The Malware as a Service ecosystem (2405.04109v1)

Published 7 May 2024 in cs.CR

Abstract: The goal of this chapter is to illuminate the operational frameworks, key actors, and significant cybersecurity implications of the Malware as a Service (MaaS) ecosystem. Highlighting the transformation of malware proliferation into a service-oriented model, the chapter discusses how MaaS democratises access to sophisticated cyberattack capabilities, enabling even those with minimal technical knowledge to execute catastrophic cyberattacks. The discussion extends to the roles within the MaaS ecosystem, including malware developers, affiliates, initial access brokers, and the essential infrastructure providers that support these nefarious activities. The study emphasises the profound challenges MaaS poses to traditional cybersecurity defences, rendered ineffective against the constantly evolving and highly adaptable threats generated by MaaS platforms. With the increase in malware sophistication, there is a parallel call for a paradigm shift in defensive strategies, advocating for dynamic analysis, behavioural detection, and the integration of AI and machine learning techniques. By exploring the intricacies of the MaaS ecosystem, including the economic motivations driving its growth and the blurred lines between legitimate service models and cyber crime, the chapter presents a comprehensive overview intended to foster a deeper understanding among researchers and cybersecurity professionals. The ultimate goal is to aid in developing more effective strategies for combating the spread of commoditised malware threats and safeguarding against the increasing accessibility and scalability of cyberattacks facilitated by the MaaS model.
