Among the trends identified in the IBM X-Force Threat Intelligence Index for 2017 was the notable reemergence of commercial malware in the fraud underground. Commercial malware is defined as malicious code that can be purchased or rented in software-as-a-service (SaaS) mode, sometimes in SaaS models, by cybercriminal buyers.
The most popular types of malcode we observed in 2016 were Android malware, banking Trojans, ransomware offerings and DDoS-as-a-service vendors. Since DDoS tools are mostly sold as a service and not as malware per se, we will focus here on banking Trojans, Android malware and ransomware.
Many antifraud professionals remember that banking Trojan sales saw a sharp dip in most underground boards ever since law enforcement infiltrated the ranks of the internet’s underbelly in 2010 to 2012. It was a time when the Zeus Trojan’s author made the FBI’s most wanted list, SpyEye’s creator got sentenced to jail time in the U.S. and Gozi’s mastermind got picked up by U.S. law enforcement.
With an increasingly palpable fear of law enforcement, most of those selling malware in the underground, aside from Citadel’s vendor, scattered, leaving only some low-level Zeus vendors to sell executable files generated from their existing malware builders. By 2014, even Citadel stopped selling in the underground and no actual developers were willing to openly sell full-kit banking Trojans with a modules package, a proper license, and the bug fixes and tech support fraudsters got used to buying directly from the malware’s own author.
But commercial banking Trojans have since found a way to make a comeback of sorts. In 2016, we witnessed a few notable occurrences in that regard.
New Zeus Peddlers Sell Binaries of the Old King
2016 was a notable year for the Zeus Trojan. Although it is one of the oldest commercial codes out there, it is also one of the most financially damaging banking Trojans in cybercrime history. The leak of the Zeus v2 source code in 2011 gave rise to numerous projects based on that same code in its entirety.
Let’s take the latest of the bunch, FlokiBot, Zeus Panda and Zeus Sphinx, as examples. These three were featured in new attack sprees in 2016, keeping Zeus at the top of the list of 2016’s most active financial malware in the wild. Each of these live iterations of Zeus’s code was notable in its own way.
FlokiBot emerged in Dark Web marketplaces such as Alpha Bay in October 2016 with a $1,000 price tag. This malware improved on Zeus’s code and added the targeting of point-of-sale (POS) endpoints to steal payment card data. To date, FlokitBot was used mostly to target banks and payment card data in Brazil.
Zeus Panda botnets first emerged as a commercial offering in early 2016. As of February 2016, Panda variants were detected in actual infection campaigns, spread through poisoned Word macros and exploit kits.
By summer of 2016, Panda started appearing in Brazil, right on time for an international sporting event, which is an extremely busy time for any hosting country. X-Force research noted that Panda was already fitted with a special Boleto payments module to steal money via this popular platform in Brazil.
Zeus Sphinx is another commercial Trojan based on Zeus that emerged in the underground in 2015. It was offered to forum members for $500 per kit. Sphinx may have been active since 2015, but it started considerably ramping up its activity in 2016, targeting Brazilian banks starting in the summer of 2016. According to X-Force research, Sphinx also saw some code upgrades and a new targets lists that included Canada and Australia in late 2016 and early 2017.
Offered for sale in underground forums in 2016, these Trojans gave the Zeus code yet another run among cybercriminals, enabling both new and existing actors to mount and operate new banking Trojan botnets.
New Developer Rises to the Banking Trojan Challenge
In December 2016, a malware developer with an ongoing banking Trojan project showed up in underground forums, aspiring to sell some licenses as he worked on completing the development of all its modules. The actor promised to deliver future capabilities, such as a Socket Secure (SOCKS) proxy and hidden virtual network computing (hVNC) alongside technical support and free bug fixes. The malware was named Nuclear Bot, or NukeBot, at the time.
To start, the developer, who went by the online alias Gosya, boasted that he wrote the malware from scratch, not leveraging any code from leaked sources such as Zeus, Carberp or other Trojans. By January 2017, it appeared that Gosya decided to rename the malware and market it as Micro Banking Trojan. Gosya’s efforts to inform others about the malware in different forums eventually led to him being banned by forum administrators after he used multiple aliases to post more adverts.
This case is notable because it could bring a new banking Trojan into the cybercrime arena. Although we have yet to see NukeBot/Micro Bot active in the wild, analyses performed by X-Force and other vendors found that it has the potential to rise in 2017 and bring back commercial Trojan sales in the underground.
Android Overlay Malware Presents Fraudsters With New Options
Given the complexity associated with obtaining and operating banking Trojans, that endeavor is often left to a narrower crowd of particularly tech-savvy cybercriminals, leaving a void in the fraudster underground and a demand that is not met with sufficient supply. Enter Android banking malware.
In 2016, the ongoing evolution of Android malware and a breakthrough in the shape of overlay capabilities that can mimic Trojan webinjections marked the dawn of a new era for the commercial malware scene.
Overlay Android Trojans such as GM Bot and Marcher, provided they can properly infect targeted devices, can be very similar to banking malware for the PC. They have thus become quite popular among fraudsters looking to make an easy dollar and remain attractive to the more professional cybercrime factions that use them for online banking fraud.
