As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last? A few years, maybe. Now security pros think in terms of how often their organization will be attacked and at what cost. Or they consider how the line between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier.
MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users up to date about new features. MaaS brands are nearly indistinguishable from their SaaS counterparts.
A recent Cyble Research report — about a new malware strain named DuckLogs — shows exactly how much cyber crime is looking like a mainstream digital business. And some other MaaS groups are boosting their offerings to an even higher level.
Malware-as-a-Service goes mainstream
As per Cyble, DuckLogs bundles several malicious capabilities: an information stealer, a keylogger, a clipper (a clipboard hijacker that swaps copied cryptocurrency wallet addresses for the attacker’s) and remote access. The stealer component collects users’ sensitive information, such as passwords, cookies, browser login data, histories and crypto wallet details, and then exfiltrates the stolen data from the victim’s computer to the operators’ command-and-control (C2) server.
Check out one of the DuckLogs dashboard pages. It boasts a running tally of users, total victims, daily victims and total builds. There’s also a handy announcement board built in:
DuckLogs has some pretty decent copywriters as well. See how they showcase their features.
You can even choose from a variety of DuckLogs subscription plans:
Actors can also build the malware binary by customizing the options provided on the Settings page of the web panel. Just look at how slick the customization is:
It doesn’t take long to realize that the DuckLogs cyber gang uses the same principles of user experience and customer satisfaction as many software vendors do. But the problem is that they are criminals selling damaging tools to other criminals. And legitimate businesses, government offices, organizations and individuals across the globe are paying for it.
User-friendly services and interfaces aren’t the only way threat actors are looking like mainstream companies, though.
Bug bounty for cyber threat groups
In late June 2022, ISMG reported that the Ransomware-as-a-Service (RaaS) group LockBit was offering its own bug bounty program. A bug bounty is a program offered by legitimate websites, organizations and software developers through which individuals receive recognition and rewards for reporting bugs, with an emphasis on security vulnerabilities and exploits.
The ISMG report says that LockBit announced it would pay anyone who finds exploitable vulnerabilities or bugs in the software it uses to maliciously encrypt files, in particular flaws that would let victims recover their data without paying.
“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1,000 to $1 million,” the group posted on its website, according to malware repository vx-underground.
While white hat hackers take up legitimate Bug Bounty projects, the LockBit program proudly exclaims, “Make Ransomware Great Again!”
As per ISMG, Mike Parkin, senior technical marketing engineer at Vulcan Cyber, a risk management company, said, “Malware gangs have reached a level of maturity that they are, literally, professionally run businesses.” Bug bounties have been successful for major companies, including Microsoft and Google. If a bug bounty is good enough for Silicon Valley, “why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?” said Parkin.
400,000 compromised systems and counting
There are even more signs of the growing professionalization and specialization of the cyber crime sphere. Recently, Sophos X-Ops cited a remarkable increase in median “dwell time” — the amount of time attackers spend in a system before they’re removed or noticed. Part of the increase is due to the rise of initial access brokers (IABs). These services establish a foothold on a victimized system, find out what’s available on it and steal relevant cookies and other identifiers. IABs gain and maintain access which they can later sell to other criminals.
As per Sophos, one IAB, called Genesis, is especially noteworthy. Genesis is an invitation-only marketplace that sells credentials, cookies and browser fingerprints exfiltrated from compromised systems. The IAB provides the data together with sophisticated tools that make the stolen material easy to use.
Active since 2017, Genesis lists more than 400,000 “bots” (compromised systems) in over 200 countries, with most of its activity concentrated in Italy, France and Spain. As a MaaS group, Genesis doesn’t stand out for the sheer volume of data it steals. Instead, the IAB is known for high-quality data and a commitment to keeping stolen information current: as long as Genesis retains access to a compromised system, its customers have a backdoor to up-to-date victim information at all times.
In other words, even if victims realize their credentials have been stolen and change their passwords to block intruders, the attackers still hold the session cookies and browser fingerprint. A password change does not by itself invalidate sessions that are already open, so those cookies often keep working, and the complementary data can also be used to extort affected users. Even worse, as long as Genesis maintains a foothold on the compromised machine, the new credentials are simply re-stolen.
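The following is an added example written for this article, not code from Sophos, Genesis or the original author. It shows why rotating a password does not evict an attacker who already holds the victim’s session cookie, and one way a service can fix that: two toy session stores both issue HMAC-signed cookies, but only the second binds each cookie to a per-user password generation counter that is bumped on every password change. The server key, user names and passwords are constructed for the example.

```python
"""Added example: a stolen session cookie survives a password change unless the
service ties sessions to the password generation. Not code from the article,
Sophos or Genesis; all keys, users and passwords are constructed."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-example-signing-key"  # assumption: real code loads a managed secret


def _pw_hash(user: str, password: str) -> str:
    # Toy hash for the example only; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _verified_payload(cookie: str):
    """Return the cookie payload if its HMAC is valid, else None."""
    payload, _, sig = cookie.rpartition(".")
    if not payload or not hmac.compare_digest(_sign(payload), sig):
        return None
    return payload


class NaiveSessions:
    """Cookie = 'user:nonce.sig'. Nothing in it changes when the password does."""

    def __init__(self):
        self.pw_hashes = {}

    def set_password(self, user: str, password: str) -> None:
        self.pw_hashes[user] = _pw_hash(user, password)

    def _check(self, user: str, password: str) -> None:
        if self.pw_hashes.get(user) != _pw_hash(user, password):
            raise PermissionError("bad credentials")

    def login(self, user: str, password: str) -> str:
        self._check(user, password)
        payload = f"{user}:{secrets.token_hex(8)}"
        return f"{payload}.{_sign(payload)}"

    def user_for(self, cookie: str):
        payload = _verified_payload(cookie)
        return payload.split(":")[0] if payload else None


class GenerationBoundSessions(NaiveSessions):
    """Cookie = 'user:gen:nonce.sig'. set_password bumps gen, so old cookies die."""

    def __init__(self):
        super().__init__()
        self.generation = {}

    def set_password(self, user: str, password: str) -> None:
        super().set_password(user, password)
        self.generation[user] = self.generation.get(user, 0) + 1

    def login(self, user: str, password: str) -> str:
        self._check(user, password)
        payload = f"{user}:{self.generation[user]}:{secrets.token_hex(8)}"
        return f"{payload}.{_sign(payload)}"

    def user_for(self, cookie: str):
        payload = _verified_payload(cookie)
        parts = payload.split(":") if payload else []
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        user, gen = parts[0], int(parts[1])
        return user if gen == self.generation.get(user) else None


def stolen_cookie_still_works(store_cls) -> bool:
    """Victim logs in, a stealer copies the cookie, the victim rotates the password."""
    store = store_cls()
    store.set_password("victim", "hunter2")
    stolen = store.login("victim", "hunter2")        # exfiltrated by the stealer
    store.set_password("victim", "correct-horse")    # victim reacts to the breach
    return store.user_for(stolen) == "victim"


if __name__ == "__main__":
    print("naive store:", stolen_cookie_still_works(NaiveSessions))                   # True
    print("generation-bound store:", stolen_cookie_still_works(GenerationBoundSessions))  # False
```

Note what this does and does not fix. Binding cookies to the password generation (or, equivalently, keeping a server-side session table and clearing it on password change) closes the window in which an exfiltrated cookie keeps working. It does nothing about the second problem described above: if the stealer is still running on the endpoint, the very next login is captured too, so the host has to be cleaned before any credential rotation is worth much.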
Given that Genesis is invite-only, a cottage industry of fake Genesis sites has evolved. Now, fake-Genesis phishers are scamming other scammers.
Security pros must rise to the challenge
How can a security professional hope to withstand such highly advanced attacks from services such as DuckLogs, LockBit and Genesis? The reality is that cybersecurity threats are becoming more dangerous and more persistent, which demands a huge effort by security analysts to sift through countless incidents.
Given the rising threat, many companies are pivoting to solutions such as Security Information and Event Management (SIEM). A SIEM centralizes logs and alerts from across the environment, correlates them and prioritizes high-fidelity alerts, which helps analysts surface hard-to-find threats and remediate them faster.
When backed by artificial intelligence, a SIEM is even more effective at weighing threat intel against network and user behavior anomalies to prioritize where immediate attention and remediation are required. As intruders trigger detection analytics, move laterally across the network or change behavior, the SIEM can track their movement, provided the relevant endpoint, identity and network logs are actually being collected.
What’s more, a SIEM can correlate, track and identify related activities throughout a kill chain into a single high-fidelity case while automating prioritization.
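To make the correlation idea concrete, here is an added example written for this article; it is illustrative code, not the logic of any SIEM product. It groups a handful of constructed alerts per host into cases, splitting a case when there is a long gap between alerts, records which kill-chain stages each case covers and ranks the cases so the one that has progressed furthest (exfiltration after credential access and C2 beaconing) comes out on top. The detection names, the stage mapping, the two-hour window and the log lines are all constructed for the example.

```python
"""Added example: kill-chain correlation over constructed alerts. Illustrative
code for this article, not any vendor's SIEM logic; every name below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified kill-chain stage for each detection name (constructed mapping).
STAGE_OF = {
    "phish_attachment_opened": "delivery",
    "unsigned_binary_executed": "execution",
    "browser_credential_store_read": "credential_access",
    "new_admin_logon": "lateral_movement",
    "beacon_to_known_c2": "command_and_control",
    "large_outbound_upload": "exfiltration",
}

# Constructed sample alerts: "ISO-8601 time|host|user|detection".
SAMPLE_ALERTS = [
    "2022-12-05T09:01:10Z|ws-17|alice|phish_attachment_opened",
    "2022-12-05T09:01:42Z|ws-17|alice|unsigned_binary_executed",
    "2022-12-05T09:02:05Z|ws-17|alice|browser_credential_store_read",
    "2022-12-05T09:03:30Z|ws-17|alice|beacon_to_known_c2",
    "2022-12-05T11:15:00Z|ws-42|bob|unsigned_binary_executed",
    "2022-12-05T09:40:00Z|ws-17|alice|large_outbound_upload",   # arrives out of order
    "2022-12-06T08:00:00Z|ws-17|alice|phish_attachment_opened",  # next day: a new case
]


def parse_alert(line: str) -> dict:
    ts, host, user, detection = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "detection": detection,
        "stage": STAGE_OF.get(detection, "unknown"),
    }


def severity(stages: list) -> str:
    """Rank a case by how far down the kill chain it has progressed."""
    if "exfiltration" in stages or len(stages) >= 4:
        return "critical"
    if "command_and_control" in stages or len(stages) >= 2:
        return "high"
    return "low"


def correlate(lines, window: timedelta = timedelta(hours=2)) -> list:
    """Group alerts per host into cases; a gap longer than `window` starts a new case.

    Returns the cases sorted so the one covering the most kill-chain stages comes first.
    """
    by_host = defaultdict(list)
    for alert in sorted((parse_alert(line) for line in lines), key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)

    cases = []
    for host, alerts in by_host.items():
        case = None
        for alert in alerts:
            if case is None or alert["ts"] - case["last_seen"] > window:
                case = {"host": host, "users": set(), "stages": [], "alerts": [],
                        "first_seen": alert["ts"], "last_seen": alert["ts"]}
                cases.append(case)
            case["alerts"].append(alert)
            case["users"].add(alert["user"])
            case["last_seen"] = alert["ts"]
            if alert["stage"] not in case["stages"]:
                case["stages"].append(alert["stage"])  # keeps first-seen order
    for case in cases:
        case["severity"] = severity(case["stages"])
    return sorted(cases, key=lambda c: (-len(c["stages"]), c["first_seen"]))


if __name__ == "__main__":
    for case in correlate(SAMPLE_ALERTS):
        print(f"{case['host']} {case['first_seen']:%Y-%m-%d %H:%M} "
              f"{case['severity']:8} stages={' > '.join(case['stages'])}")
```

The point of the example is the shape of the output rather than the scoring itself: the five alerts on ws-17 collapse into one critical case with a readable stage sequence, while the lone execution alert on ws-42 and the next-day phishing alert stay as separate low-priority cases an analyst can defer. A real deployment would key cases on more than the host name (user, process tree, source IP) and would tune the window and severity rules to its own telemetry.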
As cyber threats reach higher levels of sophistication, security measures must step up to meet the challenge.