Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies, as well as offering free stolen data to its members.
While stolen data marketplaces are not new, instead of extorting companies and scaring them with GDPR fines, Industrial Spy promotes itself as a marketplace where businesses can purchase their competitors’ data to gain access to trade secrets, manufacturing diagrams, accounting reports, and client databases.
However, it would not be surprising if the marketplace is used to extort victims into purchasing their data to prevent it from being sold to other threat actors.
The Industrial Spy marketplace offers different tiers of data offerings, with “premium” stolen data packages costing millions of dollars and lower-tier data that can be bought as individual files for as little as $2.
For example, Industrial Spy is currently selling an Indian company’s data in their premium category for $1.4 million, paid in bitcoin.
However, much of their data is being sold as individual files, where threat actors can purchase the specific files they want for $2 each.
The marketplace also offers free stolen data packs, likely to entice other threat actors to use the site.
Some of the companies whose data is offered in the “General” category are known to have suffered ransomware attacks in the past.
Therefore, the threat actors may have downloaded this data from ransomware gang’s leak sites to resell on Industrial Spy.
Promoted through cracks and adware
When executed, these malware files will create the text files in every folder on the device, containing a description of the service and a link to the Tor site.
“There you can buy or download for free private and compromising data of your competitors. We public schemes, drawings, technologies, political and military secrets, accounting reports and clients databases,” reads the README.txt text file.
“All this things were gathered from the largest worldwide companies, conglomerates and concerns with every activity. We gather data using vunlerability in their IT infrastructure.”
Upon further investigation by BleepingComputer, we discovered that these executables are being distributed through other malware downloaders commonly disguised as cracks and adware.
For example, the STOP ransomware and password-stealing Trojans, commonly distributed through cracks, are installed along with the Industrial Spy executables.
Furthermore, VirusTotal shows that the README.txt files are found in numerous collections of password-stealing trojan logs, indicating that both programs were run on the same device.
This indicates that the operators of the Industrial Spy website likely partner with adware and crack distributors to distribute the program that promotes the marketplace.
While the site is not widely used at this point, companies and security researchers need to keep an eye on it and the data it purports to sell.