Some of the most popular strains of malware on underground forums are open-source or cracked versions of malicious software that use exploits that are years old, but still effective.
Cybersecurity researchers at Recorded Future analyzed almost four million posts made on dark web forums in several languages between May 2018 and May 2019, and set out their findings in a new report: Bestsellers in the Underground Economy.
The languages analysed include English, Russian, Chinese, Spanish, Arabic and others. Across the different forums, many of the forms of malware discussed were universally popular.
The top choices were simple-to-use, readily-available forms of malware, suggesting that for many cybercriminals, getting their hands on malware is the main goal -- it doesn't necessarily have to be sophisticated.
Some of the most popular forms of malware across all the analysed languages include:
The fact that these particular forms of malware are cheap -- or free -- shows that cybercriminals want to pay as little as possible and, being criminals, have no qualms about using ripped or stolen versions of the software.
"Forum members are eager to discuss and use tools readily available to them, rather than pay for or invent new tools," Winnona de Sombre, threat intelligence researcher at Recorded Future, told ZDNet.
"While open-source tools are free, many non-open-source entities, like SpyNote, have been previously cracked, meaning that multiple forum members now distribute unauthorized copies of the malware, usually at cheaper prices than the original seller, and even altered to benefit their own customers," she added.
However, cracked malware is not only bad for the original malware developers; it's also bad for victims, because more variants of the malware end up in the wild.
While some of the most popular forms of malware are many years old and exploit vulnerabilities that have long had patches issued, they remain both effective and popular because there are still plenty of systems that haven't been patched in years -- leaving them open to old malware that relies on simple attack techniques such as phishing, brute-forcing passwords, or scanning for exposed RDP ports.
"The continued advertisements of these malware families suggest that individuals are still successfully infecting victim hosts with the malware mentioned. This further suggests that there are still vast numbers of poorly protected machines on the open Internet vulnerable to attackers with rudimentary tools," said de Sombre.
To help protect against such attacks, Recorded Future recommends that defenders monitor underground forums so they are aware of the high-frequency, low-to-medium grade cyberattacks being traded and discussed there.