The Big Business of Crimeware

Updated: Jul 7

While organisations of every size and across every industry have shifted their security focus from financially-motivated cyber attacks to more advanced and sophisticated threats, bad actors have been developing well-run crimeware organisations that mirror any legitimate business model, along with their corporate management infrastructure.


These syndicates will have individuals who write and develop malware, and low-level workers whose job it is to initiate the actual infection on target PCs, infecting users via a slew of vectors, including malware-riddled attachments, malicious links, infected social networking links, Internet-facing remote access protocols, and many more. There will also be recruiters, who dream up and execute massive malware campaigns as well as recruit and manage the workers; affiliates, whose job it is to infect as many machines as they possibly can; and money mules, who serve as conduits between victims, attackers and members of illegal operations, and help launder the proceeds of cyber crime.


And as with every up-and-coming enterprise, crimeware syndicates depend heavily on a range of services, including advertising, customer service, hosting providers, domains and more. These syndicates are extremely organised and effective, which has seen crimeware grow steadily year on year, and years of deploying large-scale, untargeted attacks have taught bad actors how to optimize their attacks to get the most traction.

“Crimeware groups are one of the most dangerous cyberthreats we are facing at the moment. Each year, their attacks grow exponentially in terms of both sophistication and frequency, and the APT-like methods they employ for information gathering, initial compromise, lateral movement and data exfiltration, are turning them into genuine APT groups with financial gain in mind. The co-ordination and management within these groups are also of a high level. They employ a structure-based responsibility, with strong coding capabilities and communication skills. Well-funded and dangerous, these adversaries have close connections with real world organised crime groups, and top players in the global threat landscape,” says Dasha Diaz, founder and CEO of itrainsec.

Unfortunately, while threat actors have been honing their techniques, law enforcement has been falling behind. Today’s attackers are motivated, cunning, have ample resources, and adjust their tactics based on law enforcement's response, unencumbered by geographies that tie law enforcement’s hands when it comes to the successful arrest and prosecution of these crimes. All of this is helping the crooks stay one step ahead of the good guys.


Look at ransomware over the past few years. The first strains were seen around 2005 with the notorious CryptoLocker, followed by a leap in popularity some ten years later. By 2017, WannaCry proved to the world that criminal groups behind ransomware are fully aware that millions of euros can be extorted from large businesses. Entire hospitals, commercial organisations and even cities were shut down due to ransomware, and it is only set to get worse.


The bottom line?

Businesses should be worried. While they tend to focus on more advanced and targeted threats, too often they are under the impression that financially motivated cyber criminals are not as sophisticated as those carrying out APT campaigns. Nothing could be farther from the truth. Crimeware is highly effective and damaging, and it is growing in frequency, intensity and impact. Businesses that can't stop crimeware have little to no hope of stopping an APT in its tracks.


So what to do?

Unfortunately, reports indicate that crimeware incidents are less likely to be formally investigated than other types of security events, mainly because it isn't viewed as feasible to undergo the same stringent procedures. It should be. If crimeware is introduced onto a company's network, a full investigation must be undertaken as these tools can be used as a method of performing reconnaissance and exfiltrating sensitive company information, even if they were not designed for this purpose.


Crimeware is often distributed as part of an exploit kit, so its discovery might be indicative of additional infections. As a business, it is critical to know how these infections happened in order to pinpoint any weak links in the security chain. Without an investigation, you will remain in the dark as to where your systems are most vulnerable.

itrainsec invites security researchers to level up their skills by taking a reverse engineering course focused on analyzing various examples of crimeware and financial APTs.