market and say I'll DDoS your competitors for free, or for a nominal fee. You can do things like setting the controlled computer up as a SOCKS server, right? So now, as I'm starting to build out my next step, which is basically getting some people infected with ransomware, possibly, I can run some SOCKS servers where all the traffic is going to route through that, so that makes it a little bit more difficult to track me. I can clear browser cookies or set browsers, but the one that we're going to use is the download-and-execute, because once I've got a whole bunch of computers under my control, we're going to act a little bit like the SamSam gang, which has been fairly active since about 2016 in targeting specific organizations.

What they do is they deploy ransomware, but they do it in the non-traditional way. The traditional way is send a bunch of emails and hope somebody clicks on it and then they get infected. What SamSam does is they break into your network, or they infect some computers on your network; once they've got control, then they release the ransomware en masse, all at once, and then say, you owe us fifty thousand dollars instead of five hundred dollars, for example. So this is a good tool to do that, because I can go in here and set a task that will go ahead and download and execute my ransomware, which is the piece we need next. The one thing I want to show you before we go, just to show you exactly how in-depth this thing goes, is they've got some proactive defence for this bot as well. I really like this one over here, which is "protect from future infection via exploit kits". These guys thought, well, if your computer is so insecure that you got popped by us, we're going to actually proactively turn off things like JavaScript so that you're not going to get infected by another exploit kit that you may come across during some of your browsing.

All right, so the way we're going to do this is we're going to look for some ransomware-as-a-service kits, and there's a few of them out there these days. There's one called whoops to fart, there's one called Earth ransomware. Now, Earth is one that's fairly new, and there's different monetization models for these things. Most of them rely on taking some sort of cut of the ransom that gets paid, so if you ask for one Bitcoin, some of them will ask for thirty percent of the profit, or fifty percent of the profit, or ten percent, whatever; they get to set that themselves. Some of them have different kinds of monetization models, subscription models. I saw one that's no longer available these days that was called Nemesis, and, well, I say it's no longer available, v2 or v3 is up now, which is completely different, but they were asking for, basically they give you a trial licence so you can infect twenty computers, and then if you wanted to infect more than that you had to pay, at the time, one hundred fifty US dollars to get a full licence of the ransomware. So they've got different monetization models. What's interesting about this one is that, so here they're charging 0.3 BTC as a one-time payment, right? What these guys are doing is, instead of allowing open registration, which most of these kits do, you actually have to contact them, you pay them, and then they give you a login username and password.

Ranion is another one that's been around for at least about a year now, and it's getting continuously updated, and they've got a different model; they basically go by the subscription model, and you can subscribe to this kit in twelve-month, six-month and one-month periods. But this is the kind of kit where you basically say to them, I want my ransomware to do X, and you say, I want to attack Windows machines, and here's my Bitcoin address, and here's the price I want to charge, and you give them the configuration pieces that they need. They will build you the bespoke binary, they will give that to you, and then they will give you access to the portal to track all of your victims for the period of time that you've paid for. So if you want to pay nine hundred US dollars, you get access to the portal for twelve months. The monetization here is a little bit different.

When you get to things like Nemesis, so this is the one I was telling you guys about that went away, came back, went away, came back, this one is interesting because they've changed their model a little bit from when they originally came out. Originally it was the trial model; now basically they're saying we're just going to take a cut of the money, and I believe the cut of the money in this one is again thirty percent, which seems to be about right for most of these guys. So, you know, cyber criminals, Apple App Store, thirty percent seems about right. But what I like about some of these sites is the nice, clean look, and this is where we go back to how easy do I need to make my tool in order to get people to use it, specifically people that may not have the high level of skill to create their own binary. This is what you end up with: you end up with a nice, slick web interface. They do actually care about your security; they have enabled two-factor authentication, so I put my PGP key in there just to make sure that only I can log in in case I get phished. And of course, like many of these software platforms, they also provide support, right? You'll see this very prominently on most of these websites; they do have support that's available.

So that would be the next step: now that we've got control of that machine using a botnet kit that we either stole or bought off the dark web, we're going to go and find ourselves a candidate ransomware piece that we're going to stick in there as well and use that to deploy. I'm going to show you one more live one here that we got a little while ago, and this one was interesting because it, that's not the window I want, where's the one, there's the one I want, OK. This one was interesting: it provided you with a builder, and the builder you could grab to build the ransomware payload. It included three files: there was a setup file, there was a malware stub, so you might hear threat researchers talk about malware stubs all the time, and basically it's the malware that hasn't been armed yet; you need to add a configuration to it in order to get it to work. The malware stub in this case looks just like this, so you can see the ".ras core", so it's core.exe; I just put ".ras" in front of it so I know what it was, but it's the core.exe file.

And then you've got a setup guide that comes with it, and the setup guide basically tells you, again, making it nice and easy, here are the instructions on how you would build this. If we go through the instructions I'll show you exactly how easy and quick it is to build one of these things. The first thing you would do is set your Bitcoin address; it doesn't really matter, we can put anything in there. We're going to set the encryption mode; anybody know why you'd want to do just the first 4 megs? Just shout it out. Speed, actually, because if you're going to rip through a big disk and you encounter, let's say, a two-terabyte SQLite database, you want to be able to encrypt that thing really quickly and move on to the next file and not tie up too many threads. So what we're going to do here is say yes to that, the attacked extensions, right, oops, I, yes again to that, three. So the attacked extensions: you can add whatever you want, and the typical guys are in there; you could do pptx and all that stuff, and you can even upset the open-source guys and put ODP in there. You can put whatever you want, right; at this point it's up to you, or you can just copy and paste from that setup guide; that makes it nice and easy. You can set the default decryption price, so bitcoins were 5,700 pounds this morning when I checked, so that's pretty high, so we could go 0.01, for example. However, you can also set a special decryption price per country, so thanks, US, for Donald Trump, you're getting two bitcoins there; or whoever else, the Bears or the Pandas, or whoever else you want to go after.

And then finally, now that we've actually set the configuration, we can print that configuration; it's exactly what I just showed you guys. We're going to load the ransomware core, which is that file that I was showing you earlier, and then if we look closely we can see the timestamp here; if everything works out it should change. So "success, built"; you can see the timestamp changed over here, and now that's the file I would give to BetaBot in order to download and encrypt all the users all at once. Again, you know, "do not run this file on your PC, you should test it in a virtual machine". To me this is like the sticker on the Coca-Cola machine that says don't tip it towards you, because one person had to do it and now they have to put a sticker on the machine. Same thing over here: too many people, I guess, were infecting themselves and then calling in for support afterwards.

I'll show you one more kit. This one's called Philadelphia, and this one is also available on the dark web. I'll show you the Dream ad for it; it's over here somewhere. There you are, Philadelphia, another one of these kits that when it first came out was available for sale for around four hundred US dollars, and now it is, it's very cheap, I think, yeah, it's fifteen dollars and sixty cents, this particular version of it. But again, it's a pirated, cracked version of one of these kits, and we've got it right over here. Philadelphia is a different model: where most of these that I've shown you were ransomware-as-a-service in the cloud, where all the backend infrastructure was in the cloud, this one you would host yourself. So, welcome to Philadelphia. We've got to basically set up our account here, so admin/admin for username and password, right, there we go, and we're going to log in. This one has three components: one component is the headquarters, which is this; the other component is something that's called a bridge, which is what all the victims communicate to; and obviously the third component is your victims. This one allows you to fully configure the kit if you want to; you can deploy new agents. There are some interesting things in here, like the timers. Under timers here you've got your regular, OK, if you don't pay by a certain amount of time then we're going to either delete the keys or delete all the files, but there's also this Russian roulette over here, which I really like, because this adds a little extra incentive to pay. So you can say delete, in this case, one file every six hours, or you can say delete 100 files every two hours, and that comes up in the message that you get, the ransom note, that says, hey, if you don't pay us within two hours we're going to delete a hundred random files off your machine. So these guys have added a little bit of extra incentive and maliciousness to their kit, but they also have a heart of gold, it seems, because they've got this "give mercy" button down here. This is where all your victims would show up; you've got all their IDs, and because they take support calls, let's say you run, I don't know, a homeless dog charity and you got your machines encrypted, and you contact them and say we can't really afford it, we're a charity, what you could do is click on the ID, say, what's your ID, OK, find it, click on the ID, give mercy, and it actually decrypts your files for free.

All right, so now that we've done all this, now that we're a cyber criminal and we've got all this money, because it's just piling in now from our stolen identities and our DDoSing and all the ransomware money that's coming in, I think it's time for a bit of a vacation, don't you? So what you want to do is go back on Dream Market over here. Let's say you want to go somewhere hot, so you're probably going to need a few things to do that. One is you're obviously going to need a new passport, right, and so you're going to go to Dream Market and I search for a new passport, and, please don't, are there Belgian passports? I could pass for Belgian, I think. But there's all sorts of different kinds, so if you ever wonder what happens when somebody at the hotel takes your passport into the back and takes a copy of it, it probably ends up over here. So we've got a new passport; now we want to get some tickets to someplace hot, so we'd probably go over here, and if you ever wondered where your phished British Airways account credentials end up, they end up over here. Here you can actually buy accounts that have a bunch of miles in them, and you pay by the amount of miles that are included in that account. You can also get yourself some hotel stays, for example; they actually have dark web travel agents that will give you apparently 30% off, or 60% off, hotel stays and car rentals and all this kind of stuff. Here, you know, the travel hacker, there you go, stay in all hotels for free. And then finally we still need to get to the airport, right, so let's grab ourselves an Uber, and, well, OK, that's not Uber, but that's super, OK, so get unlimited Uber and Lyft rides for free; you can actually also learn how to become a fake Uber driver if you want and just get the money piling in from that.

So now that we've done all that, we're refreshed; just make sure that you pick a country that doesn't have an extradition treaty with the USA, because whenever these guys are getting caught, that's exactly what's happening. The message at the end here is that all of this stuff that we find, we try to work with the security community, with law enforcement, to let them know what's going on. Every time I get a binary and it says, "oh, do not upload this to VirusTotal", it's the first thing I do; of course I upload it to VirusTotal, right, because we want to be able to make sure that all this stuff gets tracked, and we're having a lot of success with this. I mean, law enforcement and the security industry in general, in the cooperation that we're doing, there were a bunch of arrests that were made in the last year: the guy who ran the AlphaBay market, all the Hansa guys were also shut down, there's a guy that was behind the Yahoo breach and one behind the LinkedIn breach, and all these guys were actually caught in extradition treaty countries. But the point is, as you're going about your daily jobs, if you do find ways to help law enforcement, to help the security industry, if you see something, say something. And with that, thank you very much.

[Applause]

In the interest of time I'll just go out there, and if you want to talk to me and ask questions I'm happy to do so afterwards. So we'll get the next speaker up.
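The speaker mentions running a Luhn check over the card numbers in the dumps to see whether they are plausible. The same check is the standard first filter on the defensive side, in data-loss-prevention or log-hygiene tooling that looks for primary account numbers leaking into logs or outbound text. The following is an added example, not code from the talk or from Sophos: it finds digit runs that look like card numbers, keeps only those that pass the Luhn mod-10 checksum (which drops most order IDs and timestamps), and masks them to the usual first-six/last-four truncation. The log lines are constructed for the example, using the well-known 4111... and 5500... test numbers rather than real cards.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side (constructed pattern for this example).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the result has two digits, reduced by 9 (equivalent to summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the distinct Luhn-valid card-number candidates found in text, digits only."""
    found: List[str] = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (PCI-style truncation), mask the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample log: one spaced PAN, one 16-digit order id that fails Luhn,
# one dashed PAN in free text.
SAMPLE_LOG = """\
2018-06-12 10:33:21 POST /checkout card=4111 1111 1111 1111 exp=12/22
2018-06-12 10:34:05 order_id=1234567890123456 status=ok
2018-06-12 10:35:48 support note: customer read out 5500-0000-0000-0004 over the phone
"""


def scan_log(text: str) -> List[str]:
    """Masked versions of every Luhn-valid PAN found in the text, in order of appearance."""
    return [mask_pan(pan) for pan in find_card_numbers(text)]


if __name__ == "__main__":
    for masked in scan_log(SAMPLE_LOG):
        print("PAN found:", masked)
```

Luhn is only a checksum, so a number passing it is plausible, not proven real; in a DLP pipeline it is what keeps the false-positive rate tolerable before a slower check such as a BIN-range lookup is applied.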
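The builder demo points out that the ransomware can be configured to encrypt only the first 4 megabytes of each file so that it gets through large files quickly. That choice leaves a recognisable trace: a file whose head is near-random but whose remainder still looks like ordinary data. The following is an added example, not code from the talk or from any of the kits it shows. It is a triage heuristic that compares the Shannon entropy of the first 4 MiB of a file with the entropy of the rest, and it uses constructed sample data (a repeated CSV row, with random bytes standing in for an encrypted head) rather than any real ransomware output. The entropy threshold of 7.5 bits per byte is an assumption chosen for this example.

```python
import math
import os
from collections import Counter

HEAD_BYTES = 4 * 1024 * 1024   # the "first 4 megs" mode from the builder demo
HIGH_ENTROPY = 7.5             # bits/byte; ciphertext sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, head_bytes: int = HEAD_BYTES) -> str:
    """Triage verdict for one file's contents.

    'low-entropy-head'        : head looks like normal data, no sign of encryption
    'high-entropy-head-only'  : head is near-random but the tail is not; the
                                signature of partial (first-N-bytes) encryption
    'high-entropy-throughout' : whole file is near-random; full encryption, but
                                compressed or already-encrypted formats look the same
    """
    head, tail = data[:head_bytes], data[head_bytes:]
    if shannon_entropy(head) < HIGH_ENTROPY:
        return "low-entropy-head"
    if not tail or shannon_entropy(tail) >= HIGH_ENTROPY:
        return "high-entropy-throughout"
    return "high-entropy-head-only"


def make_structured(size: int) -> bytes:
    """Constructed stand-in for a large structured file (a CSV row repeated to size)."""
    row = b"id,name,amount\n1,alice,10.00\n"
    return (row * (size // len(row) + 1))[:size]


def simulate_head_encryption(data: bytes, head_bytes: int = HEAD_BYTES) -> bytes:
    """Model the builder's first-N-bytes mode: random bytes replace the head, tail untouched."""
    return os.urandom(min(head_bytes, len(data))) + data[head_bytes:]


def triage(files: dict) -> list:
    """Names of files whose verdict suggests partial encryption, for investigation first."""
    return [name for name, data in files.items()
            if classify(data) == "high-entropy-head-only"]


if __name__ == "__main__":
    clean = make_structured(6 * 1024 * 1024)
    samples = {
        "ledger.csv": clean,
        "ledger.csv.locked": simulate_head_encryption(clean),
        "archive.bin": os.urandom(5 * 1024 * 1024),
    }
    for name, data in samples.items():
        print(f"{name:20s} {classify(data)}")
    print("investigate first:", triage(samples))
```

The 'high-entropy-throughout' verdict is deliberately not labelled as encryption, because zip, JPEG and similar formats produce the same reading; in practice that bucket needs a magic-byte check, whereas the head-only pattern has few benign explanations and is worth escalating on its own.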