The Market of Malware: Buying, Selling and Collaborating in the Criminal Underground

Published by:
Published on:
October 28, 2016

The Dark Web is a fascinating, confusing and for some, a shocking place. Amongst the plethora of forums discussing, selling and sharing drugs, guns, pornography, credit cards (the list goes on), cybercriminals of all levels of sophistication also seek to acquire, enhance, and profit from a variety of hacking tools.

This post provides examples of trading and collaboration that lie behind development of malicious software (malware), as well as providing examples of how it can be rapidly upgraded and changed. It argues for the necessity for organisations to have intelligence-driven measures to keep abreast of these developments, and to tune their detection systems accordingly.


The darker places of the internet act as forums for buying and selling of malicious computer-based tools and scripts. Darknet marketplaces, such as The RealDeal Market or Crime Network allow cybercriminals to buy exploit kits, malware, access to botnets, as well as seek advice.

One example is the ransomware that is currently being traded on the darknet called Stampado. According to Heimdal Security, the ransomware costs a mere $39, and the package comes with “how-to” guides and support from the creators.

Stampado Ransomware
Stampado ransomware advert [Source: Heimdal Security]

Another example is the more advanced ransomware trojan named Cerber, which has also been available on Russian underground forums. The cybercriminals operating Cerber offer it as a ‘service’, whereby they take around 40% of the profit acquired by whoever has purchased access to it. The emergence of ransomware-as-a-service means that “wannabe cyber fraudsters” are able to piggyback on the sophisticated delivery and operational infrastructure created by skilled cybercriminals, to easily make their own profits.

New versions of this ransomware have emerged following decryption keys being made available by the security industry.

CollaborationAside from ransomware, the reign of the SpyEye banking trojan acts as an example of the profitability and level of criminal collaboration surrounding malware. One Russian and one Algerian cybercriminal were responsible for creating and selling the malware that stole more than a billion dollars from its victims.

They sold SpyEye on “invitation-only” forums for between $1,000 and $8,500. One interesting aspect of this episode was the ultimate collaboration between the authors of SpyEye and the infamous Zeus malware. Subsequent to SpyEye outshining Zeus on its sales and performance, there was a moment in 2010 where the former absorbed the code of the latter to create “one powerful trojan”.

There have also been cases of authors leaking the source code of their malware for others to incorporate into theirs. This happened when the author of the Android malware GM Bot leaked his own code on darknet forums, apparently for no other reason than to gain credibility in the hacking community, which was dutifully exploited by others.

More recently, Kaspersky discovered Brazilian threat actors using Russian and Eastern European underground forums to develop their wares. This kind of collaboration allows malware authors to take inspiration and even copy aspects of other widely used malware into their own. Not only this, but the threat actors were utilising an already established cybercriminal technical infrastructure in Eastern Europe, which allowed for more effective delivery and use of counter-surveillance tactics, such as fast flux DNS.

Finally, there is evidence that cybercriminals are using their different areas of expertise to create and distribute malware in order to maximise profits. The two hackers known as Peace (aka peace_of_mind) and Popopret (aka BestBuy) have come together to create - and sell access to - the remote access trojan known as GovRAT. It is believed that Popopret is the hacker that had the technical expertise to create the RAT, and Peace used his/her reputation as a highly ‘credible’ vendor of stolen user accounts to distribute it, forming a relatively competent cybercriminal team.

Value of Intelligence

What these examples show is the level of cybercriminal collaboration, which leads to more effective malware, greater operational security, and ultimately greater profitability. Ultimately, the rapid development and proliferation of malware necessitates more robust, agile, and effective defensive countermeasures, underpinned by intelligence capabilities. It is imperative that organisations understand how malware is traded, developed, and ultimately used by cybercriminals, so adequate defensive measures can be taken.

If utilised properly, cyber threat intelligence can be a key component in keeping up with the changing threat landscape. Having a cyber threat intelligence capability will allow for two things:

  • An awareness of the current developments in malware collaboration on darknet marketplaces
  • Feeds of the most current indicators, behaviours, and subsequent defensive courses of action for an organisation’s Intrusion Detection Systems and Incident Response Systems.

Find out more about our cyber intelligence services: