Malware: A Growing Economy 💰

@mikecybersec
5 min readJan 14, 2020
The Attic Virus by Mohamed Chahin
https://dribbble.com/shots/7113214-The-Attic-Virus

The good ol’ VX Days…

“This is a down and dirty zine which gives examples on writing viruses, and this magazine contains code that can be compiled to viruses. If you are an anti-virus pussy, who is just scared that your hard disk will get erased so you have a psychological problem with viruses, erase these files. This ain't for you.” — 40H Vmag Issue 1 Volume 1 @ https://www.textfiles.com

I wanted to take us back to VX (Virus Share), which was a nostalgic time in infosec. Let’s go back to the 90’s, when these zines were published and distributed and malware was measured in bytes! Some samples were smaller than a message sent via social media.

These are nostalgic to read because they highlight how much malware writing has shifted since then. Back then it seems to have been a hobby and a culture, especially in the States, from where it spread across Europe and other parts of the globe. Some zines show malware that would activate on Friday the 13th and wipe the user’s computer or damage their files. The zine would contain the entire payload required and include compilation instructions. Neat, right?! Some malware was also written to see how far across the States the author could get their pseudonym known, and some of those authors ended up on state wanted lists as young as 15 years old.

Fast forward to 2020, where we are now. Malware writing has become a rare skill that drives both the underground and infosec research. It is becoming a business-like model in the underground, and we’re seeing constant changes in that space that threaten businesses, as the actors continue to innovate their operations: becoming more customer-centric, bringing in managerial strategies and creating a hierarchy in their ‘business’.

Money money money! ft. Dark web recruitment

So straight away, this isn’t a new thing. KrebsOnSecurity wrote up a really good piece in June of 2011 (Criminal Classifieds: Malware Writers Wanted). It highlighted the same issue: malware authors are being sourced from genuine enterprise environments because they have the developer traits required.

As you can see below, here is one of the adverts hosted on a .onion link. This is an ‘Experienced Hacker’ offering his services in the freelance dev style we normally see on the ClearNet.

You can also see this person describes their target criteria as “could earn 50–100 euro an hour with a legal job” and “im not from some crappy eastern european country”, which, based on the currency, indicates this person is Western European and seems to know their target market.

https://resources.infosecinstitute.com/hacking-communities-in-the-deep-web/#gref

This one’s a lot less sophisticated, but so is the aim of the attack. They’re looking for students (likely impressionable young people) and those who are looking to break into the underground economy.

Telegram — Ideal for transmitting encrypted messages, perfect for this scenario.

They also seem to work on a commission basis, i.e. a minimum of 50 messages, with payment based on the number of messages sent. This makes me feel there is a hierarchy here just like in any other business: the people running these scams for the OP will merely be foot soldiers.

The benefits of this trend for the blue team

So all in all, business is booming! However, on the defence front we can certainly deduce that for as long as this is a ‘business’ per se… human mistakes will be made.

Analysing these ‘job ads’, we see they are structured very much like a Silicon Valley dev job ad. Some ask for particular personality traits, and some notably ask for experience with JIRA and Confluence. Odd, right? Seems it’s not just the blue team using these.

With the underground malware community moving towards a more business-focused strategy, they will attract devs who commonly make the mistakes found in enterprise environments: exposing ports and services, slipping up with PerSec (Personal Security) and leaking information, or reusing account details across identities in a way that links them back to their role in malware writing.

Ransomware-As-A-Service (RaaS)

Consider how easy it now is for a customer to go to malware writers, who no longer need their own motive to act.

RaaS has been a growing change in the underground scene over the past 5 years. Quite a simple concept actually: supply and demand.

Why would a threat actor or APT spend all this time writing their own payloads when they need that time to distribute, manage and move to the next phase of the attack? Don’t reinvent the wheel!

Now malware authors have started to go solo in their operations and offer malware as a service, whether that’s a DDoS botnet, ransomware, or other supporting components for an attack such as an encrypter that can be embedded into a custom payload.

They seem to charge differently from model to model: subscription based, success based, one-time payment based, and offers such as buy 50 get 50 free. See below for an example of some of the adverts…

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” — Stephen Hawking, 01.08.1942–03.14.2018
