Malware-as-a-Service boasts users and victims



As time goes on, the security landscape becomes more and more bizarre and frightening. How long has the “when, not if” mindset toward cyberattacks been with us? A few years? Or consider the increasingly blurred line between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs.

MaaS operators offer web-based services, a polished UX, tiered subscriptions, newsletters, and a Telegram channel that keeps users up to date on new features. The MaaS brand is almost indistinguishable from its SaaS counterpart.

A recent Cyble Research report (on a new malware strain named DuckLogs) shows exactly how much cybercrime has come to look like a mainstream digital business. And some other MaaS groups have taken their offerings to the next level.

Malware as a Service Goes Mainstream

According to Cyble, DuckLogs bundles multiple malicious capabilities: an information stealer, a keylogger, a clipper, and remote access. The DuckLogs information stealer collects sensitive user information such as passwords, cookies, login data, browsing history, and cryptocurrency wallet details. DuckLogs then exfiltrates the stolen data from the victim’s computer to its own command and control server.

Take a look at one of the DuckLogs dashboard pages. It boasts total users, victims, daily victims, and builds. A handy announcement board is also included.

Source: Thybulle

DuckLogs also has some pretty decent copywriters. See how it showcases its features.

Source: Thybulle

You can also choose from various DuckLogs subscription plans.

Source: Thybulle

From the web panel’s settings, the actor can also create a malware binary by customizing the options provided on the page. See how smooth the customization is.

Source: Thybulle

It doesn’t take long to realize that the DuckLogs cyber gang uses the same user experience and customer satisfaction principles as many software vendors. But the problem is they are criminals selling harmful tools to other criminals. And legitimate businesses, government agencies, organizations, and individuals around the world are paying the price.

However, easy-to-use services and interfaces aren’t the only things that make attackers look like mainstream companies.

Cyber threat group bug bounty

In late June 2022, ISMG reported that the Ransomware-as-a-Service (RaaS) group LockBit is offering its own bug bounty program. A bug bounty is a program offered by legitimate websites, organizations, and software developers that allows individuals to receive recognition and rewards for reporting bugs, with a focus on security exploits and vulnerabilities.

According to ISMG’s report, LockBit announced that it would pay anyone who finds an exploitable vulnerability or bug in the software it uses to maliciously encrypt files, since such a flaw could allow victims to rescue their data.

“We invite every security researcher, ethical and unethical hacker on the planet to join our bug bounty program, with rewards ranging from $1,000 to $1 million,” the group said in a post on its website, as reported by vx-underground.

While white hat hackers work on legitimate Bug Bounty projects, the LockBit program proudly yells, “Let’s make ransomware great again!”

According to ISMG, Mike Parkin, senior technical marketing engineer at risk management firm Vulcan Cyber, noted that bug bounties have been successful at big companies such as Microsoft and Google. If bug bounties are good enough for Silicon Valley, then “if criminal gangs have both the maturity and resources to do it, why can’t it work?” Parkin said.

400,000 compromised systems, and counting

There are further signs of increasing professionalization and specialization in the cybercrime field. Recently, Sophos X-Ops noted a significant increase in median ‘dwell time’, the amount of time an attacker spends inside a system before being discovered or removed. Part of the increase is due to the rise of Initial Access Brokers (IABs). These services gain a foothold on the victim system, find out what is available on that system, and steal relevant cookies and other identifiers. The IAB obtains and maintains access that can later be sold to other criminals.

One IAB, called Genesis, is particularly noteworthy, according to Sophos. Genesis is an invite-only marketplace that sells stolen credentials, cookies, and digital fingerprints taken from compromised systems. The IAB provides both the data and advanced tools to facilitate its use.

Genesis has been active since 2017 and lists over 400,000 “bots” (compromised systems) in over 200 countries. Genesis conducts most of its attacks in Italy, France, and Spain. Genesis does not stand out among MaaS groups for the sheer volume of data it steals. Instead, the IAB is known for its high-quality data and its commitment to keeping stolen information up to date. Genesis claims that its customers have a backdoor to constantly updated victim information for as long as it retains access to the compromised systems.

This means that even if the victim discovers their credentials have been stolen and changes their password to block the intruder, the attacker can still use the supplemental data (cookies and fingerprints) to actively extort the affected user. Worse, as long as Genesis maintains a foothold on the compromised machine, the new credentials can simply be stolen again.
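The point above, that session material outlives a password change unless the server does something about it, is worth seeing concretely. The following Python is an added illustration, not code from the article, from Sophos, or from anything Genesis ships; the user names, passwords, the `SessionStore` class and the `stolen_cookie_outcome` scenario are all constructed. It contrasts a naive server-side session store with one that bumps a per-user generation counter on every credential change, so that cookies issued before the change stop authenticating while the victim’s own fresh login still works.

```python
"""Why a password change alone does not evict a cookie thief.
Added illustration, not code from the article or from any vendor named in it;
user names, passwords and the attacker flow are constructed."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    generation: int = 0  # incremented on every credential change


@dataclass
class Session:
    user: str
    generation: int  # the user's generation at the time this session was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; argon2id or bcrypt are the
    # usual production choices.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side session store. With revoke_on_password_change=False it
    behaves like a naive store in which a stolen cookie stays valid for as
    long as the session record exists."""

    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke = revoke_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(salt, _hash_password(password, salt))

    def _verify(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        return secrets.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        """Return an opaque cookie token, or None on bad credentials."""
        if not self._verify(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, self.users[name].generation)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Map a presented cookie to a user name, or None if it is not valid."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.user]
        if self.revoke and session.generation != user.generation:
            del self.sessions[token]  # issued before the last credential change
            return None
        return session.user

    def change_password(self, name: str, old: str, new: str) -> bool:
        if not self._verify(name, old):
            return False
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new, user.salt)
        if self.revoke:
            user.generation += 1  # every previously issued session is now stale
        return True


def stolen_cookie_outcome(revoke: bool) -> Tuple[bool, bool, bool]:
    """Constructed scenario: an infostealer has copied the victim's session cookie.
    Returns (cookie works before the password change, cookie works after the
    change, victim's fresh login works after the change)."""
    store = SessionStore(revoke_on_password_change=revoke)
    store.register("victim", "hunter2")
    cookie = store.login("victim", "hunter2")
    assert cookie is not None
    stolen = cookie  # the copied cookie is byte-identical to the real one
    before = store.authenticate(stolen) == "victim"
    assert store.change_password("victim", "hunter2", "correct horse battery staple")
    after = store.authenticate(stolen) == "victim"
    fresh = store.login("victim", "correct horse battery staple")
    victim_ok = fresh is not None and store.authenticate(fresh) == "victim"
    return before, after, victim_ok


if __name__ == "__main__":
    print("naive store:", stolen_cookie_outcome(False))    # (True, True, True)
    print("revoking store:", stolen_cookie_outcome(True))  # (True, False, True)
```

Revoking sessions on credential change only addresses replay of cookies that were already stolen; it does nothing about the second problem the paragraph raises, a machine on which the stealer still has a foothold and can simply harvest the new cookie. That part is only solved by finding and removing the foothold, which is where dwell-time reduction and the detection tooling discussed later come in.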

Given that Genesis is invite-only, a cottage industry of fake Genesis sites is developing. Fake Genesis phishing sites are currently tricking other scammers.

Security professionals must meet the challenge

How can security professionals withstand highly sophisticated attacks from groups such as DuckLogs, LockBit, and Genesis? The reality is that cybersecurity threats are becoming increasingly dangerous and persistent, and this demands a great deal of effort from security analysts who must sift through countless incidents.

As threats grow, many companies are moving to solutions like security information and event management (SIEM). A SIEM helps you remediate threats faster, prioritizes high-fidelity alerts, and detects elusive threats.

A SIEM powered by artificial intelligence is even more effective at monitoring threat intelligence and network and user behavior anomalies, so that immediate response and remediation can be prioritized where they are needed. As intruders trigger detection analytics, move around the network, or change their behavior, a SIEM can track their movements.

Additionally, a SIEM can correlate, track, and identify related activities across the kill chain with a single high-fidelity case while automating prioritization.

As cyber threats become more sophisticated, security measures must be strengthened to meet the challenges.
