Accessing sophisticated malware in dark web marketplaces used to be a commoditized business in which developers sold software offerings to their criminal customer base. Over time, these commodities have turned into services, which reduce costs and keep the malware’s code in developers’ hands.
Threat actors are increasingly using malware builder services, also known as malware-as-a-service (MaaS), to buy one-off binary files, allowing them to easily use sophisticated malware suites at cost-effective price models. At the same time, IBM X-Force research has observed underground markets selling infrastructure-as-a-service (IaaS), facilitating their deployment and use by threat actors.
This trend of outsourcing malware and infrastructure development reduces the technical skills requirement for advanced attacks, allows cybercriminals to scale their operations without added effort, and challenges network defender responses and attribution. However, on the flip side, this increased centralization can also make blocking malicious activity more effective.
What Are Cybercriminals Selling on the Dark Web?
In general, the dark web market of online fraud services is geared toward offering the help of technically skilled criminals to their less skilled counterparts. As such, paying customers can get access to any facet of the cybercrime supply chain of their choice.
What Is Infrastructure-as-a-Service (IaaS)?
Infrastructure-as-a-Service (IaaS) is an offering in which a threat actor is selling access to infected devices that can be used to facilitate malicious campaigns, gain direct access to the device owner’s data or access the network that device is part of, including enterprise networks.
This infrastructure includes varying numbers of compromised machines spread throughout different parts of the globe. It would typically rely on servers hosted in hard to reach locations (think Syria or Darfur), or servers hosted by internet service providers that cannot or will not shut down malicious activity, or where that activity is not illegal.
By outsourcing the development of infrastructure to a dark web service provider, a threat actor can start planning their campaign without the skill or time required to set up a robust back-end infrastructure.
What Is Malware-as-a-Service (MaaS)?
Malware-as-a-service (MaaS) is a common offering found on underground forums and marketplaces to sell prepackaged malware to other threat actors.
Instead of paying thousands of dollars for the malware kit, a threat actor can purchase the same malware in its MaaS model for a fraction of the cost and receive a malicious file, often in a format specified by the buyer, that can be immediately used in an infection campaign. MaaS affords the vendor the agility to frequently update its code with exploitable vulnerabilities, allowing the same service to maintain potency over a long period of time and keep its customer base satisfied.
The price point for these services varies based on factors such as the reputation of the seller and the sophistication or modularity of the malware being sold. MaaS offerings often include add-ons, like the infrastructure used to host the malware and command-and-control (C&C) server. Such a package constitutes a joint MaaS/IaaS offering.
A Dark Web of Supply and Demand
Nowadays, the dark web is a vibrant market for cybercrime services where many MaaS, IaaS and combined products are sold.
For example, X-Force observed a MaaS provider selling the more_eggs Jscript backdoor, as well as associated network infrastructure to download malicious payloads and provide command and control. Multiple threat actors have been using this tool since early 2018. Sold in underground markets, more_eggs is designed to help attackers remotely control compromised devices, enabling them to drop and execute additional payloads on the machines and their underlying networks.
The vendor selling this product reportedly also offers document exploit kits to deliver the more_eggs payload, including the Taurus Builder to generate documents using malicious macros and VenomKit, which can exploit several vulnerabilities on targeted devices.
In a nutshell, a threat actor using this MaaS provider would have everything they need to gain entry and establish a foothold in a victim environment. Beyond infecting individual users, the more significant implications can come in the shape of a data breach, enabling an attacker to expand and entrench their presence on a network infected with more_eggs.
Why Dark Web Offerings Are a Blessing and a Curse
As MaaS and IaaS continue to gain traction in underground channels, the security implications multiply.
With access to higher-quality malware, more threat actors will be able to engage in increasingly sophisticated attacks. The growing popularity of MaaS and IaaS also has the potential to increase the number of incidents over time.
Additionally, malware and network indicators will be less reliable for attack attribution since the same malware and infrastructure could be used by multiple actors. Those looking to attribute malicious activity will have to examine other elements of the attack, such as additional malicious payloads and tactics, techniques and procedures (TTPs) related to escalation, persistence, perceived motivations or objectives, and lateral movement techniques.
Furthermore, threat actors will be able to specialize more because they no longer need to code their own malware — meaning each cybercriminal can become a little bit better at what they do.
Not all the news is bad, though; there are some potential benefits to this state of affairs in the underground economy. The shared use of infrastructure or malware can make blocking activity more efficient, since more threat actors may be using the same centralized resources for their attacks. Blacklisting a set of indicators could in turn block other actors using the same servers.
Similarly, once a particular malware builder is detected, blocking subsequent versions may be easier because there is likely to be common code and indicators between versions.
Finally, prebuilt malware can often be noisier than custom-built versions because pregenerated malware is deployed indiscriminately, without the attacker knowing what systems or processes are in the targeted environment. This can make malware obtained from a MaaS provider easier to find and neutralize.
How to Mitigate the Threat of MaaS and IaaS
What can defenders do to protect their networks from MaaS, IaaS and other services purchased from dark web marketplaces? Here are some tips from the X-Force Incident Response and Intelligence Services (IRIS) team:
- Use the X-Force IRIS Cyberattack Preparation and Execution Framework to detect and mitigate threat actor activity.
- Use threat intelligence on the latest malware-as-a-service offerings to inform endpoint protection mechanisms and on known malicious infrastructure-as-a-service indicators to augment network security solutions.
- Focus on blocking higher-level indicators, such as infrastructure, threat actor motivations and objectives, as well as broad TTPs, rather than individual hash values for malware, since hashes are the easiest component for threat actors to change.
- Recognize the limitations of antivirus and static signature protection and institute a defense-in-depth strategy.
Senior Cyber Threat Intelligence Analyst - IBM
Cyber Threat Hunt Analyst, IBM Security