Elena Koldobsky, Threat Intelligence AnalystOffering holiday discounts to potential customers is a known marketing strategy – selling products, be it chocolate, clothes, or perfumes, for a decreased price, to increase sales during the holiday season. Unsurprisingly, the unwritten marketing laws have not skipped cybercrime communities. During this time of the year, threat actors get “cheerful” and post creative promotion ideas, offering malware, botnets, and encryptors for a decreased price as a holiday sale. For instance, on December 11, 2021, the threat actor “Grimxploit” posted a Christmas offer on the cybercrime forum RaidForums – an English-speaking forum focusing mostly on data breaches – promising to sell his products for a 20% discount to all those who use the coupon code “CHRISTMASS20”. Among the products sold were his Grimxploit branded crypter, worm, keylogger, and others, as well as a “remoded” version of Anubis botnet.
KELA Cyber Intelligence CenterAs part of KELA’s continuous monitoring of communities and markets in the cybercrime underground, KELA identified a rise in the activity of a relatively new market of stolen user information, called “2easy”. The market is an automated platform where different actors sell “logs” – data and browser-saved information harvested from machines (bots) all over the world infected with information-stealing malware. Currently, the market offers information stolen from almost 600,000 bots. Based on analysis of the data collected by KELA’s systems from this market, as of December 2021, the market hosts 18 sellers offering their infostealer logs for sale. Investigation of these sellers’ activities in the cybercrime underground, as well as feedback about the market posted to dark web sources, indicates that the market has a certain recognition among cybercriminals that deal with stolen credentials; they provide mostly positive feedback. As such, KELA assesses that credentials sold in 2easy are generally valid and may present a direct threat to organizations. KELA’s analysis of the market finds that RedLine information stealing malware is the most popular choice for the market’s vendors – with over 50% of the machines offered for sale on the market being infected with RedLine.