Accessing the sophisticated malware in dark web marketplaces used to be a commoditized business in which the developers sold software offerings to their criminal customer base. Over time, these commodities have turned into the most important services, which reduce costs and keep the malware’s code in developers’ hands. The threat actors are increasingly using malware builder services, which is also known as malware-as-a-service (MaaS), to buy one-off binary files, permitting them to easily use sophisticated malware suites at cost-effective price models. At the same point of time, IBM X-Force research has observed the underground markets selling infrastructure-as-a-service (IaaS), facilitating their deployment and use by the threat actors. This trend of outsourcing malware and infrastructure development reduces the technical skills required for advanced attacks and permits the cybercriminals to scale their operations without any added effort and as well as challenges the network defender responses and attribution. Nevertheless, on the flip side, this increased centralization can also make blocking malicious activity more effective.
Generalizing everything, the dark web market of online fraud services is geared toward offering the help of technically skilled criminals to their less-skilled counterparts. As such, the paying customers can get access to any facet of the cybercrime supply chain of their choice.
Infrastructure-as-a-Service (IaaS) – An Idea
Image Source: https://themarketresearchnews.com
Infrastructure-as-a-Service (IaaS) is an offering in which a threat actor sells access to infected devices that can be used to facilitate malicious campaigns, gain direct access to the device owner’s data or access the network that the device is a part of, including enterprise networks. This infrastructure includes varying numbers of compromised machines spread throughout various parts of the globe. It would typically rely on servers hosted in hard to reach locations (like Syria or Darfur), or servers hosted by internet service providers that cannot or will not shut down any malicious activity or where that activity is not illegal. Taking the help of outsourcing the development of infrastructure to a dark web service provider, a threat actor can start planning their campaign without the skill or time required to set up a robust back-end infrastructure.
Malware-as-a-Service (MaaS) – An Idea
The Malware-as-a-service (MaaS) is a pretty common offering found on the underground forums and marketplaces in order to sell prepackaged malware to other threat actors. With MaaS, instead of paying thousands of dollars for the malware kit, a threat actor can purchase the same malware in its MaaS model for a fraction of the cost and receive a malicious file, often in a format that is specified by the buyer and can be immediately used in an infection campaign. MaaS affords the vendor the agility to frequently update its code with exploitable vulnerabilities, permitting the same service to maintain potency over a long period of time and keep its customer base satisfied in general. The price point for these MaaS services varies based on several factors such as the reputation of the seller and the sophistication or modularity of the malware being sold. MaaS offerings often include add-ons, such as the infrastructure used to host the malware and command-and-control (C&C) server. Such a package constitutes a joint MaaS/IaaS offering.
Image Source: https://ubuntu.com
Currently, the dark web is a vibrant market for cybercrime services where several MaaS, IaaS and the combined products are sold. As for an example, X-Force has observed a MaaS provider that sells the more_eggs JScript backdoor and as well as associated network infrastructure in order to download the malicious payloads and also provide command and control. Multiple threat actors have been using this tool since early 2018 and being sold in the underground markets, more_eggs is designed to help attackers remotely control compromised devices, enabling them to drop and execute additional payloads on the machines and their underlying networks. The vendor who is selling this product is known to reportedly offer document exploit kits in the bid to deliver the more_eggs payload, which includes the Taurus Builder to generate documents using malicious macros and VenomKit, which can exploit several vulnerabilities on targeted devices.
Mitigating the Threat of MaaS and IaaS
Is there any way by which the defenders can protect their networks from MaaS, IaaS and other services that are purchased from the darknet marketplaces? Well, the X-Force Incident Response and Intelligence Services (IRIS) team have come up with the below-mentioned tips:
- The defendants need to use the X-Force IRIS Cyber attack Preparation and Execution Framework to detect and mitigate threat actor activity.
- The defendants must use threat intelligence on the latest malware-as-a-service offerings to inform endpoint protection mechanisms and on known malicious infrastructure-as-a-service indicators to augment the network security solutions.
- They must focus on blocking the higher-level indicators, such as the infrastructure, threat actor motivations and objectives, as well as broad TTPs, rather than individual hash values for malware since hashes are the easiest component for threat actors to change.
- Last but not least is to recognize the limitations of antivirus and static signature protection and institute a defense-in-depth strategy.
Source: Security Intelligence
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither Darkweblink.com nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation with the reliance on or usage of any content, goods or services mentioned in this article.