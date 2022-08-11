A new as-a-service offer has already won thousands of customers in the underground within a few months.

Cisco’s security specialists at Talos describe a new platform called Dark Utilities, which appears to be gaining popularity rapidly. It offers cyber criminals the use of its server infrastructure for little money. Talos calls this “Command & Control as a Service”, C2aaS for short: an offer that further simplifies entry into the cybercrime business.

One of the first things malware typically does after successfully infecting a system is contact an external server, where it registers and asks for updates and further instructions. It often then receives the command from this Command & Control server (C2) to download and execute the actual malware as a payload. After that, the malware keeps communicating with its C2 so that the infected system remains available for whatever its new owners have planned.

To do this, criminals usually have to operate and maintain their own server infrastructure, including suitable client software. Dark Utilities relieves them of this effort: for a starting price of 9.99 euros, the operators offer the use of their C2 infrastructure, matching client software and ready-made payloads for crypto mining and DDoS attacks, among other things.

Dark Utilities supports Windows and Linux equally as targets; the modules are typically implemented in Python and independently determine what kind of system they are currently running on. Talos has also identified active malware campaigns that use the platform’s modules – on both Windows and Linux systems.

Tor and IPFS abused

Some of the platform’s servers run on the normal Internet, but some also run on the Tor network. Dark Utilities uses the Interplanetary File System (IPFS) to host the payloads. This is a peer-to-peer distributed file system specifically designed to make tracing and, above all, content removal by central authorities as difficult as possible. In effect, enthusiast-run services like Tor and IPFS provide criminals with bulletproof hosting at no cost.

Talos has been watching Dark Utilities since February 2022; the service currently has more than 3,000 registered users. The security researchers see Dark Utilities as another component of the cybercrime ecosystem. It further lowers the barrier to entry for newcomers and gangs with little know-how and few resources. Talos expects Dark Utilities to continue to grow in popularity, especially in the entry-level cybercrime segment.

It is interesting that Talos locates the operator of the platform, who appears under the pseudonym Inplex-sys, in France and publishes an image in its report that shows a view of the Dark Utilities front end with the greeting “Welcome back, Inplex-sys”. That such a concrete trace pointing to Inplex-sys is presented so openly leaves plenty of room for speculation.