Cybercriminals shopping for malware tools and services can find plenty of wares available for free or next to nothing in emerging Middle East and North African cybercrime underground marketplaces.
Shopping these markets can be tricky for outsiders and often involves a vetting process, a joining fee, and more than a passing knowledge of Arabic. But those who do manage to become members can often obtain a range of malware tools, including SQL injection tools, keyloggers, crypters, and instruction manuals, for free, a study by Trend Micro has revealed.
"The most interesting driver here is the deep permeation of religious influence – from what is sold to how users and sellers interact," says Ed Cabrera, chief cybersecurity officer for Trend Micro.
The trend is significant. The Middle East and North Africa is a young but emerging cybercrime region. It is increasingly thriving as a place where threat actors can coordinate and launch attacks against targets around the world. As underground markets and threat actors in the region develop and diversify, expect to see cyberattacks that go well beyond the usual Web defacements and denial of service attacks, Trend Micro said.
Expect also to see continued and closer coordination with the Russian underground, which has shown a tendency to hire malware coders from the Middle East and North Africa, the report says. Already, one of the underground sites that Trend Micro studied had advertisements promoting Russian and China-based underground forums.
Trend Micro studied Middle East and North Africa’s online underworld between July 2016 and December 2016. During that time the security vendor examined things like the kind of merchandise available for sale in these markets, average prices for malware tools, and the interactions between buyers and sellers.
What Trend Micro discovered was a marketplace that was both similar to and very different from other underground markets elsewhere around the world.
Many of the malware products and services available in Middle East and North African markets were the same as those available elsewhere. Products included credit card and credential dumps, malware tools, and stolen identity information including passport scans and driver's license data. Several markets that Trend Micro studied also supplied do-it-yourself kits for launching malware schemes.
The general offerings between the underground markets in the Middle East and North Africa and elsewhere were relatively consistent, Cabrera says. "Differences that we see stem from the societal influences that drive each of the economies," he says.
Unlike cyber underground markets in Russia and China, for instance, profit did not appear to be a primary driving factor behind many of the Middle Eastern and North African operations. Instead, a spirit of sharing and a sense of brotherhood appeared to be the primary drivers behind the distribution of crimeware.
Many of the sellers and buyers in these digital souks appear gathered around a common cause and ideology. In addition to members readily handing out malware tools for free, they also tended to cooperate with each other in planning and launching malicious campaigns such as Web defacement and distributed denial-of-service attacks.
While such sharing exists in other forums as well, the sheer prevalence of it on Middle Eastern and North African digital souks is interesting, Cabrera says. "Other underground marketplaces provide support to members, but the extent and willingness in this region is unique," he notes.
Significantly, none of the marketplaces that Trend Micro studied was involved in the sale of weapons or drugs. Visitors looking to buy these items were directed to forums in the North American underground instead.
Prices for individual malware and hacking tools in these markets tended to be higher than in other regions. For example, keyloggers that sell for between $1 and $4 in the North American underground can cost as much as $19 in Middle Eastern and North African forums. But because members are willing to share their malware for a mutual cause, the price difference is usually balanced out, Cabrera says.
In some cases, tools and information that fetch a hefty price in other markets were available for free. Port numbers for Internet-connected Supervisory Control and Data Acquisition (SCADA) systems, for instance, were available for free in the cybercriminal underworld in this region, while a WannaCry ransomware sample was available for just $50.
"There is a broad range of technical capabilities seen among actors in this underground," Cabrera observes.
"The culture allows for budding script kiddies to get their feet wet, while some of the larger Hacking as a Service and defacement campaigns are run by more experienced, sophisticated actors. This is similar to what we've seen in the North American or Russian undergrounds, which foster a breadth of malicious actors."