Season’s Stealings – The Dark Side of Holiday Shopping

Elena Koldobsky, Threat Intelligence Analyst

Offering holiday discounts to potential customers is a known marketing strategy – selling products, be it chocolate, clothes, or perfumes, for a decreased price, to increase sales during the holiday season. Unsurprisingly, the unwritten marketing laws have not skipped cybercrime communities. During this time of the year, threat actors get “cheerful” and post creative promotion ideas, offering malware, botnets, and encryptors for a decreased price as a holiday sale. 

For instance, on December 11, 2021, the threat actor “Grimxploit” posted a Christmas offer on the cybercrime forum RaidForums – an English-speaking forum focusing mostly on data breaches – promising to sell his products for a 20% discount to all those who use the coupon code “CHRISTMASS20”. Among the products sold were his Grimxploit branded crypter, worm, keylogger, and others, as well as a “remoded” version of Anubis botnet.

Grimxploit Announcement about Christmas sale

New Year’s, which is widely celebrated in CSU countries, is also popular in Russian-speaking forums. For instance, on December 6, 2021, the user RaccoonStealer, the ‘official’ distributor of the “Raccoon Stealer” information stealer, offered the malware for rent for a 10% discount to celebrate the New Year. The malware was offered on both Exploit and XSS, the most high profile Russian-speaking cybercrime forums. The user also stated that every new customer renting the stealer for a month will receive a clipper as a gift and that every user who rents the malware for two months will receive a private proxy until New Year’s. As expected, a surge of ‘interested’ comments appeared following the offer, asking the seller for the price, and inquiring about any updates to the malware.

RaccoonStealer’s announcement about New Year’s discounts

Similarly, on December 25, 2021, the user SnowFlake offered the SnowFlake stealer for sale on XSS, stating that to celebrate New Year’s, all users who purchase a subscription to the stealer from December 25 to January 15, 2022, will receive additional 15 days as a gift. The stealer, which is capable of collecting information from the victim’s system, taking screenshots, and sending information to the admin panel, is also promised to receive a “New Year-themed design”.

On December 27, 2021, the author X-Ware, a known malware seller active in various Russian-speaking forums, published a post on Exploit, offering X-MapAdmin, which allows actors to gain access to admin panels via SQL injection, for sale, to celebrate the New Year. The first five buyers who will purchase the Russian version of the software before December 31 will receive it for 400 USD. Users who will purchase the Russian version before January 10 will pay 450 USD. Users who are interested in the English version of the software will pay 700 USD if the purchase is made before January 10, 2021.

X-Ware’s announcement about New Year’s discounts

KELA noticed that malware is not the only thing one can purchase on this “dark web holidays sale”. Malicious64, for example, is selling “every country’s passports, ID, driving license, and utility bill” on RaidForums. While the post was originally uploaded on August 6, 2021, the actor commented on the post on December 9, 2021, offering the “whole package” for 25 USD until Christmas.

To exemplify the demand, Employer569, a user who was selling stolen credit card information on Exploit, stated that the cards were an order from a regular client for “New Year’s” shopping. These “CCs+CVVs” are now being sold, as the original buyer has gone “deep offline”. 

Cybersecurity-related holidays recommendations often encourage users to look out for the increasing ransomware and phishing attacks. For 2022, however, be sure to look out for information stealers, botnets, and encryptors as well.

We wish you a Happy, Attack-free New Year!

See KELA’s dark web threat intelligence product suite in action!

Click here to watch a demo