How cybercriminals are still snaring victims using seven-year-old malware

Researchers analysed millions of posts made on dark web forums over a 12-month period -- here's what they found out and what it means for your security.
Written by Danny Palmer, Senior Writer

Some of the most popular strains of malware on underground forums are open-source or cracked versions of malicious software that use exploits that are years old, but still effective.

Cybersecurity researchers at Recorded Future analyzed almost four million posts made on dark web forums in several languages between May 2018 and May 2019, and set out their findings in a new report: Bestsellers in the Underground Economy.

The languages analysed include English, Russian, Chinese, Spanish, Arabic and others. Across the different forums, many of the forms of malware discussed were universally popular.

The top choices were simple-to-use, readily-available forms of malware, suggesting that for many cybercriminals, getting their hands on malware is the main goal -- it doesn't necessarily have to be sophisticated.

Some of the most popular forms of malware across all the analysed languages include:

  • njRat – a Windows remote-access trojan that first emerged in 2012. Its source code is available online and, despite its age, it remains a popular form of malware, especially for those targeting older systems.
  • SpyNote – a freely-available Android-based RAT containing keylogging and GPS functionality, which first emerged in 2016.
  • GandCrab – a prolific form of ransomware which offered an affiliate scheme that allowed users to easily distribute file-locking malware. The GandCrab authors announced their retirement in June 2019, claiming affiliates had made billions of dollars. It's the only ransomware strain that was highly popular with dark web forum users.
  • DroidJack – an Android trojan from 2014 which sold lifetime licenses for just over $200. However, cracked versions of it are far cheaper on underground forums.

The way that these particular forms of malware are cheap -- or free -- shows cybercriminals want to pay as little as possible and, because they're criminals, they're not beyond using ripped or stolen versions of the software.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

"Forum members are eager to discuss and use tools readily available to them, rather than pay for or invent new tools," Winnona de Sombre, threat intelligence researcher at Recorded Future, told ZDNet.

"While open-source tools are free, many non open-sourced entities, like SpyNote, have been previously cracked, meaning that multiple forum members now distribute unauthorized copies of the malware, usually at cheaper prices than the original seller, and even altered to benefit their own customers," she added.

However, not only is cracked malware bad for the original malicious developers, it's bad for victims, as more versions of the malware are in the wild.

While some of the most popular forms of malware are many years old and take advantage of vulnerabilities that have long had patches issued, they remain both effective and popular because there are still plenty of systems that haven't been patched in years – leaving them open to old malware using simple attack techniques like phishing, bruteforcing passwords, or scanning for RDP reports.

"The continued advertisements of these malware families suggest that individuals are still successfully infecting victim hosts with the malware mentioned. This further suggests that there are still vast numbers of poorly protected machines on the open Internet vulnerable to attackers with rudimentary tools," said de Sombre.

To help protect against attacks, Recorded Future recommends that defenders should monitor underground forums to be aware of high-frequency, low-medium grade cyberattacks.


Editorial standards