You may have heard of ransomware-as-a-service, a potent method of hacker collaboration causing billions of dollars in damage around the globe. This is actually just one example of a broader range of cyber criminal activity known as Malware-as-a-Service (MaaS). Malware is any program installed on a computer system for malicious purposes.
Malware-as-a-Service entails cybercriminals providing access to such malicious software and related infrastructure for a fee. From another perspective, Malware-as-a-Service is a malicious and/or criminal form of Software-as-a-Service (providing a client with remote access to an application most often hosted on the service provider’s cloud resources). This malicious trend is not unlike the strategies seen in big game hunting in the cybercrime arena.
MaaS Operators are cybercriminals who provide the malware “services”, which they term an affiliate program, to a client termed an Affiliate. These operators often use sophisticated attack staging techniques to maximize the impact of their operations.
The Affiliate Program consists of three stages:
- Developing the Malware, often leveraging exploits connected to ransomware for effective system intrusion.
- Discovering vulnerabilities in computer systems.
- Administration of overall operation and collection of fees.
The Affiliate need not have any coding or technical skills. These are the responsibilities of the Operator. The Operator provides the infrastructure and support for a technically unskilled person to access and employ Malware. Thus MaaS “democratizes” cyber crimes and cyber attacks for any demographic to engage in.
A recent example is the Qakbot banking Trojan eradicated in August 2023 by a large-scale law enforcement operation. The FBI-led enforcement action took down Qakbot’s command-and-control servers in August. This, however, did not eliminate its phishing structure. Thus, on 5 October of that year, the Talos research group at Cisco warned that the people behind it were still active and posed a threat to users. Talos said that the Qakbot actors are unlikely to be the masterminds behind the Knight ransomware service itself, and are instead probably customers, i.e., Affiliates.
The MaaS Operators charge the Affiliate for a one-off purchase of malware, or for a subscription for a set period. A third option is to charge a percentage of the profit that the MaaS generates, like the ransom in Ransomware-as-a-Service (RaaS).
Types of Programs
A few of the most common types of MaaS include:
- Ransomware blocks access to and/or steals data. The cyberattacker then demands a ransom to restore access.
- Infostealer malware collects data on the user’s system and sends it to the cyberattacker.
- Loader malware downloads unwanted software (including other malware) onto the victim’s system.
- Backdoor malware gives attackers remote access to the victim’s system.
- MaaS operators can also lease out botnets, which are networks of devices infected with malware. A botnet follows the hacker’s orders: it sends spam emails, stores illegal materials, and runs a side business. Alarmingly, the victim does not even suspect the hacking despite these threats. Experts who can identify some of these bots may not find the actual criminals controlling the whole bot army.
The extent of MaaS attacks is mind-boggling. There are 1.7 million ransomware attacks every day, equating to 19 ransomware attacks per second. This excludes other forms of attacks beyond ransomware. The first half of 2022 saw nearly 236.7 million ransomware attacks worldwide. Ransomware is expected to cost its victims around $265 billion (USD) annually by 2031. The frequency of attacks is also projected to increase to one attack every two seconds by that year.
Even individual attacks can be exceptionally costly. A 2011 infostealer malware attack cost the email marketing juggernaut, Epsilon, close to $5 million.
Other alarming statistics:
- Every day, 560,000 new pieces of malware are detected.
- There are now over 1 billion malware programs in existence.
- Every minute, four companies fall victim to ransomware attacks.
- Nearly every second computer in China is infected with some form of malware.
- Over the past decade, there has been an 87% increase in malware infections.
MaaS operations are not exclusively targeted at traditional computer systems. Attacks are innovative, and newer technology is also targeted. A report circulated in October 2023 of malware backdoors installed on Android TV boxes.
The report by researchers at Human Security detailed the scope of infected media streaming sticks and boxes. They found seven Android TV boxes and one tablet with backdoors installed that can lead to the devices being infected with malware.
“They’re like a Swiss Army knife of doing bad things on the Internet,” said Gavin Reid, chief information security officer at Human Security. “This is a truly distributed way of doing fraud.”
Its team observed at least 74,000 Android-based mobile phones, tablets, and TV boxes that show signs of Badbox infection. Badbox infections relate exclusively to compromised Android devices and how they are linked to fraud and cybercrime.
Regarding the team’s research into advertising fraud in at least 39 Android and iOS apps, Google says it removed the 39 problematic apps from the Google Play Store, while Apple notes that it found issues in several apps.
MaaS can have serious effects on any technology user who is not properly protected, from individuals to large corporations. Damages are not limited to financial figures, but can include time, productivity and personal trauma. MaaS is innovative in both the programs that are developed and the medium that is targeted.