Analysis of the emerging Darth Maul eCrime Market

-

Background

Active since at least August 2021, a new English-speaking threat actor calling themselves "1977" has developed and advertised a new eCrime market on multiple underground forums called Darth Maul Shop. This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves.

If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of "Domain Admin (DA) access with reach to over 10,000 hosts."

The eCrime market has also shifted recently with the arrival of a new and improved Genesis market, which has been active since 2017 and is one of the largest of the underground economy alongside RussianMarket, 2EasyShop, and xLeet. Sophos researchers recently covered how Genesis sells stolen credentials, cookies, and digital fingerprints that are gathered from compromised systems, providing not just the data itself but well-maintained tools to facilitate its use.

Darth Maul (aka 1977.SH) eCrime Market

The interesting thing about Darth Maul shop is there are very little mentions of it across the usual OSINT sources, despite existing for around one year. A cursory search across some of the eCrime forums, paired with a little Google dorking, revealed over a dozen accounts for the admin of Darth Maul market.

Figure 1: Google Dork for 1977 aka Darth Maul

The admin, who goes by "1977" (aka "1977ko", “000x0”, or “darth1977maul”), has been active on these forums since around February 2022. One thing that stands out about the admin's forum activities is that they rarely interact with other forum members outside of their own threads. This is purely a marketing campaign instead of looking to make connections or build relationships with the forums they advertise on.

Figure 2: Forum account profiles of Darth Maul admin

The new market (Darth-Maul[.]top) has been around for about one year according to WHOIS data (it also uses 1977[.]sh as a mirror). The registrant org is called "Hakintoshionio", apparently based in Kazakhstan, and has "afakjbfkhbjqkbwe1@hotmail.com" as the tech contact email. The admin has also created a Telegram channel that has over 2,300 users at the time of writing.

Figure 3: Telegram channel and Whois Record

The advertisements of the Darth Maul market highlight some of the main items that are purportedly for sale on the site. In order to compete with some of the other eCrime markets, the admin has created attractive posters to catch the attention of other forum members. This type of marketing is often used cybercriminal services, one that always stood out was the Cerberus Android Malware-as-a-Service (MaaS) platform, which used similar attractive graphics and banners on various Russian-speaking forums.

Figure 4: Items allegedly for sale on Darth Maul market (March 2022)

Figure 5: Additional items advertised on Darth Maul market (May 2022)

The Darth Maul Shop itself honestly looks like it was designed by someone straight out of college and appears to be still in the early stages of development. However, some of the things for sale (or claimed to be for sale) are interesting and worth covering.

Figure 6: Darth Maul eCrime market (August 2022)

Another post on the forums, where "1977" advertises the market, highlights the rules for the market members, which were last updated in May 2022. These are fairly normal for underground markets that offer a platform for buying and selling credentials and other stolen digital goods.

Figure 7: Site rules for Darth Maul market

Like other eCrime markets selling data and credentials, Darth Maul market permits other threat actors to sell their items and use the site as a digital middleman for buyers and sellers.

Figure 8: Darth Maul market 

The presence of a user called KapustaWorld (although unconfirmed if it actually is them) on the Darth Maul market is also notable and also potentially shows that the market is gaining traction among established cybercriminals. 

Rivals on other Underground Forums

The basis of this blog actually began because a 106.42MB file called "darth-maul_shop_logs.txt" was uploaded to VirusTotal on 13 May 2022 containing what appears to be (unconfirmed) all the scraped logs stored in the site.

Further research into the TXT file, uncovered that the Darth Maul market got off to a bit of a rocky start. Back in February 2022 when the market was trying to attract new users, some members on the infamous Breached[.]co forum leaked the entire collection of logs from the site for anyone to download from anonymous file-sharing Cloud services, such as Mega[.]nz and Anonfiles[.]com. Looks like there really is no honor among thieves.

Figure 9: Darth Maul market logs dumped to Breached[.]co

This is a hugely embarrassing event for the Darth Maul market admin "1977" who will now been by other cybercriminals as an incompetent threat actor who cannot secure the data of their market's users. The market is seemingly struggling to grow as a result.

Analysis

At Black Hat USA 2022, former director of CISA, Chris Krebs, said he believes that we as a cybersecurity community have "over-fetishized the APT threat. We’ve over-rotated on the SVR and MSS while cybercriminals have been eating our lunch in the meantime". This aligns with the fact that there is a staggering number of stolen credentials fuelling various eCrime markets that have been an often ignored, but persistent threat for years.

The threat of eCrime markets was especially demonstrated by the LAPSUS$ cybercrime group from late 2021 to early 2022, who managed to gain access to some of the top technology firms in the world, such as Microsoft, Vodafone, Samsung, Nvidia, Okta, and Globant - who you'd think are some of the organizations spending the most of cybersecurity in the world - using credentials and cookies available via the underground, similar to Darth Maul market.

The future of Darth Maul market and "1977" remains to be seen and looks bleak due to the data dump. But one thing is for sure, launching your own cybercrime has become more accessible than ever before and organizations need to wake up to this threat before it is too late.

Obligatory Phantom Menace gif

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more