An analysis of 3.9 million online posts published on underground forums found that ransomware, crypters and trojans were the most frequently referenced categories of malware and malicious tools – an indication of their popularity among forum visitors and potential cybercriminals.
Web shells, remote access trojans, adware, computer viruses, FUD (fully undetectable) crypters, exploit kits and rootkits – in that order – were the next most frequently mentioned over an approximately year-long period from May 2018 through May 2019, according to Recorded Future's new report, "Bestsellers in the Underground Economy."
Recorded Future's Insikt Group threat research team also kept tabs on how many times specific malware names were referenced in the same collection of posts. The most frequently mentioned malware program was the remote access trojan njRAT. Rounding out the top 10 were Predator the Thief (data stealer), SpyNote (RAT), AZORult (data stealer), NLBrute (brute-force attack tool), GandCrab (ransomware), XRumer (spammer), DarkComet (RAT), Imminent Monitor (RAT) and WarZone RAT.
The researchers also sorted the forum postings by language and found that, for several languages, a majority of the 10 most commonly cited malware programs were openly available dual-use tools (software that began as legitimate but can be abused and weaponized), open-source malware or cracked malware, some of it more than three years old and easily detected by up-to-date antivirus solutions. "This likely demonstrates that underground forum members are eager to discuss and use tools readily available to them rather than pay for or invent new tools," the report states.
The report cites the MinerGate cryptominer and Imminent Monitor as examples of dual-use tools; njRAT, AhMyth and Mirai as examples of open-source malware; and SpyNote, Trillium, NLBrute and RDPBrute as examples of cracked malware.
In a corresponding blog post this week, Insikt Group assessed with medium confidence that the large number of references to the top-10 tools translates into their more frequent use in attacks. The post adds, however, that some of these tools are only low-to-moderate threats compared with other malware because of their age, their ineffectiveness without a delivery vehicle or crypter, and existing antivirus detections.
While ransomware was the most frequently discussed category of malware, roughly 50 percent of all ransomware-related activity in the forums consisted of requests for any generic, non-branded ransomware or of sales posts from lower-level vendors, as opposed to references to specific strains such as GandCrab, WannaCry and Cryptolocker.
Recorded Future also found certain types of activities in underground forums triggered spikes in malware references. These activities included sales of malware bundles, advertisements of malware updates, malware being advertised on a new forum, the sharing of news articles pertaining to a particular malware program, and underground community engagement.
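As an added illustration (not code from the report or from Recorded Future), the following Python sketch shows the kind of tallying that underlies figures like these: it counts references to the named tools listed above across a handful of constructed forum posts, separates references to a specific strain from generic, non-branded mentions of a category (the distinction the ransomware figure above turns on), breaks the tally down by post language, and flags a month in which mentions of one name jump. The sample posts, the alias and keyword lists and the spike heuristic are all assumptions made for this example; the report does not describe its own method.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample posts, not taken from any forum or from the report.
POSTS = [
    {"month": "2018-05", "lang": "en", "text": "WTB any ransomware, don't care which, budget 500"},
    {"month": "2018-05", "lang": "ru", "text": "Продаю njRAT builder + FUD crypter"},
    {"month": "2018-06", "lang": "en", "text": "GandCrab v4 affiliate program is open again"},
    {"month": "2018-06", "lang": "en", "text": "Is DarkComet still detected by every AV?"},
    {"month": "2018-07", "lang": "en", "text": "njRAT 0.7d cracked, download link inside"},
    {"month": "2018-07", "lang": "en", "text": "njRAT vs SpyNote for android? njRAT is windows only"},
    {"month": "2018-07", "lang": "ru", "text": "Обновление NJRAT, новый крипт"},
    {"month": "2018-08", "lang": "en", "text": "AZORult stealer logs for sale, fresh"},
]

# Canonical name -> (category as given in the article, aliases to match).
# Category labels follow the article; the alias lists are assumptions.
MALWARE = {
    "njRAT": ("rat", ["njrat", "nj rat"]),
    "Predator the Thief": ("stealer", ["predator the thief"]),
    "SpyNote": ("rat", ["spynote"]),
    "AZORult": ("stealer", ["azorult"]),
    "NLBrute": ("brute-force tool", ["nlbrute"]),
    "GandCrab": ("ransomware", ["gandcrab"]),
    "XRumer": ("spammer", ["xrumer"]),
    "DarkComet": ("rat", ["darkcomet", "dark comet"]),
    "Imminent Monitor": ("rat", ["imminent monitor"]),
    "WarZone RAT": ("rat", ["warzone rat", "warzone"]),
}

# Generic (non-branded) category words, used to separate "any ransomware"
# requests from references to a specific strain. Keyword lists are assumptions.
CATEGORY_KEYWORDS = {
    "ransomware": ["ransomware"],
    "crypter": ["crypter"],
    "rat": ["rat", "remote access trojan"],
    "stealer": ["stealer"],
}

def _pattern(alias):
    # Lookarounds instead of \b so multi-word aliases match as whole words and
    # the generic keyword "rat" does not match inside "njRAT".
    return re.compile(r"(?<!\w)" + re.escape(alias) + r"(?!\w)", re.IGNORECASE)

NAME_PATTERNS = {name: [_pattern(a) for a in aliases] for name, (_, aliases) in MALWARE.items()}
KEYWORD_PATTERNS = {cat: [_pattern(k) for k in kws] for cat, kws in CATEGORY_KEYWORDS.items()}

def _count(text, patterns):
    """Count occurrences (not posts) of each key's patterns in one text."""
    found = Counter()
    for key, pats in patterns.items():
        n = sum(len(p.findall(text)) for p in pats)
        if n:
            found[key] = n
    return found

def find_mentions(text):
    """Named-malware mentions in one post, e.g. Counter({'njRAT': 2, 'SpyNote': 1})."""
    return _count(text, NAME_PATTERNS)

def find_generic(text):
    """Generic category words in one post, e.g. Counter({'ransomware': 1})."""
    return _count(text, KEYWORD_PATTERNS)

def tally_names(posts):
    total = Counter()
    for p in posts:
        total.update(find_mentions(p["text"]))
    return total

def tally_by_language(posts):
    per_lang = defaultdict(Counter)
    for p in posts:
        per_lang[p["lang"]].update(find_mentions(p["text"]))
    return dict(per_lang)

def category_breakdown(posts):
    """Per category: references to a named strain vs. generic, unbranded mentions."""
    out = defaultdict(lambda: {"branded": 0, "generic": 0})
    for p in posts:
        for name, n in find_mentions(p["text"]).items():
            out[MALWARE[name][0]]["branded"] += n
        for cat, n in find_generic(p["text"]).items():
            out[cat]["generic"] += n
    return dict(out)

def monthly_counts(posts, name):
    counts = {m: 0 for m in sorted({p["month"] for p in posts})}
    for p in posts:
        counts[p["month"]] += find_mentions(p["text"])[name]
    return counts

def spike_months(posts, name, factor=3):
    """Months where mentions of `name` reach factor x the median of the other months.
    A deliberately simple heuristic for this example, not the report's method."""
    counts = monthly_counts(posts, name)
    spikes = []
    for month, c in counts.items():
        others = [v for m, v in counts.items() if m != month]
        baseline = max(1, median(others)) if others else 1
        if c >= factor * baseline:
            spikes.append(month)
    return spikes

if __name__ == "__main__":
    print(tally_names(POSTS).most_common(3))
    print(tally_by_language(POSTS))
    print(category_breakdown(POSTS))
    print(spike_months(POSTS, "njRAT"))
```

Two points carry over to real forum data: aliases and transliterations matter far more than the regex (the Russian post above would be missed entirely by a matcher that required "njRAT" in Latin script next to Latin text), and the count is of mentions, not of distinct sellers or campaigns, which is why the article's caveat that heavy discussion does not equal high threat is the right way to read such rankings.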
Altogether, the posts contained references to 61 malware categories and 101,124 malware names.