We all know the Dark Web above all as the home of the "black markets" where everything imaginable is for sale. No less notable is the news circulating in the last few hours of a "hidden" forum, reserved mainly for Russian hackers, where credentials for accessing Office 365 and Microsoft accounts are being resold on the Dark Web. The accounts are said to belong to senior management figures from various companies around the world.
The news was spread by someone who has access to this material and who bought a couple of username/password pairs to verify their authenticity. Unsurprisingly, they turned out to be legitimate and belonged to the CEO of a US software house and the CTO of a European company.
Credentials for sale on the Dark Web: prices reportedly reach 1,500 dollars
Unfortunately, as is often the case, the identity of the seller (or sellers) is not known. Nor is it known how the credentials were obtained, but apparently they were harvested from computers infected with a trojan identified as AzorUlt.
As one can easily imagine, executives' credentials are highly valued on the Dark Web forum because they give criminals the ability to attack a company "from the inside", impersonating the compromised manager. They can then very easily spread other malware or tamper with business processes.
Credentials on the Dark Web thanks to AzorUlt: some information on the trojan
For the uninitiated, the AzorUlt malware is currently one of the most bought and sold Trojans on Russian darknets. One reason for its success is surely its very low cost (around 100 dollars), but above all its wide versatility of use, not to mention its effectiveness.
Among its distinguishing features is the ability to be used as a "downloader" for other malware. And it is not a trojan far removed from us: in the first quarter of 2019 alone, the number of Italian users hit by this trojan, whose detection signature is Trojan-PSW.Win32.Azorult, exceeded 2,000.
The malicious campaign reportedly began with the appearance of a new domain, protonvpn_dot_store, which simply leads to a fake website, a clone of a well-known VPN service. The cloning appears to have been carried out with the well-known open source crawler HTTrack, producing a copy that replicates the ProtonVPN home page in every respect.
Victims redirected to this site by spam and malvertising campaigns downloaded a modified installer of the VPN service, which also contained an executable that activated AzorUlt and thus enrolled the newly infected computer in the criminal botnet linked to the trojan.
After installation and activation, the trojan is ready to steal as much data as it can. It begins collecting all of the user's confidential information and transmitting it to the command and control server (C&C server), which listens on a subdomain of the main site, account_dot_protonvpn_dot_store, so as to avoid raising doubts about the legitimacy of the software.
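The campaign described above relies on a lookalike domain (a brand name under the wrong TLD) for both the fake download page and the C&C subdomain. The script below is an added example, not code from the article or from any vendor, showing how a defender can surface that pattern in web-proxy logs: it flags any host that contains a watched brand keyword but whose registrable domain is not on the brand's allowlist. Assumptions: the log format (timestamp, client IP, host, path) and all log lines are constructed for the example; protonvpn.com is taken as the vendor's legitimate domain; secure-protonvpn.net is a hypothetical lookalike added to show that the check generalises beyond the article's indicator; the registrable-domain helper uses the last two labels and does not consult a public suffix list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Brand keywords to watch, mapped to the registrable domains allowed to carry them.
# Assumption for this example: protonvpn.com is the vendor's legitimate domain.
BRAND_ALLOWLIST: Dict[str, Set[str]] = {
    "protonvpn": {"protonvpn.com"},
}

# Constructed web-proxy log sample: "<timestamp> <client-ip> <host> <path>".
# protonvpn.store / account.protonvpn.store are the article's (defanged) indicators;
# secure-protonvpn.net is a hypothetical lookalike added for illustration.
SAMPLE_LOG = """\
2019-02-01T10:12:03Z 10.0.0.17 protonvpn.store /
2019-02-01T10:12:09Z 10.0.0.17 protonvpn.store /download/installer.exe
2019-02-01T10:15:44Z 10.0.0.17 account.protonvpn.store /
2019-02-01T10:16:00Z 10.0.0.22 protonvpn.com /
2019-02-01T10:17:12Z 10.0.0.22 www.example.com /about
2019-02-01T10:18:30Z 10.0.0.31 mail.protonvpn.com /login
2019-02-01T10:19:05Z 10.0.0.31 secure-protonvpn.net /account
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    host: str
    brand: str
    registrable: str


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: no public suffix list, so
    multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def lookalike_brand(host: str) -> Optional[Tuple[str, str]]:
    """Return (brand, registrable_domain) if the host carries a watched brand
    name outside that brand's allowlisted domains, else None."""
    lowered = host.lower()
    reg = registrable_domain(lowered)
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in lowered and reg not in allowed:
            return brand, reg
    return None


def find_lookalike_hits(log_text: str) -> List[Hit]:
    """Parse proxy log lines and collect requests to brand-lookalike hosts."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        verdict = lookalike_brand(m["host"])
        if verdict:
            brand, reg = verdict
            hits.append(Hit(m["ts"], m["client"], m["host"], brand, reg))
    return hits


def clients_by_domain(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group affected client IPs by the suspicious registrable domain, which is
    the unit an analyst would block at the proxy or resolver."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.registrable, set()).add(h.client)
    return out


if __name__ == "__main__":
    found = find_lookalike_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} -> {h.host} (lookalike of {h.brand}, domain {h.registrable})")
    for domain, clients in clients_by_domain(found).items():
        print(f"{domain}: {len(clients)} client(s) to triage")
```

Hosts under the genuine domain (protonvpn.com, mail.protonvpn.com) are not flagged, while the download page, the C&C subdomain and the hypothetical lookalike are, and the grouping step hands the analyst one domain per block decision plus the hosts that contacted it.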