The term “Malware as a Service” has been appearing a lot recently and has frequently been making headlines in cyber security news feeds, but why is this? And does it introduce new threats to the threat landscape that did not exist with the standard malware delivery model?
What is Malware as a Service?
Malware as a Service (MaaS) is where an anonymous illicit party provides or hosts malicious software and sometimes hardware products to other threat actors, which can then be used to perform illegal activities against other organisations in attempts to steal information and disrupt services.
Malware as a Service differs from standard malware in the same way that genuine Software as a Service (SaaS) products differ from locally installed software. They offer more flexibility by providing software products “on demand”, removing the need for these products to be hosted or developed locally. An example of this is Salesforce, where company records and employee data can be hosted in and accessed from the Salesforce “cloud”.
How Has This Changed the Threat Landscape?
When MaaS is used, the party that provided the malware doesn’t necessarily carry out the attack – they only provide it as a service. This makes it harder to trace the malware back to its source; for example, it took a team of experts a rigorous “16-month-long investigation” to uncover the identity of the “Golden Chickens” malware service provider.
By comparison, back in 2020 the hacking group Nobelium launched the infamous SolarWinds cyber attack, a supply chain attack in which malware was planted on SolarWinds servers. Even though this attack had considerable consequences, the work of cyber response teams made it possible to trace the attack back to Nobelium and identify the originator of the threat at its source.
The act of providing Malware as a Service essentially decouples the malware creator from the threat actor, making it more difficult for response teams and security analysts to track these threats to their source. Simply targeting the threat actor in this case may not be enough to prevent attacks of similar impact from happening again, and more frequently – if one attack is deemed successful, it may be easier for multiple threat actors to launch similar attacks.
What Does a Typical MaaS Offer?
Most MaaS frameworks offer a multitude of malicious tools that would usually take accomplished developers a considerable amount of time to build. Consider botnet infrastructure, whereby multiple infected computers in various locations can be used to target a specific server or infrastructure. Because these computers (bots) originate from various locations they are difficult to block, so they are often used to cause Distributed Denial of Service (DDoS) conditions. Having botnets available from a MaaS can significantly speed up this process, as the threat actor is not required to develop them themselves. Since it would be considerably more difficult to track where these botnets originate, it may be harder to prevent further similar attacks.
As an extension to MaaS, there have also been reports of Phishing as a Service (PhaaS) and Ransomware as a Service (RaaS) becoming increasingly popular. Phishing is the method of targeting an organisation with links intended to direct a victim to a web server that downloads malware to their device, or to trick them into revealing sensitive information, and is often used by threat actors to gain a foothold in the victim’s network. The configuration needed to set up a phishing campaign, including obtaining legitimate-looking hostnames and bypassing email spam filters, can be complex, but when this is provided as a service it can make launching these campaigns fairly straightforward for a threat actor.
Ransomware is malicious software that, once installed, can encrypt files and demand that a ransom be paid (usually in cryptocurrency). Again, considerable effort is required to develop software that can be delivered to a victim and bypass local anti-virus measures; providing this as a service saves a threat actor a lot of time.
In most cases MaaS is obtained through anonymous sources; for example, the Dark Web has various tools available to purchase with just a click, provided at a one-off cost or on a subscription-based model. Providers such as DarkSide, LockBit and REvil are well known for providing the services described above. In most cases, however, it won’t be as simple as point and click: delivering a mass phishing campaign or a DDoS using off-the-shelf botnets will still take some ingenuity to set up, especially when used against larger corporations. But MaaS does appear to help automate the tedious parts of these attacks, which could make them more prevalent.
What Can We Do?
Ultimately it is becoming more apparent that cyber-attacks are still prevalent and the web is still a dangerous place. With services such as MaaS, these attacks may be on the rise, or at the very least aren’t going anywhere, and it’s now more important than ever to ensure your organisation is suitably protected.
There are various methods to ensure this is done correctly. User education is a must: ensure that your users are aware that they should not click links or open attachments sent from untrustworthy sources, and should not connect devices to the network without prior consent.
Assessing your internal network infrastructure for vulnerabilities may also be worth considering, but moreover, an assumed breach assessment may give you an indication of what an attacker could do should they infiltrate your network. Read our blog on why you should consider assumed breach testing.
Defence is a good offence too: having 24-hour threat detection from services such as a managed SOC is a must for large corporations.
If you’re looking to complete an Assumed Penetration Test, or would like to assess where your organisation may be vulnerable to MaaS, see our range of penetration testing services.