Darknet Marketplace InTheBox Sells Mobile Malware Web Injects

Darknet Marketplace InTheBox Caters to Mobile Malware Operators

Security experts from Resecurity have reported the discovery of a new darknet marketplace called InTheBox, which is specifically designed for operators of mobile malware. The platform has been active on the darknet since early 2020 and offers buyers more than 400 custom web injects, organized by geographic region.

According to the researchers, “This level of automation allows cybercriminals to place orders for up-to-date web injects for further integration into mobile malware. InTheBox can be considered the largest, and likely the only, marketplace in its category that provides high-quality web injects for popular types of mobile malware.”

In this context, web injects are packages used by financially motivated malware for adversary-in-the-browser (AitB) attacks. These injects deliver malicious HTML or JavaScript overlays that appear when a victim interacts with banking, cryptocurrency, payment, e-commerce, email, or social media applications.

How the Web Injects Work

These overlays are designed to look like legitimate login pages and prompt users to enter sensitive information such as credentials, payment card data, Social Security numbers, CVV codes, and more. All of this information is then captured by cybercriminals and used to compromise the victim’s bank account or commit other types of fraud.

Access and Pricing

InTheBox sells various web inject templates, but access to the marketplace is only granted after new users are vetted and their accounts are activated by the administrators. The cost of access to InTheBox starts at $100 per month. There is also an unlimited subscription tier, which allows users to create an unlimited number of injects while the subscription is active. The price for the unlimited plan ranges from $2,475 to $5,888, depending on the type of malware supported.

Supported Malware and Recent Updates

InTheBox web injects support Android banking trojans such as Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo. “Most popular injects are related to payment services, including digital banking and cryptocurrency exchanges,” the researchers note. “In November 2022, cybercriminals released a significant update to nearly 144 injects, improving their visual style.”
