The Rising Tide of Crimeware-as-a-Service
Malware, botnets, phishing and backdoors are all offered on the cheap as subscriptions. These days even crime is in the cloud.
June 13, 2017
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt23b6d37b85b2434b/64f0d89ff169c5643e886b03/01-service.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Today's successful malware writers are remarkable in their ability to adjust not only their technical capabilities to evade the latest security technologies, but also their business practices to meet the needs of money-motivated criminals across the globe.
So it's no surprise that so many cybercriminal ventures today have adjusted both their technology stacks and their revenue models to service clients with crimeware in the same way that your average software vendor does. Crimeware, stolen data, and other salable items on the Dark Web are increasingly sold as a service.
Here are some facts and figures that show how pervasive the SaaS mentality has become in the cybercriminal underground.
WannaCry was one of the best marketing vehicles that the crooks behind the Shadow Brokers threat actor group could possibly have hoped for. The ransomware outbreak was spread through a special exploit stolen by the Shadow Brokers from the NSA. Now the group appears to be hoping to make some hay while the sun shines. Last week it announced it was launching a new monthly data dump service for customers to access exploits, zero-days, and hacking tools stolen from the U.S. government. The asking price: $23,000 per month.
It's gotten to the point now where the typical exploit kit is completely offered up on a SaaS basis. Interestingly, the subscription prices for these kits follow a number of market trends - including one unique to the cyber black market: takedowns and mysterious disappearances of criminal competition.
Last year, when the Angler exploit kit disappeared from the market, monthly prices for the Neutrino kit doubled nearly overnight, from $3,500 to $7,000, according to Check Point researchers.
Given this trend, it'll be interesting to see what happens to the market now that the RIG exploit kit was dealt a big blow with a domain takedown of over 40,000 shadow domains.
Botnet rentals are getting even more interesting now that Mirai-style IoT DDoS attacks are upping the stakes. Following massive attacks against a number of high-profile targets including DNS provider Dyn, news on the street was that a number of Mirai botnet subscription services were advertising their wares. One of the largest claimed to offer up 400,000 devices for rent. Pricing ranges anywhere from $3,000 for a two-week campaign with 50,000 compromised devices to $7,500 for a 100,000-bot service.
Just as legitimate services provide a la carte selections and add-ons to mix and match to buyers' needs, so too do crimeware services. Last month Terbium Labs and Check Point researchers detailed a modular botnet service called DiamondFox that offers up a ton of different options, fronted with a highly professional and user-friendly management panel.
"This highly modular malware seems to cover everything from keylogging and browser password stealing, all the way to a variety of Distributed Denial of Service (DDoS) attack techniques through crypto currency wallet stealing," the report on DiamondFox explained. Starting prices for the services were at around $300, with plug-ins offered for $150.
The incipient rise of ransomware has occurred in lockstep with the increasing occurrence of ransomware-as-a-service. One of the first cropped up in 2015; Tox was remarkable for its unique business model. It was offered up on a profit-sharing basis. Its writers asked no up-front fee but did request 20% for any ransom paid by victims to its users. Tox dropped off the scene fairly early on, but it's been followed by plenty of copycats. The profit-sharing must be lucrative for everyone involved because malware writers have significantly upped their vig. According to reports last summer, Cerber authors were charging a 40% cut in ransoms paid to users of their services.
Phishing is a numbers game, so it follows that it is one of the most affordable cybercriminal services out there. One platform discovered by Fortinet offered VIP subscriptions to a marketplace for phished credentials for as little as $3.50 per month, with average credentials on the platform costing anywhere between $0.15 and $15.39 each (https://blog.fortinet.com/2016/08/31/fake-game-the-emergence-of-a-phishing-as-a-service-platform).
Whether known as JSocket, jRAT, AlienSpy, or Adwind, one of the most popular Java-based backdoor services gives criminals cheap access to the advanced capabilities of a remote access trojan (RAT) with very little need for upfront capital. Most recently researchers found the service available for $45 per month.