Infiltrating the malware sales market

The objective of this study was to describe and understand the impacts of the private nature of chat rooms on the activities of their participants. Specifically, the researchers compared public and private chat rooms to describe and understand the types of malware their participants advertise, the infrastructure targeted by the malware, the date of first detection of the malware offered, the price, and finally the level of trust in the vendors.

To understand the impacts of the private nature of chat rooms, the researchers selected two chat rooms (one private and one public) available on the Internet whose main purpose is to sell malware. In this study, malware is to be understood as any software, code, or piece of code that performs harmful operations on a third party’s computer system (e.g. ransomware, worms, and spyware). This definition therefore excludes phishing software, spamming software, and encryption services that facilitate the infection and spread of malware. A private Russian-speaking discussion forum with over 62,000 members and 1,100,000 public messages (average of 18 messages per member) was selected, infiltrated, and observed. The public discussion forum was chosen because of its similarities to the private one. The public discussion forum had many more observers—over 185,000 members—but only 345,000 posts (average of 2 posts per member).

Data from threads whose last post was made between 1 June 2020 and 10 February 2021 was collected. A total of 362 threads were analysed on the public chat room, and it was confirmed that 86 of them offered the sale of malware as defined above. On the private discussion forum, the researchers examined 806 threads and found 136 malware advertisements.

The researchers observed that participants in the private discussion forums adhered to a code of conduct regarding the use and targeting of malware, e.g. one vendor prohibited the use of its software against public facilities such as hospitals or schools.

The study developed the following results:

• Malware that allows access to computers accounted for just over half of all malware for sale (56% and 57% for public and private forums, respectively);
• Telephone malware represented only a small proportion of all software for sale (6% of public chat rooms and 13% of private chat rooms), with other software targeting computers;
• In both public and private discussion forums, around one third of malware was detected for the first time in 2020. In general, malware sold on private forums appeared to be more recent, with 56% detected in 2019 or later, compared to 44% on public forums;
• Many ads did not display any prices. However, price transparency was much higher in the private forum (94%) than in the public forum (40%);
• In the public discussion forum, 77% of sellers received a rating of 0, compared to only 35% in the private discussion forum. Almost all the ads in the private discussion forum mentioned that a guarantor must be used to finalise the sale; in the public forum this was only a very small percentage (N = 10).

In conclusion, both public and private discussion forums sell basic and sophisticated malware without significant price differences. The major difference between private and public forums is the trust between the participants. This is more important in the private forum, where sellers are not worried about hiding and share videos of their malware on public services. A sense of impunity is present among participants in both public and private discussion forums and is a reminder of the large number of malicious actors online and the lack of resources to combat them.

Authors

Renaud Zbinden, Institute for Combating Economic Crime, HEG Arc // HES-SO, Switzerland

Olivier Beaudet-Labrecque, Institute for Combating Economic Crime, HEG Arc // HES-SO, Switzerland

Cristina Cretu-Adatte, Institute for Combating Economic Crime, HEG Arc // HES-SO, Switzerland