Cisco Talos analysts have discovered a new Dark Utilities service that provides hackers with an easy and inexpensive way to set up a command center for their malicious operations.
The researchers report says that the service, which hit the scene in early 2022, already has about 3,000 active subscribers, and its operators have already earned about 30,000 euros.
Dark Utilities provides attackers with a payload-enabled platform for Windows, Linux, and Python, and eliminates the need for hackers to think through their own C&C infrastructure and communication channels.
Experts characterize Dark Utilities as a C2-as-a-service (C2aaS), which is advertised as a reliable and anonymous C&C infrastructure that has all the additional features that hackers need. At the same time, the price of a subscription to the service starts from 9.99 euros.
Dark Utilities provides its customers with full C&C capabilities on both Tor and the public internet by hosting payloads on the Interplanetary File System (IPFS), a decentralized system for storing and exchanging data.
As mentioned above, Dark Utilities already supports several architectures, and it seems that C2aaS operators plan to expand this list further so that their clients can attack a wider range of devices.
As you can see in the illustration above, after selecting an operating system in Dark Utilities, a command line is generated, which hackers “usually embed in PowerShell or Bash scripts to make it easier to find and execute payloads on victims’ computers.” The selected payload also ensures a stable presence on the target system by creating a registry key on Windows, a Crontab entry, or a Systemd service on Linux.
According to the researchers, the admin panel comes with several modules for various types of attacks, including DDoS and cryptojacking.
Researchers have already published on GitHub a list of indicators of compromise that should help protect against campaigns that rely on Dark Utilities.