The World’s Largest Darknet Mobile Malware Marketplace Threatens Users


InTheBox is a darknet marketplace created solely to serve mobile malware operators, according to cybersecurity specialists.

More than 400 custom web injects, organized by area, are being sold by the actor behind the criminal storefront, who is thought to have been active since at least January 2020. These injects can be acquired by other adversaries wishing to launch their own attacks.

“The automation allows other bad actors to create orders to receive the most up to date web injects for further implementation into mobile malware,” Resecurity said.

“InTheBox may be referred to as the largest and most likely the only provider of high-quality web injects for well-known forms of mobile malware in its marketplace category.”


Web injects, a type of financial malware, employ the adversary-in-the-browser (AitB) attack vector: when victims open a banking, cryptocurrency, payments, e-commerce, email, or social networking app, the inject serves malicious HTML or JavaScript code in the guise of an overlay screen.

Unsuspecting users are prompted to provide sensitive information such as login passwords, credit card information, Social Security numbers (SSN), and card verification values (CVV) on these overlay screens, which is subsequently used to compromise the bank account and commit fraud.

A number of web inject templates are offered for sale on InTheBox, which can only be accessed via the Tor anonymity network after a customer has been verified by the administrator and had their account approved.

The web injects cost $100 a month, or they can be purchased as part of an “unlim” tier that allows the subscriber to create an unlimited number of injects throughout the subscription period. Depending on the supported Trojans, the unlim plan can cost anywhere from $2,475 to $5,888.

Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo are a few of the Android banking trojans supported by the service, according to the California-based cybersecurity firm.

“The majority of high-demand injects is related to payment services including digital banking and cryptocurrency exchangers,” the researchers said. “During November 2022, the actor arranged a significant update of close to 144 injects improving their visual design.”

The development coincides with Cyble’s recent disclosure of DuckLogs, a new malware-as-a-service (MaaS) offering that costs $69.99 for lifetime access and gives threat actors access to sensitive data, bitcoin transactions, and remote control of the devices.