Overlay Trojans have notable capabilities that resemble banking Trojans from the PC:
- They can present users with fake messages that appear to come from their banks, like webinjections do.
- They conduct real-time theft of banking and payment card credentials, like banking Trojans do, by hooking the web browser.
- They use SMS hijacking to steal multifactor authentication codes sent to mobile phones, something banking Trojans do with a dedicated mobile component or social engineering injections.
These capabilities can enable Android overlay malware operators to defraud victims’ bank accounts, making them very popular among cybercriminals.
IBM X-Force researchers followed the trend in 2016 and found that the Android malware market is constantly evolving with new vendors coming into the scene, but also leaving quickly most times. The reason this happens is not new: Malware authors may be good developers, but they are not necessarily good customer service personas. Developers often attempt to sell the malware, but become overwhelmed with customers’ demands for technical support. This sometimes causes developers to stop selling their malware publicly.
Another way to spread Android malware is to leak Trojan source codes in the underground. In fact, this is often done intentionally. One such case took place in early 2016, when the GM Bot source code was leaked by one of its developer’s customers.
A number of other Android Trojans are already based on GM Bot’s source code, and this leak only meant more hands on the same code. But GM Bot went nowhere after the mishap. By March 2016, its author released version 2 of the code, continuing to sell it in the underground just before being banned. Nonetheless, by October 2016, X-Force researchers had discovered a new GM Bot upgrade capable of operating on Android M distributions.
Since GM Bot is still an active project, the developer will likely continue to offer it commercially, if not in underground forums, and then offer it to new, trusted buyers referred by existing ones.
Ransomware and RaaS: Low-Cost Money Makers
Another strong rising contender in the underground arena has been ransomware. A variety of commercial ransomware models were offered to cybercriminals of all skill levels in 2016.
Ransomware saw exponential growth in 2016. With over 4,000 attacks per day, reported losses rising 770 percent since 2015, and a 6,000 percent hike in spam-carrying ransomware, law enforcement warned that there may be no end in sight.
One of the most notable things about ransomware’s sustained popularity is its widespread availability for cheap — sometimes even for free. Some ransomware codes are available as open source code that malicious developers can pick up and render operational. As such, these codes are free to obtain, test and even illicitly use.
Lower grade codes are offered for a low cost, sometimes under $100. Second-rate ransomware such as Alpha Locker, for example, is sold for $65.
Figure 1: Alpha Locker ransomware code selling for $65 in bitcoin (Source: IBM X-Force)
Commodity sale of the ransomware kit is available through a variety of vendors. For example, the popular Cerber ransomware was offered to fraudsters on a Russian-speaking Dark Web forum.
Ransomware-as-a-service (RaaS) vendors make their malware available over a platform that can accommodate numerous criminals. Some RaaS offerings, such as Ransom32, allow fraudsters to pay periodically to use the vendor’s malware.
Figure 2: Ransom32’s ransomware-as-a-service offering (Source: IBM X-Force)
Ransomware affiliates and profit-share vendors pull in a large number of collaborators to spread the malware and gain illicit profits from the operation of ransomware. A fraudster might join a profit-share scheme in which the original vendor, for example, maintains the malware’s code and cryptocurrency receipt infrastructure while the accomplice uses the malware at no cost, infecting as many victims are possible.
In return for infecting new victims, partners in such profit-sharing arrangement receive 70 percent of whatever payments victims send, and the vendor keeps a 30 percent cut. Take, for instance, the Satan ransomware, which was advertised on the Dark Web in the summer of 2016.
Figure 3: Satan ransomware affiliates with a profit-share element (Source: IBM X-Force)
These models, which often come with technical support, offer yet another way for cybercriminals to fill the void left by the low supply of banking Trojans in the underground. They also add diversity in malware types, which enables more malicious actors to find the right fit for their own nefarious goals.
Ransomware lowers the bar for cybercriminals in the underground because it is relatively easy to infect users and quite simple to operate, especially compared to banking Trojans. Judging by the numerous spikes in ransomware attacks in 2016, this malware type has allowed more newcomers to join the ranks of cybercrime and reinforced the interest of veteran attackers.
Cybercrime is a vast, dark economy that is expected to cause an estimated $2 trillion in losses by 2019. The commercial underground, where cybercriminals buy, sell and exchange information, tools, and accomplices, is a worldwide network that supports its own growth. In 2016, Arizona State University researchers used Dark Web crawling and mining to discover that over 300 different offerings emerge each week in forums and hosting sites hidden via Tor services and other anonymizers.
Commercially available malware is only one of the types of offerings up for sale by cybercrime vendors. When it comes to real-world losses, however, it is one of the most significant threats, affecting consumers and businesses alike.
Seeing the growing popularity of what’s considered to be lower grade malware in the underground, X-Force research expects to see this trend continue and intensify in 2017. To read additional observations about shifts in the security landscape, read the full IBM X-Force Threat Intelligence Index.