Cybercrime is an industry, with its own service economy, tools for hire, solution providers and end users, and this shadow economy is growing. Over several years, the cyber-criminal underground has undergone its own industrial revolution, a profound and far-reaching process of modernization and innovation.
This change is driven by a remarkable commitment amongst cyber-criminals to adjust business practices to meet the needs of their customers and to scale operations. This has increased the overall sophistication of the threat landscape as actors of all levels – from novices to veteran cybercrime gangs – can now buy the tools, expertise and services necessary to launch malicious campaigns against businesses, governments and individuals with relative ease.
Any organization preparing to fight off cyber-attacks needs to first understand how this maturing cybercrime industry works. Investigating threat actors as well as identifying trends across the myriad services used by attackers helps businesses strengthen their own security posture and put in place stronger defense measures to both prevent and mitigate attacks.
Threat intelligence may often focus on malware and TTPs, but knowing how cyber-criminals use the services available to them can provide defenders with an enhanced understanding of the threats they’re up against.
A profitable business
Before the mid-2000s, computer viruses were written mainly to earn their authors notoriety. Then the first malware designed to turn a profit, such as Zeus, emerged. Supporting these new profit-seeking malware families was an expanding cyber-criminal underground offering all manner of illicit products and services. Malware suddenly offered a lucrative business model, and threat actors were eager to cash in.
Entrepreneurial criminals have sought to capitalize on this by not only offering malware for sale, but also providing related services, such as tools to help attackers evade detection – complete with after-sales support. This has even led to scenarios where existing malware infections are now sold on to other actors to perform further campaigns.
Malicious coders for hire
With a range of services and products on offer in the cyber-criminal underground, preparing malware for an attack is remarkably easy. Actors can purchase ready-made code that is advertised in underground forums and marketplaces, or contract one of a smaller set of specialized malware developers who offer their services for hire.
Numerous forums include sections where users can market their coding skills to others, listed under ‘jobs’, ‘freelance’ or ‘services’. Although it is not very common to see such consultancy work advertised, perhaps due to the high level of interaction it requires between vendors and clients, there are a handful of prominent developers for hire – such as DR.PREDATOR, who sells programming services starting from $80 USD, payable in Bitcoin. To keep projects private, clients must often pay an additional charge.
At any given time, dozens of malware offerings are actively marketed in underground communities, each with its own aims, functionality, prices and sophistication. Such offerings encompass loaders, cryptojackers, ransomware, point-of-sale malware, banking Trojans, stalkerware and information stealers. Closely monitoring these offerings can help organizations strengthen cyber defenses in advance of an attack.
New business models
Communication between threat actors in the Russian-language underground is typically established via Jabber/XMPP, though Telegram is becoming more popular. Those selling malware in this space typically employ one of two business models: the outright sale of their product, or a Malware-as-a-Service (MaaS) model that bundles the malware with pre-established infrastructure offered on a monthly rental basis. This spares clients the need to buy servers, set up admin panels and carry out the other tasks involved in preparing an attack.
As an example of costs, Vidar and RaccoonStealer are two information stealers offered under a MaaS model, available for a monthly price of $200 to $300 USD.
Many of the most notorious ransomware families including Sodinokibi (aka REvil) and Buran also operate under an as-a-Service model. Ransomware gangs recruit affiliates to aid in the distribution; profits from successful extortions are then split between the gang and the distributor.
Add-on services
Continued advances in the development of anti-virus solutions have forced threat actors to find new ways to bypass these tools, as well as to complicate the work of malware reverse engineers. Many cyber-criminals take advantage of techniques and tools that legitimate software developers use to protect their intellectual property, such as packers, crypters, obfuscators and code signing.
Again, related tools and services are for sale in underground forums. One crypter, dubbed VIP Crypt, offers add-ons such as a polymorphic engine, which makes use of a technique that mutates the code in every execution without altering the algorithm function.
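From the defender's side, the packers and crypters described above leave a measurable trace: a compressed or encrypted payload looks close to random, so its byte entropy approaches the 8-bit maximum, while ordinary code and text sit well below it. The following is an added illustration, not code from the original article or from any product it mentions, of the entropy triage check an analyst might run over the sections of a suspicious file. The section names, the 7.2-bit threshold and the sample bytes are constructed assumptions for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_section(data: bytes, threshold: float = 7.2) -> str:
    """Label a section as 'likely packed/encrypted' when its entropy is at or
    above `threshold` bits per byte, otherwise 'plain'.  7.2 is an assumed
    triage cut-off; compressed resources (images, archives) also score high,
    so a hit is a reason to look closer, not a verdict."""
    return "likely packed/encrypted" if shannon_entropy(data) >= threshold else "plain"


def triage_sections(sections: dict[str, bytes]) -> dict[str, tuple[float, str]]:
    """Map each section name to (entropy rounded to 2 decimals, label)."""
    return {
        name: (round(shannon_entropy(data), 2), classify_section(data))
        for name, data in sections.items()
    }


# Constructed sample "sections" standing in for a parsed executable.
# .text: repetitive plain bytes; .rsrc: seeded pseudo-random bytes that mimic
# an encrypted payload (deterministic so the example is reproducible).
SAMPLE_SECTIONS = {
    ".text": b"mov eax, ebx; push eax; call helper; ret\n" * 100,
    ".rsrc": random.Random(1).randbytes(4096),
    ".pad": b"\x00" * 512,
}

if __name__ == "__main__":
    for name, (entropy, label) in triage_sections(SAMPLE_SECTIONS).items():
        print(f"{name:6} entropy={entropy:.2f} -> {label}")
```

Running the block prints one line per constructed section; only the pseudo-random `.rsrc` blob crosses the threshold. In practice this check is applied per section of a parsed PE or ELF file, and a high-entropy code section is a common first signal that a sample has been packed with one of the tools traded in these forums.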
Finally, to ensure success, attackers test and tweak the finalized malware product and infrastructure prior to deployment. So-called ‘no-distribute’ antivirus scanners, also known as Counter Antivirus Services (CAV), such as Dyncheck or Spyral Scanner, allow users to test files, URLs, domains and IP addresses against dozens of antivirus solutions without the samples being shared with vendors, and may even allow illicit clients to set up regular monitoring in order to keep an eye on the detection status of their ongoing campaigns.
These scanning sites are another way for certain cyber-criminals to earn money; while some are free to use, others offer single-scan pricing, multi-scan packages or subscription models and some are delivered through resellers – mirroring the legitimate IT ecosystem.
Understanding criminal collaboration
From a defense perspective, understanding the relationships between actors is key as it helps security practitioners make informed decisions. Notably, there is also a difference in cybercrime sophistication across regions.
For example, prefabricated phishing pages and kits – from as little as $50 USD – are particularly common in the Portuguese-speaking underground. Threat intelligence that reveals such geographical variation is immensely valuable, as it allows organizations to gauge their risk based on who might target them and how.
Threat intelligence providers track and interrelate different cyber-criminal actors, adding detailed context to new threats before they can have a significant impact. Alongside continuous cyber hygiene with an established process of updates, regular pen testing and patching and employee education, the insights provided help businesses strengthen their defenses and prevent attacks.
Above all, companies must not remain static: as the products and services traded on the criminal underground evolve, organizations must keep up, adjusting security protocols to keep systems and processes secure. In the same way that cyber-criminals collaborate today, we as an industry must work together in combating cybercrime. The dark commercial exchange of goods and services can be countered by legitimate organizations only if we collaborate.