
New trends in the underground market, the offer of cybercrime

Monitoring the criminal underground is essential to understanding the dynamics of cybercrime and the related offer on the black market.

At fixed intervals I decided to take a look at what is happening in the underground black market, analyzing how its offer and the related sales models evolve. In the last months we have witnessed the consolidation of the sales model known as Cybercrime-as-a-Service, in which sellers provide products and services to conduct every kind of cybercrime, an underground business with shocking figures.

One of the most prolific markets is the rental of preconfigured botnets: vendors directly sell hacking services, or control of malware-infected machines, to their customers.

In a recent post, the cybercrime expert Dancho Danchev reported the launch of a new e-commerce platform for the sale of compromised hosts. What makes the case singular is its innovative approach to calculating the going rate for the hacked PCs.

The vendor has started to sell the execution of malicious code. Basically, they are actually selling malicious binary “executions” on the hosts that the vendor is managing, instead of just selling access to them. The novel monetization scheme has been analyzed in depth by Danchev, who ruled out both a diversification of the international underground market proposition and the introduction of a new approach to monetizing malware-infected hosts.

The Terms of Service proposed by the author do not allow monetization of the compromised PC through ransomware, and forbid cleaning existing malware from the host using competing bot ‘killers’.

The author claims the right to control the malware-infected host at any time for various purposes, such as monetizing the presence of a malicious agent on the PC or establishing new services to provide within the cybercrime ecosystem. In short, the service provider offers the possibility to install other malware that does not undermine the agents already resident on the PC, and prohibits updating it in any way.

The unusual model seems to result in unmaterialized revenue streams that could flow in just one direction. Danchev described the model in this way:

“Furthermore, a potential cybercriminal and a customer of the service, would never pay for, let’s say, three executions of three separate binaries on the same host. He’ll basically purchase one execution, and take advantage of the matryoshka malware concept, ultimately delivering his payload in a cost-effective way, while using this particular service. Now that’s of course unless the vendor starts verifying that as well, for a second time undermining the logic behind the proposition and the TOS. We’ll continue monitoring the development of this service, and post updates as soon as new pricing schemes get introduced.”

Another interesting finding in the underground offer relates to the payment methods implemented by vendors. In 2013, Liberty Reserve and Web Money remain the preferred currency schemes for Russian/Eastern European cybercriminals, while international sellers accept PayPal payments and consequently all major credit card circuits. Recently the possibility of paying with Bitcoin, a pseudo-anonymous virtual currency scheme, has been emerging.

A keylogger, for example, is sold for $35, and the author also accepts PayPal, Liberty Reserve, Moneypak, and Bitcoin. The author seems OPSEC-unaware: the use of Bitcoin appears to be a way to offer more payment channels rather than a practice aimed at improving his OPSEC (Operational Security) or anonymity.

According to Danchev, the adoption of Bitcoin seems to be limited to the international marketplace, while the majority of Russian/Eastern European cybercriminals continue to accept the usual currencies such as Liberty Reserve and Web Money, because cybercriminals in that area have practiced these payment processes to perfection over the years.

I never tire of emphasizing the importance of studying the criminal underground; thanks to the work of specialists such as Danchev, it is possible to fully understand the dynamics of cybercrime.

Pierluigi Paganini

(Security Affairs – Cybercrime)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
