
Sergey Shykevich - What malware to use? – Cybercriminal’s perspective

BSides TLV · 2021 · 30:51 · 292 views · Published 2021-08
Category: Research
Style: Talk
About this talk
When a cybercriminal decides to commence malware operations, he faces a huge offering of how to build it and what malware to choose. It depends on his network of connections in the underground, his technical knowledge, and maybe most important, the initial budget he has to launch the operation. On the one hand there is highly sophisticated full-take malware like Ursnif, Trickbot and Dridex; on the other hand there are stealers like Azorult, Predator the Thief, Oski, etc. During this talk we will present the offering of malware on the underground, the pricing and the trends in it. Also, we will explore the market of "private", non-public malware families that, even if you have the appropriate budget, you can't purchase without proper "vetting". https://2021.bsidestlv.com/agenda/what_malware_to_use____cybercriminal_s_perspective/

Transcript [en]

...tell you about the next talk. It's going to be awesome. We're going to go back to the criminal's perspective to see how cybercriminals do things. Just imagine you're a cybercriminal: how do you decide which malware to go with? This is what the next speaker is going to tell us all about. Sergey, you can come and join me here. So please welcome Sergey Shykevich. [Applause] Sergey is a threat intelligence leader for Q6 Cyber, and what he does all day, every day, is to monitor, analyze and research criminal communities. So Sergey is going to show us how criminals decide which malware to use. Take it away, Sergey.

Hey, hello, good afternoon everyone. Thanks for having me here a second time. Yeah, I'm excited to be here on the BSides stage for a second time. So first of all, in short about me: I'm director of intelligence at Q6 Cyber. As Keren mentioned, what we do all day is to understand how cybercriminals are working, what they are thinking, and to understand their point of view. We are dealing a lot with botnet data and the different botnets, banking malware, payment card data, money mules, and the strategies themselves, to understand what they are doing, how they are thinking and who they are. So what we will talk about today: we will talk about malware, but we all know that it's a basic and key part of any cybercrime operation and chain. But we will talk about it not from the perspective of a researcher; we will talk about it from the perspective of the underground, how cybercriminals view it. In the beginning I will list how they view the malware world, how they divide it, what types of malware are available in the underground, and then I will move to their considerations, how they choose what to use. This perspective in many cases is quite different from what you see as the ones who research it.

So what do we need to run a botnet operation? Malware is definitely one of the components of it, but it's not enough. As you see, there are three additional important components to run a successful botnet operation. It's the malware; it's the crypt (crypt is the underground term for obfuscation of the malware file, making it fully undetectable by antiviruses; it's a very basic and important term in the underground, because otherwise after one or two campaigns, in two or three days, each malware will be detected by all the antivirus engines); the third part is the infrastructure, the C2 servers, all this part; and the last part, and maybe the most complicated, is the traffic, basically how the cybercriminals get their victims, how they do the infection part. So those are the four parts that, when a cybercriminal starts his malware operation, botnet operation, he has to consider; he has to understand how he builds all these into one big operation. So I divided this world of malware in the underground into two or even three parts. First of all, it's the division between desktop malware and mobile. In the desktop part, the most common division is between full-take malware and stealers. While talking about mobile malware, it's important to mention that in the cybercrime underground it's solely Android malware; iOS malware almost doesn't exist in the cybercrime underground, it's extremely rare, I would say almost non-existent, very

rare. So what's the difference, what are the key features of those malwares, and why do cybercriminals divide it and build all those? Here I listed only several of the key features. So full-take malware is basically malware that has, I would say, in many cases some will call it APT malware, that has all the capabilities like common APT malware operated by nation-state actors. It has a credentials grabber, it has a keylogger, a cookie grabber, it is able to capture screenshots from the victim's machine, it has a VNC module, a virtual network computing module, that allows cybercriminals to remotely connect to the victim's machine and do all their, for example, fraud activity, account takeover activity, from the victim's machine, and web injections, that I will talk about in a bit. Stealers are much more common and much more basic. They have very basic capabilities like credentials grabbing; it allows cybercriminals to steal browser history, crypto wallets (that's something very common, to steal the files of so-called crypto wallets from the desktop or folders of the infected machines) and a cookie grabber. Android malware has quite different capabilities; it's also very lucrative to cybercriminals, but with Android it's not so simple, and I will show you in several minutes why. But the main features of Android malware are SMS sending and interception, that's something cybercriminals like a lot, it's a keylogger, it's the ability to lock the device, and overlays.

So now I want to talk a bit about what web injections or overlays are. Technologically they are a bit different, but their goal is the same: the goal is to trick the user into entering certain sensitive information and giving it to cybercriminals. What is required to use a web injection on full-take malware, or an overlay on mobile malware, is that the malware is already running on the victim's machine, that there is already an infection. It's not like phishing or something like this. Those modules make full-take malware and mobile malware so lucrative for cybercriminals. How does it work? So here I want to provide you some example about how web injections work. Overlays, from the conceptual perspective, are relatively similar, but technologically they work differently. So when the victim's machine is already infected, when the victim visits a specific website that matches a pattern, for example has the part, the keyword "amazon", then what happens is a man-in-the-browser attack, and this web injection module injects HTML or JavaScript code into the content before it's rendered in the web browser. What the user sees is basically a different page; it's a fake page of Amazon and not the original one. Mostly it allows the cybercriminals to add additional fields and questions. For example, if the real Amazon page asks just for username and password, using web injects the cybercriminals will ask for username, password and also for payment card number, CVV, expiration, and maybe also some secret questions to the bank account. That's kind of the trick, and that's why cybercriminals like so much to use it.

Well, there are three main types of web injections. The basic ones that I described, those are information stealers, basically really to steal the information like I described to you. The second one is token interception, because think about it, it allows cybercriminals also to trick the users to enter also the secret code or one-time code, part of it, because most of the web injections are complicated and multi-staging. And in very sophisticated cases it's also what is called ATS, automated transfer system: when a cybercriminal, for example, let's take now an example of a bank account, when [the victim] visits, tries to log into his real bank account, so he sees a fake page of the bank, provides his credentials, secret question and answer, and then this web inject automatically logs into the account and conducts a transfer from his account in the same moment. All this is built in, and that's why cybercriminals like it so much. So that's how web injections work. Overlays are pretty similar, just on mobile. So what's the offer of those? As you can see here, there are several

types of full-take malware. Those are the most rare and complicated, and I will show you why it's not very easy to really be a user of those. But the most common, that I'm sure you heard about, are Trickbot, Dridex, Gozi ISFB, ZLoader and others. Well, on the stealer part the offer is, I would say, huge. You see there are RedLine, Raccoon, Taurus, Vidar, Predator the Thief, Oski and other versions, and each one of those also has many forks. For example Azorult, that is already, let's say, a dead stealer, but it has a lot of different forks that are quite similar to Azorult. So the offer here is very wide of stealers. And why? Because basically the effort to build and develop a good stealer is 100 times less than to develop good full-take malware. That's basically the reason. And on the mobile malware side the offer is very limited, even less than full-take malware: it's Cerberus, Anubis and Alien. While Cerberus source code was leaked a year and a half ago, so I would say most people do not use Cerberus anymore; so it's even just Anubis and Alien. The offer is very limited. Here you can see that many of the cybercriminals are also having those discussions, what to choose, especially about the stealers, by the way, because the entry point to use a stealer is very low. You can see here, from their real forums: "Which stealer to choose in 2021? Hello to all good people. I'm looking now, and there are a lot of stealers, but I don't know which one is the best for hackers, which one is the most relevant and causes the highest damage." A real post from a big Russian underground forum. And another one: "Which stealer is better? My goal is to use my landing page. Also please write why one or another is better, what are the pros and cons." There are a lot of discussions around it in the underground, what to use, because there are a lot of considerations and it's not easy, especially for entry-level cybercriminals, to choose what to use.

Now let's talk about how they actually choose which one of those that I described to you to use: whether to use full-take malware, a stealer or mobile malware, and what to use inside each category. There are four main considerations. The first is the monetization goal: why they want to use it, what's their goal, how they get the money at the end of the day. The second is availability: what is available and what can they get. The pricing: I will show you that the price ranges are very wide between different categories and malwares. And the business model and maintenance of the malware: each malware vendor and

developer has a different business model, how he sells it, how he maintains it and what he provides to his clients. So the first consideration is the monetization goals. Each cybercriminal, when he starts his malware operations, has a specific goal: what will he do when he infects the endpoint users. So the, I would say, least sophisticated and basic goals are mostly to steal gaming accounts, of Fortnite or any other stuff. It's very common, very popular; by the way, those accounts do not cost a lot in the underground, but it's easy and it provides money. To steal payment cards and crypto wallets becomes a bit more difficult, mostly from a monetization perspective. When I'm saying monetization, it's what they do with the account after they steal it, because it's not enough: when you steal a payment card you should be able to understand also how to use it, how to beat the different anti-fraud controls of the bank and the payment card companies. So that's what I mean by monetization. The more complicated monetization goals, and mostly they are applied to more sophisticated cybercriminals, are bank accounts, because mostly the anti-fraud controls and cybersecurity controls in banking accounts are much more sophisticated than, for example, in the gaming industry, and even if you get the password for some account, it doesn't mean you will be able to log into the account and steal the money; you need much more. E-commerce merchants: there is a huge market for credentials to admin panels of e-commerce merchants, for passwords to Magento, OpenCart panels. Why? Because cybercriminals can install different sniffers and this way steal payment cards at scale. And maybe the most complicated monetization goal: those are the cybercriminals who infect with malware to get access to corporate networks. Because maybe it sounds great, you now have access to a big corporation, a big bank, but now to monetize it is not so easy, because mostly the controls are pretty sophisticated. Many cybercriminals, for example, deploy ransomware, but also to deploy ransomware you need a lot of knowledge: how do you propagate in the network, how do you identify the backups, et cetera, et cetera. So that's, I would say, the most sophisticated goal of cybercriminals, and I would say the vast majority of cybercriminals are not able to monetize corporate networks. Even if they get access to some nice server in a big company or something, mostly they will sell it, just because the monetization is very difficult. So that's a basic consideration when someone chooses what malware to use: what they will do with the victims.

The second consideration is availability. There is a very common term in the underground of public versus private. So what does it mean? Public doesn't

mean that you can find this malware on Google. What it means is that you can find the malware developer and just rent or buy the malware on the underground forums. It's easy: you just pay the money and you get the malware. While the term private means that the developers and those who are behind the malware families are mostly not in underground forums, and you can't just find them and say "I'm paying now this amount of money and I'm getting this." That's the difference between those terms. So the second part of availability, mostly for the private malware, is to understand who is the developer, because, for example, if the malware is Trickbot, many people, many law enforcement agencies and companies wish to know who exactly is the developer of Trickbot or Dridex and how to approach him. Here we come to the vetted approach. Even if you now get the Jabber (Jabber is the common means of communication in the Russian underground), even if you know the Jabber of the developer of Trickbot, if you now just start a conversation with him and ask to be an affiliate of Trickbot, he will just ignore you. He definitely will ignore you. He will ask you: who are you, who recommended you, how did you find my Jabber, and how do I know you are not working with law enforcement or cybersecurity companies? So you need also some very solid reputation, especially for full-take malware families like Trickbot and Dridex. You just can't come out of nowhere to the developer and get this malware. That's one of the reasons, by the way, why the fight with those malware families is so complicated: because the developers and the people behind it mostly are not in the forums, and you can't find information about what they are doing, how they are working, by just passively collecting in forums.

You can see here several examples now of people looking for different malware families. In the beginning those are more the full-take malware, the more vetted and sophisticated malware. For example, someone that is looking for the Emotet owner. Emotet is one of the common loaders of Trickbot, that was taken down about eight, ten months ago, but it continues operating; the takedown was successful for several months, but, the same by the way with Trickbot, it was successful for several months but it continues operating, and maybe even on a higher scale than it was previously. So some cybercriminal in April this year is looking for the owner of Emotet and asks to send him a private message. By the way, at least in this thread no one answered him, because most likely even if the owner of Emotet and the developer will see it, he will not answer. The same about Gozi ISFB: another cybercriminal is looking for the developer of Gozi ISFB, and even a specific version of Gozi ISFB, the redeveloped version, but no one answered him. The same: he wants to rent, but again he needs someone who will recommend him to the developer of Gozi ISFB, provide him with contact details and then provide the vetting for him. On the other side, with the stealers it's much easier. It's relatively easy to find in different underground communities just threads of developers of stealers that are just advertising it and offering it to the cybercriminals. You can see here a thread of Taurus stealer, a thread of Raccoon, a very common stealer last year, that has been running since the beginning of 2019 and has dozens of pages of people who are buying it. The same about the thread of RedLine. It's just a small effort for the cybercriminal to find the stealers, because those people who developed them just want to offer it to a wide audience, let's call it this way. They do not vet, and anyone who pays for it will receive it and get it. And you can see here the pricing: for example RedLine, 150 for a month, relatively not expensive.

I would like to talk a bit now on this point about mobile malware, because there is huge demand for it, a lot of people talking about it. You can see here at least several,

four different threads from last month about people talking about it, asking: "What's there? Cerberus is dead. What are the alternative Android botnets? Is it possible to find anything there?" Or another guy tells: "All went private due to the fact that it's impossible to create any more background services in most of the Samsung devices." So no one now really offers mobile malware in the underground; as I mentioned previously, only Alien, and mostly it's now not even Alien, I would say this way. But is it worth it? Are there a lot of really successful cybercriminals who operate mobile malware? From my experience, no. It's much more difficult to run a successful campaign and operation of mobile malware than desktop ones, mostly due to the infection vector. It's much more difficult to do infections at high scale and at wide scale, because, based on most of the mobile controls now, at the end of the day you have to trick the end user, the victim, to download some application, and it's not very easy in most cases that we see. And even if the endpoint user, the victim, downloads it and is infected, the average lifetime of such a victim is mostly less than 72 hours, because mostly those malicious applications don't have real functionality, they are just malicious, and after several hours or a day or two the victim understands; even if he doesn't understand he downloaded malware, he sees that the application he downloaded doesn't work as expected, so he just deletes it, and there is no live malware. Most of the mobile malware families we observed have dozens up to small hundreds of victims, while just for comparison, Trickbot in the last four years had about five million victims, Emotet has every year millions of victims, stealers have thousands, in some cases tens of thousands of victims. It's very rare that a mobile malware, or someone who runs it, gets even to several thousand victims. It's rare; I won't say it never happens, but it's rare. The operation is very difficult, and many cybercriminals kind of see this as lucrative, try it and then understand that they are not able to do anything successful, because at the end of the day they need live bots, victims that are infected for a long time, mostly, and it doesn't happen.

The third consideration is the price, and that's an important consideration, but I listed it as number three, not the first and not the second. Most of the malware has two types of pricing: a one-time payment just to be part of it, to really be the user or affiliate of a specific malware, and then you pay on a monthly basis for updates, for such stuff. So the pricing is really on this huge range. When we start with stealers, Taurus, RedLine, Raccoon, it's mostly several hundred dollars at most per month. When we go to mobile malware it becomes more expensive; it can be two, three thousand dollars, around this, depending on which malware, who is the vendor. When we go to full-take malware, for example one month of use of Ursnif, Gozi ISFB, it's about 3,500. And on the other side, really, really expensive, but maybe the most sophisticated and successful malware on the market now, is Trickbot: one month of use costs 153,000. Out of this, the one-time payment just to start using it is 150,000 dollars, just to be an affiliate, someone who is allowed to use Trickbot, and then every month you pay between three to five thousand dollars to be a user of Trickbot. It's very expensive, and most of the, let's call them entry-level cybercriminals, even if they pass all the previous steps, like the vetted approach, to understand who is the developer, they want to infect big networks, they just don't have such money. It's very expensive, and the users of Trickbot, all the cybercriminals who use it, they do know what they do and they know how they will monetize it; otherwise they will not pay such a high sum just to be a user of this malware, because mostly the revenue of the users of Trickbot is in millions per month, or in some cases even more. It starts from fraud, account takeover and ACH transfers in big banks in Europe, in the US; in some cases one transfer they do, we observed several cases of half a million dollars in one successful transfer, for example. They do all the big ransomware attacks, like REvil, like Egregor or another, that in many cases run some demand that starts from several million dollars up to 20, 25 billion dollars. So they know what they do, so they are able also to pay this rent fee.

And the last consideration is the business model and maintenance. Different malware families and developers have different business models, what they sell. The most basic one, and the least sophisticated, that most of the really serious cybercriminals will not use, this model, and will not rent malware under those conditions:

it's a one-time malware build. You just receive one executable, you can run one campaign, and most likely after this campaign it won't be relevant anymore; it will be detected by many antivirus engines. The second is a malware build with support for a specific timeframe, for example for two, three months. The essential part of this support is to keep the malware fully undetectable by engines. Mostly cybercriminals know what they do: they use the same VirusTotal that we are using, or other similar engines, and run their build of the malware before they do a campaign and check how many antiviruses and security solutions flag and detect their build. That's what they are doing. So that's the key part: that the vendor and the malware developer provides support, and mostly it's what I mentioned previously, crypt, obfuscation of the malware file. The a bit more sophisticated part also includes new features, because there is a lot of demand for different stuff. For example, a year ago most of the stealer and malware families didn't have a dedicated module to steal cold wallets of crypto; now almost each and every stealer has such modules for specific cryptocurrencies, and the same for full-take malware. That's, for example, a feature. So that's another subscription. And the more sophisticated and the interesting one is malware-as-a-service and bots-as-a-service. Malware-as-a-service is basically when a developer provides the malware as part of a malware service model: he provides the malware, the executable, the crypt, the support to keep the executable undetectable, and the infrastructure. He is the one who provides all the infrastructure of C2 servers, he's the one who maintains it, he's the one who changes it when required, he's the one who looks for bulletproof hosting where to host it, and all this. Mostly this model is common for full-take malware, but there are also some stealers, like Vidar for example, that provide it in a partial model also. In this case basically the cybercriminal needs much less knowledge, especially technological knowledge, to use the malware. The only thing he has to do is basically the traffic: to think how he infects, for example spamming campaigns or different other chains of infection. And the last model, the most sophisticated and maybe the coolest one for cybercriminals, but also the most expensive, is bots-as-a-service. This model exists, I would say, almost only with the full-take malware families. Here the endpoint cybercriminal pays not only for the malware, crypt, infrastructure, but he pays also for the traffic, and what he gets at the end of the day, he doesn't need to have any technological knowledge, he just gets a C2 panel with the infected machines. That's what he gets, but he also pays accordingly. For example, in some models of Ursnif the cost of 1,000 bots, victims, is 20,000, for example; some groups provided this, because someone is doing all the work, all the difficult technological work, the infection, and you get the bots. But many sophisticated cybercriminals work this way. So those are the main models and the ways.

Before I summarize, I wanted to give you two short snapshots about how cybercriminals view what is the ideal Android malware and what is the ideal stealer, because there are also a lot of discussions about it, what cybercriminals really want to see in those malware families. So ideal Android malware mostly will include, at least from the cyber-

criminals' perspective (by the way, I will tell it in advance, I think such malware does not exist at all with all those capabilities): they would like to see modularity and minimum required functionality, because in this case it will be much more difficult to detect it; they want hidden VNC that will allow them to remotely connect easily and conduct any activity on a victim's phone; web injects for payment cards; they want root permission capabilities of the malware; they want SMS sending and interception; and an anti-slim function. Such malware, to my best knowledge, currently doesn't exist, and especially publicly it is not offered in the underground. I think maybe the most complicated part is the root permission capabilities. From there, what is the ideal stealer? It's much simpler. The cybercriminals are looking for a stealer that will be fully undetectable all the time, will have high quality logs parsing, an admin panel with a variety of filters, and the ability to grab cold wallets. As you can see, two out of the four features here are connected to data mining. Currently that's maybe one of the biggest obstacles of cybercriminals: they are able to get over most of the other stuff, but their difficulty is how they mine all the big data, because some of the panels have hundreds of thousands of victims, millions of victims, billions of records. How to mine the data, that's the biggest obstacle now for cybercriminals.

And just to summarize: full-take malware is expensive, is mostly vetted and/or private, but it has very sophisticated capabilities and is very lucrative for seasoned cybercriminals. Stealers are cheap, there is a very wide offer of those, but their capabilities are pretty limited. And mobile malware: there is a very limited offer and a low success rate. Thank you. Any questions?

Thank you, Sergey. I have a question for you: what's your favorite malware?

Blue. Blue.

Okay, I like the color. Thank you so much, Sergey, we appreciate it.
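The web inject mechanism described in the talk (match the visited URL against a pattern, then splice extra HTML into the page before the browser renders it) becomes concrete when you replay an inject config against a saved copy of a login page, which is how an analyst reconstructs what a victim actually saw. The following is an added example, not part of the talk and not the code of any malware family: a small parser for the widely published Zeus-style webinject syntax (`set_url` / `data_before` / `data_inject` / `data_after` / `data_end`), a replay function, and a defender-side check that lists form fields the legitimate page should not contain. The talk names no config format, so using the Zeus-style syntax as the representative one is an assumption; the config, page and `bank.example` host are constructed for the example.

```javascript
// Added example (not from the talk, not any malware family's code): replay a
// Zeus-style webinject config against a saved page, then list the fields the
// inject added. Config syntax is assumed to be the published Zeus format.

// Parse a config into [{mask, flags, before, inject, after}, ...].
// ';' starts a comment; each data_* section runs until a data_end line.
function parseInjects(text) {
  const injects = [];
  let cur = null;      // inject currently being filled in
  let section = null;  // "before" | "inject" | "after" while inside a section
  let buf = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (section !== null) {
      if (line === "data_end") {
        cur[section] = buf.join("\n");
        section = null;
        buf = [];
      } else {
        buf.push(raw);
      }
      continue;
    }
    if (line === "" || line.startsWith(";")) continue;
    if (line.startsWith("set_url ")) {
      const [, mask, flags = ""] = line.split(/\s+/);
      cur = { mask, flags, before: "", inject: "", after: "" };
      injects.push(cur);
    } else if (cur && line === "data_before") section = "before";
    else if (cur && line === "data_inject") section = "inject";
    else if (cur && line === "data_after") section = "after";
  }
  return injects;
}

// Mask to regex source: '*' = any run of characters, '#' = one character,
// everything else literal (regex metacharacters escaped).
function maskToPattern(mask) {
  return mask
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[\\s\\S]*?")
    .replace(/#/g, "[\\s\\S]");
}

function urlMatches(mask, url) {
  return new RegExp("^" + maskToPattern(mask) + "$", "i").test(url);
}

// Splice inj.inject in right after the data_before match; when data_after is
// given, the original content between the two anchors is replaced.
function applyInject(html, inj) {
  const m = new RegExp(maskToPattern(inj.before)).exec(html);
  if (!m) return { html, applied: false };
  const start = m.index + m[0].length;
  let end = start;
  if (inj.after) {
    const m2 = new RegExp(maskToPattern(inj.after)).exec(html.slice(start));
    if (!m2) return { html, applied: false };
    end = start + m2.index;
  }
  return { html: html.slice(0, start) + inj.inject + html.slice(end), applied: true };
}

// What the browser would render for `url`: every inject whose mask matches
// the URL is applied to the page before the user sees it.
function replayInjects(url, html, injects) {
  let applied = 0;
  for (const inj of injects) {
    if (!urlMatches(inj.mask, url)) continue;
    const r = applyInject(html, inj);
    if (r.applied) { html = r.html; applied++; }
  }
  return { html, applied };
}

// Defender-side check: <input> names present in a page that the legitimate
// form is not supposed to have (a "cvv" box on a login page, for instance).
function unexpectedFields(html, expectedNames) {
  const expected = new Set(expectedNames);
  const re = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]).filter((n) => !expected.has(n));
}

// Constructed sample config and page; bank.example is a fictional host.
const SAMPLE_CONFIG = `
set_url https://www.bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Card number <input type="text" name="cardnumber"></label>
<label>CVV <input type="text" name="cvv"></label>
data_end
data_after
data_end
`;

const SAMPLE_PAGE = `<form method="post" action="/login">
<input type="text" name="username" id="user">
<input type="password" name="password" id="pw">
<button type="submit">Sign in</button>
</form>`;
```

To see the victim's view, run `replayInjects("https://www.bank.example/login?lang=en", SAMPLE_PAGE, parseInjects(SAMPLE_CONFIG))` and compare `unexpectedFields(result.html, ["username", "password"])` against the same call on `SAMPLE_PAGE`: the clean page yields nothing, the injected one yields the card-number and CVV fields. The same diff, run from a script the bank serves in the real page, is one of the few client-side signals that an inject is present, since the server never sees the modified HTML.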