TheRealDeal black Marketplace Offers Zero-Day Exploits

Pierluigi Paganini April 18, 2015

A new deep web marketplace dubbed TheRealDeal has appeared and it is offering a platform for both sellers and buyers of the zero-day exploits.

The anonymity ensured by the Dark Web and black markets it hosts is an element of attractive for cyber criminal and intelligence agencies. Black markets offer a wide range of illegal products and services, despite normal people believes that drugs and weapons are most popular goods, there is another family of products in high demand … the zero-day exploits.

The zero-day flaws are the most important component for the design of an efficient cyber weapon, governments have dedicated cyber units for the discovery and exploitation of unknown vulnerabilities (aka zero-day), this precious commodity is sold by private entities on the underground and Governments are primary buyers of the growing market of zero-day. Governments aren’t unique buyers, exploit kits including zero-day are acquired also by non-government actors, in 2013 experts at the NSS Labs estimated that the market is able to provide 85 exploits per day, a concerning number for the security industry.

zero-day vulnerability life cycle

Zero-day hunters are independent hackers but in the majority of cases are structured security firms that analyze every kind of software to discover flaws exploitable during a cyber attack and resell their knowledge to the highest bidder, no matter if it is a private company that will use it against a competitor of a foreign government.

Zero-day exploits were available in several underground Dark Web marketplace for a long time, but now a new deep web marketplace dubbed TheRealDeal, has appeared and it is offering a platform for both sellers and buyers of the precious goods.

TheRealDeal blackMarket

TheRealDeal appeared last month and it is focused on the commercialization of Zero-Day exploits, that are codes specific designed to exploit a zero-day vulnerability. An attack based on such kind of exploits could not be defeated by the majority of defensive measures.

TheRealDeal Market is hosted on the popular Tor network to protect the anonymity of the actors involved in the sales.

Analyzing the product listing of TheRealDeal Market it is possible to find zero-day exploits, source codes that could be used by hackers in cyber attacks and of course hacking tools. The list is still short because the market is still in an embryonic stage, but the policy of its directors is clear.

Welcome…We originally opened this market in order to be a ‘code market’ — where rare information and code can be obtained,” a message from the website’s anonymous administrator reads. “Completely avoid the scam/scum and enjoy the real code, real information and real products.

Among the products there are a new method of hacking Apple iCloud accounts and exploit kits that could be used to compromise WordPress based websites, and both mobile and desktop OSs (i.e. Android and Windows).

The price tag for the iCloud hack is $17,000 and as explained by the seller it is possible to compromise any account. The buyer could pay in Bitcoin to make hard their identification.

“Any account can be accessed with a malicious request from a proxy account,” reads the description of the hack available on TheRealDeal marketplace. “Please arrange a demonstration using my service listing to hack an account of your choice.”

The listing also includes an Internet Explorer attack that is offered for $8,000 in Bitcoin as reported by Wired.

“Others include a technique to hack WordPress’ multisite configuration, an exploit against Android’s Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. “Found 2 months ago by fuzzing,” the seller writes, referring to an automated method of testing a program against random samples of junk data to see when it crashes. “0day but might be exposed, can’t really tell without risking a lot of money,” he or she adds. “Willing to show a demo via the usual ways, message me but don’t waste my time!” read a blog post published by Wired.

The listing was recently updated, it also include an exploit for the MS15-034 Microsoft IIS Remote Code Execution vulnerability, a flaw that is being actively exploited in the wild against Windows 7, 8, and 8.1, Windows Server 2008 R2, 2012, and 2012 R2.

TheRealDeal market also offer other products very common in the criminal ecosystem, including drugs, weapons, and Remote Access Trojan (RAT).

TheRealDeal doesn’t implements a real escrow schema, instead it adopt a multi-signature model to make effective any financial transaction. Basically the buyer, the seller and the administrators control the amount of Bitcoin to transfer together, any transaction needs the signature of two out of the three parties before funds are transferred.Lets monitor the evolution of the TheRealDeal marketplace in the next weeks.

Pierluigi Paganini

(Security Affairs –  TheRealDeal , zero-day)

you might also like

leave a comment