Cybersecurity is often, and quite rightly, focused on the battle between ethical security experts and the malicious threat actors trying to break through their defenses. However, not all hackers are targeting corporations or governments; some are setting traps for their fellow criminals, luring other threat actors into compromising their own systems. Anyone with experience of the murky world of the black market, the dark web or even peer-to-peer file sharing will tell you that there are traps everywhere and no recourse once things go wrong.
In recent years, there has been a surge in cybercriminals deploying malicious software to exploit other threat actors, potentially driven by the year-on-year rise in cybercrime overall, which is expected to surge by 15% throughout 2024.
The malicious software may appear as or within hacking tools, databases, or vulnerabilities that seem ripe for exploitation. The twist? They are not what they seem. Instead of delivering a reward, they turn the tables on the hacker, infecting their machines or siphoning valuable data.
Luring Threat Actors
One of the most common tactics involves offering fake hacking tools. Let’s say a hacker is searching for a tool that claims to hack accounts on popular social platforms. This hypothetical tool might promise to bypass login credentials or scrape content from restricted profiles. However, the moment the hacker downloads and runs the tool, they themselves become the target.
The malicious tool could be loaded with spyware, keyloggers, or even ransomware. Once installed, it may exfiltrate the hacker’s own sensitive information, including login credentials, private messages, cryptocurrency wallets, or other data that could be used against them.
Veriti’s cyber research team discovered a scheme on a prominent hacking forum where a user, going by the name Bilalkhanicom, offered a tool claiming to hack OnlyFans accounts. However, instead of delivering the promised functionality, the tool was actually a vehicle for distributing sophisticated malware known as Lummac Stealer.
The alleged OnlyFans checker (a tool used to bulk-verify the validity of stolen credentials), according to the individual offering it, would not only confirm if leaked or stolen account details were active but also reveal account balances and whether an account had creator status. Veriti states these checkers are "the digital lockpicks of the modern age," claiming they promise hackers quick access to sensitive information and potential financial rewards.
For cybercriminals targeting cybercriminals, the motivation is simple: access to other hackers' resources, skills, and information. In this shadowy economy, tools like fake hacking software or infected code repositories represent an easy way to "hack the hacker" and profit from their data.
Exploiting Trust in Underground Markets
Underground forums and marketplaces are the Wild West of the digital world. Here, cybercriminals trade everything from stolen credit card information to sophisticated malware kits. The anonymity of these spaces is both a shield and a vulnerability. Hackers must trust that the tools and services they purchase or download will work as advertised. However, that trust is easily exploited.
A hacker might purchase a tool that claims to let them exploit a zero-day vulnerability or break into a specific system. Instead, what they get is a piece of software that turns around and targets them. This type of betrayal is common in underground markets, where there is no customer service, no legal recourse, and no protection for those who fall victim to scams. Cybercriminals using malicious software in these scenarios aren't just after personal data; they could be after the tools, techniques, and trade secrets of other hackers.
The use of malicious software to exploit other threat actors extends to software repositories as well. A hacker looking for open-source code to integrate into their malware might find a seemingly legitimate repository on a platform like GitHub. However, the code could be designed with malicious intent, injecting backdoors into the hacker’s own system once it's compiled or integrated into their project.
What Does This Mean For Organizations?
When a threat actor or group breaches an organization's defenses, other hackers may in turn compromise the original attackers, potentially forcing the organization into a double payment. It may also mean organizations need a higher standard of proof that, once data is recovered by paying the threat actors, it is no longer stored elsewhere and has not been subject to any further unauthorized access.
So, ironically, it appears that even threat actors need to be cybersecurity-aware...