Tracking the work of malware writers has given security researchers a window into the complicated and largely hidden world of buying and selling Windows exploits.
The researchers from security company Check Point focused on two of the most prolific creators of Windows exploits, who between them were responsible for at least 16 different Windows Kernel Local Privilege Escalation exploits, many of which were zero-days at the time of development.
These exploits – weaponised security flaws – are an important part of how malware achieves its aims.
While the report shows how it's possible to track the fingerprints of malware writers – one known as Volodya and another known as PlayBit in this case – through their habits and practices in developing exploits, it also gives an insight into the complicated economics of the hidden world of malware.
Each piece of malware is often thought of as a single piece of code created by a single person or team. Yet in reality, creating the malware – especially the sophisticated stuff used by nation states or criminals – involves many different groups.
In this example, discovering a particular software flaw and turning that into an exploit, which can then be bolted onto an existing piece of malware to enhance its capabilities, requires coordination between groups. Exploit writers and malware developers – either state-backed or criminals – will agree on an API to allow the different components to connect.
"This integration API isn't unique to state actors, but is a common feature in the 'free market' of exploits. Whether it involves underground forums, exploit brokers, or offensive cyber companies, they all provide their customers with instructions on how to integrate the exploit in their malware," the Check Point report said.
These developers – who may themselves either be individuals or teams working together – will sell the exploits they develop both to ransomware gangs and to state-backed groups, who will then incorporate them into their own malware projects. While it's hard to know how much they sell for, they've certainly put some high price tags on exploits in the past.
As the Check Point researchers note, the client list for one of the exploit developers includes banker trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started in cybercrime before moving into cyber-espionage).
Zero-day exploits are more likely to be sold to APT groups, in this case Russian ones.
"The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house. This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware," the report said.
SEE: Security Awareness and Training policy (TechRepublic Premium)
While state-sponsored groups are willing to pay a premium for zero-day exploits, criminal gangs are also willing customers for less state-of-the-art attacks, and are more likely to buy so-called '1-days' (vulnerabilities that have been reported). These are in some cases the same zero-days being resold later down the line.
"Without further intel, we can only assume that once a 0-day is detected by the security industry, the exploit is then recycled and sold at a lower price as a non-exclusive 1-day," the report said.
The two exploit writers (or groups) tracked by the researchers are likely to account for a significant share of the market for Windows Kernel Local Privilege Escalation exploits, though of course there may be many more zero-day exploits in use, as the whole point of a zero-day is that nobody knows about it, as the researchers note.
"It is impossible to tell the overall number of Windows kernel zero-day vulnerabilities that are being actively exploited in the wild," the report said.
"Nation-state actors are less likely to get caught and thus the infosec community does not have clear visibility to their ammo crate."