MaaS as a business model

Malware-as-a-Service has a market: Kaspersky’s detailed analysis is an alarm


Money is often the driving force behind many criminal activities, including cybercrime. It was only a matter of time before malware creators started distributing malicious programs and selling them to less technically skilled attackers. This, in turn, has lowered the barrier to entry into the world of cybercriminals. 

The emergence of the Malware-as-a-Service (MaaS) business model has facilitated this trend, allowing malware developers to share their tools with affiliate attackers and making it even easier to get involved. Kaspersky's analysis focuses on how MaaS operates, the types of malware commonly distributed through this model, and how external factors influence the MaaS market.

Securelist deep sweep

“We have identified 97 malware families spread through the MaaS model since 2015 by gathering data from various sources, including the dark web.” They are categorized into five groups based on their purpose: 

  • ransomware, 
  • info stealers, 
  • loaders, 
  • backdoors, and 
  • botnets.

As anticipated, most malware families distributed through MaaS are ransomware (58%), with info stealers accounting for 24% of the cases. The remaining 18% are divided among botnets, loaders, and backdoors.

Source: Securelist

Interestingly, despite ransomware being the most prevalent malware type, info stealers receive the most mentions within dark web communities. Ransomware comes in second place in terms of activity on the dark web, showing an increase since 2021. On the other hand, mentions of botnets, backdoors, and loaders have been gradually declining.

In the case of ransomware, the analysis tracks the dynamics of mentions for five notorious families: GandCrab, Nemty, REvil, Conti, and LockBit.

The graph below illustrates the main events that significantly impacted the discussions surrounding these ransomware families.

How do they do it?

  • Those offering Malware-as-a-Service (MaaS) are commonly known as operators. 
  • The individuals using the service are referred to as affiliates, and the service itself is termed an affiliate program.

There are eight key components inherent in this model of malware distribution. MaaS operators typically comprise a team of several individuals, each with specific roles.

Stages to join malware categories

This includes the process of joining the program and the ultimate objectives of the attackers. 

“We have found out what is included in the operators’ service, how the attackers interact with one another, and what third-party help they use. Each link in this chain is well thought out, and each participant has a role to play.”

YouTube could be a significant threat

Cybercriminals frequently exploit YouTube to disseminate info stealers. They gain unauthorized access to user accounts and upload videos containing advertisements for cracks and instructions on hacking various programs.

In the case of MaaS info stealers, the distribution relies on attackers known as traffers, who are hired by the affiliates. 

Insight to have

Monitoring the darknet and comprehending the structure of the MaaS model and the capabilities possessed by the attackers enables cybersecurity professionals and researchers to gain insights into the thought processes of malicious actors. 

This understanding assists in predicting their future actions and helps mitigate emerging threats.

Author: PureVPN

Date: June 16, 2023

