The Possibilities of Malware Outsourcing
Outsourcing malware development to legitimate coders may be a losing tactic for criminals – if only it could be exploited.
Searching through job postings at various coder markets was bound to turn up some interesting items. Sure enough, a search for terms like “C/C++”, “assembler” and “embedded” turned up little gems like this one.
A job to build a ring0 driver may not sound so odd, but when the sole function of the driver is to download and execute something in usermode (ring3), the plot thickens and we may be looking at someone trying to outsource malware creation.
Further digging produced job postings for the creation of a crypter/packer/binder which should “use inject file for bypass avs on run-time”, an executable packer and a downloader. Keep in mind that these are only a few examples, extracted from just a couple of the many websites where coding projects are posted.
By splitting malware projects into separately contracted pieces, job takers can reasonably claim innocence, while full ‘design knowledge’ remains with the originator. Moreover, the variety introduced by differing coding styles, compilers, languages and so on makes analysis of the ‘finished product’ somewhat harder.
A first, easy step towards stopping such schemes would be a small extension to the reputation system already in place on outsourcing websites, whereby people looking for work might flag some posted projects as “possible black-hat work” for review by site administrators.
Given how common such schemes are, maybe the time to add it is now. Tracing the money exchanged in such projects might even yield the identities of malware outsourcers.