Cybersecurity reports often talk about threat actors and their malware/hacking operations as self-standing events, but, in reality, the cybercrime ecosystem is much smaller and far more interconnected than the layperson might realize.
Cybercrime groups often have complex supply chains, like real software companies, and they regularly develop relationships within the rest of the e-crime ecosystem to acquire access to essential technology that enables their operations or maximizes their profits.
According to cybersecurity firm CrowdStrike, these third-party technologies can be classified into three categories: services, distribution, and monetization.
Breaking down each, the services category usually includes:
- Access brokers – threat actors who breach corporate networks and sell access into a company’s internal network to other gangs.
- DDoS attack tools – also known as DDoS booters or DDoS-for-hire, these groups provide access to web-based panels from where anyone can launch a DDoS attack against a target.
- Anonymity and encryption – threat actors who sell access to private proxy and VPN networks, so hackers can disguise their location and the origin of their attacks.
- Phishing kits – threat actors who create and maintain phishing kits, web-based tools used to automate phishing attacks, and the collection of phished credentials.
- Hardware for sale – threat actors who sell custom-made hardware, such as ATM skimmers, network sniffing devices, and more.
- Ransomware – also known as Ransomware-as-a-Service, or RaaS, these groups sell access to ransomware strains or a web-based panel where other gangs can build their own custom ransomware.
- Crime-as-a-Service – similar to RaaS, but these groups provide access to banking trojans or other forms of malware.
- Loaders – also known as “bot installs,” these are threat actors who already infected computers, smartphones, and servers with their own malware and offer to “load/install” another group’s malware on the same system, so the other group can monetize it through ransomware, banking trojans, info-stealers, etc.
- Counter antivirus service/checkers – these are private web portals where malware devs can upload their samples and have them tested against the engines of modern antivirus systems without the fear of the malware’s detection being shared with the AV maker.
- Malware packing services – these are web-based or desktop-based tools that malware developers use to scramble their malware strain’s code and make it harder to detect by antivirus software.
- Credit/debit card testing services – these are tools that hackers use to test if the payment card numbers they acquired are in a valid format and if the card is (still) valid.
- Webinject kits – these are specialized tools, usually used together with banking trojans, to allow a banking trojan gang to insert malicious code inside a victim’s browser while they visit an e-banking (or any other) site.
- Hosting &…