Some of the most popular malware on underground forums is open-source or cracked malicious software that relies on exploits that are years old but still effective.
Cybersecurity researchers at Recorded Future analysed almost four million posts made on dark web forums in several languages between May 2018 and May 2019, correlating their findings in a new report: Bestsellers in the Underground Economy.
The languages analysed include English, Russian, Chinese, Spanish, Arabic and others – but within the different forums, many of the forms of malware discussed were universally popular.
The top choices were simple-to-use, readily available forms of malware, suggesting that for many cyber criminals, getting their hands on malware is the main goal – it doesn’t necessarily have to be sophisticated.
Some of the most popular forms of malware discussed across all the analysed languages include:
- njRat – a Windows remote access trojan that first emerged in 2012. Its source code is available online and, despite its age, it remains a popular form of malware – especially for those targeting older systems.
- SpyNote – an openly available Android-based RAT containing keylogging and GPS functionality, which first emerged in 2016.
- GandCrab – a highly prolific form of ransomware which offered an affiliate scheme allowing users to easily distribute file-locking malware. The GandCrab authors announced their retirement in June 2019, claiming affiliates had made billions of dollars. It’s the only ransomware strain that was highly popular with dark web forum users.
- DroidJack – an Android trojan from 2014 which sold lifetime licenses for just over $200. However, cracked versions of it are far cheaper on underground forums.
That these particular forms of malware are cheap, or free, shows that cyber criminals want to pay as little as possible and, being criminals, have no qualms about using ripped or stolen versions.
“Forum members are eager to discuss and use tools readily available to them rather than pay for or invent new tools,” Winnona de Sombre, threat intelligence researcher at Recorded Future, told ZDNet.
“While open-source tools are free, many non-open-sourced entities, like SpyNote, have been previously cracked, meaning that multiple forum members now distribute unauthorized copies of the malware, usually at cheaper prices than the original seller, and even altered to benefit their own customers,” she added.
However, not only is cracked malware bad for the original malicious developers, it’s bad for victims, as more versions of the malware are in the wild.
Some of the most popular forms of malware are many years old and exploit vulnerabilities for which fixes have long been available. They remain both effective and popular because plenty of systems still haven’t been patched in years, leaving them exposed to old malware delivered through simple techniques such as phishing, brute-forcing passwords, or scanning for open RDP ports.
“The continued advertisements of these malware families suggest that individuals are still successfully infecting victim hosts with the malware mentioned. This further suggests that there are still vast numbers of poorly protected machines on the open Internet vulnerable to attackers with rudimentary tools,” said de Sombre.
To help protect against such attacks, Recorded Future recommends that defenders monitor underground forums so they are aware of high-frequency, low- to medium-grade cyber attacks.