Webhose Top Cyber Updates

Posted on October 7, 2021 by yafit

read the article

This week we cover the dramatic announcement of one of the largest darknet marketplaces, and a new emerging ransomware group site. We also reveal the dark web chatter we discovered about a renowned password-stealing malware that returned to target Android users these days.

But first, let’s start with the posts Anonymous published in the lead up to their latest mass leak.

Revealed: Anonymous’ Posts in Lead Up to 480GB Epik Leak

Anonymous claims to have stolen over 480GB of data belonging to Epik, a web hosting company used by large right-wing clients, in reaction to a new controversial law in Texas. 

Epik is known to work with right wing websites and social media platforms, such as Parler, Gab, 8chan as well as the Republican Party of Texas. The hacktivist group has so far claimed to have leaked “decades of data” belonging to Epik in a series of leaks over the past few weeks,  as part of their Operation Jane campaign against a new Texas law prohibiting abortions.

The first leak consisted of 180GB of stolen data on more than 15 million of Epik’s business and customers, which included email addresses, names, phone numbers, physical addresses and passwords. The leaked data also included details of millions of other non-customers who had their information scraped via the company’s WHOIS privacy service.

We were able to crawl a post rallying support for Operation Jane on a paste site called Ghostbin already on September 7, six days before the first leak:

We also found another post by Anonymous with PR information on 4chan, dated September 11:

The official news of the breach was first reported a couple of days later, on September 13, on Twitter. A day later, we already saw the news across the web.

We were also able to find in our API a comment on Raddle social network, that offers  a link for download of the data Anonymous leaked. Within a day, we were able to find the leak on the popular hacking forum Raidforums. By that point, the leak spread even faster across the web, appearing on several other platforms and networks.

The post offering a link to the first leak

We are still following some discussions on various darknet forums around Anonymous’ ongoing “Operation EPIK FAIL”, which the hacktivist group claims  includes Epik’s entire server, mounting to 300GB of data. The chatter also centers around link requests to the latest leaks, including the leak reported on October 4, which according to Anonymous, includes a large cache of Epik data with an unknown volume of private documents belonging to the Republican Party of Texas. 

White House Market Shuts Down

White House Market (WHM), one of the largest darknet marketplaces, announces the market is retiring in a post on Dread forum.

Similarly to other dark web marketplaces, WHM features posts on drug sale, fraud, software and more. WHM, which in early October numbered 900,000 users, is considered as a relatively secure market, using Monero as the only form of payment.

In a post dated October 2, the market management published an announcement on their decision to close on a Dread site section which is dedicated to the White House Market, which has more than 15,000 subscribers. 

In the announcement, they mention they are retiring because they have “reached their goal”. In their post, they say that new orders and user registration were disabled but the site will remain live for a limited amount of time to allow for the completion of active orders:

Although the website is in process of shutting down, Webhose is keeping the historical data from the website as we do with all other websites we cover. This type of data can be used for actor profiling, risk assessment and more.

To see more content from White House Market use the query:
site.domain:zefmozbmelwjc4elhoim2q3t3y4z3yoodczvqagtquvwzhx763f4jtyd.onion

New Source on Webhose: AtomSilo Ransomware Site

We have added the website of a new ransomware group known as AtomSilo to our coverage. Like other ransomware, the AtomSilo was developed to encrypt all types of files, such as documents and images, adding a unique extension “.ATOMSILO” to each one of them. Once the file is encrypted, its owner will no longer be able to open it, unless he pays ransom to the ransomware gang.

Similarly to other ransomware groups, AtomSilo, which began operating in September 2021, operates their own blog. It runs on the TOR network and is used as a platform to publish a list of victims they attacked. So far, they feature one company they attacked (see the screenshot below), Cristália, which is a pharmaceutical company in Brazil. AtomSilo has already released a large sample of the breached data, including client data as well as legal and business documents. Yet they are still threatening to leak additional information unless the company pays ransom.

The new AtomSilo blog

Another interesting observation our cyber team has made is that there are several similarities between AtomSilo and other ransomware gangs, including visual similarities between their blog and the blog of BlackMatter ransomware group, and an identical ransom note page to the one used by Cerber 6 ransomware.

To see more content related to AtomSilo ransomware group: AtomSilo OR site.domain:mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Revealed: The Darknet Chatter About Re-emerging Password-Stealing Android Malware

The FluBot is a malware that first surged in early 2021, targeting android devices in Europe and later in Australia. The malware first targets Android phones with a simple text message containing a malicious link to a website, which asks you to download and install an app. 

Now the malware has reappeared, it uses a fake message warning users that their phone was infected with the FluBot malware (see below). It then asks the users to click on a link to take action against the virus, but in reality, by clicking on the link users install the malware on their devices.

A screenshot of the fake alert FluBot sends to users

The FluBot spreads by sending text messages from the device to the user’s contacts. It can damage the device by disabling the Google play protection, adding phone numbers to the device blacklist, uninstalling apps, and stealing credit card information.

Our team found early mentions of the malware in dark web forums like Raidforums, XSS and paste sites going back six months. The majority of discussions on these sites and forums centered around the impact of the malware. Yet we were able to find posts of threat actors who offered FluBot botnets for sale back in May 2021:

Looking ahead, the dark web includes important signals that can provide early indication of emerging cyber threats to organizations, commercial enterprises and others. Companies using an analytics solution that integrates quality data feeds, can gain valuable insight into cyber threat trends and discover new malware attacks in the making.

The FluBot mentions we tracked going back to March 2021, showing a spike around May 2021

This wraps it up for this week. If you enjoyed it, remember to stay tuned and read about our new discoveries and updates from the ever changing cyber world by following us on social media (via the links below). For any questions or comments you may have, feel free to email us at: cyber@webhose.io.

Until next time, 

Team Webhose