Commercial Malware Makes a Comeback in 2016

Among the trends identified in the IBM X-Force Threat Intelligence Index for 2017 was the notable reemergence of commercial malware in the fraud underground. Commercial malware is defined as malicious code that cybercriminal buyers can purchase outright or rent, sometimes in software-as-a-service (SaaS) models.

The most popular types of malcode we observed in 2016 were Android malware, banking Trojans, ransomware offerings and DDoS-as-a-service vendors. Since DDoS tools are mostly sold as a service and not as malware per se, we will focus here on banking Trojans, Android malware and ransomware.

Banking Trojans

Many antifraud professionals remember that banking Trojan sales dropped sharply on most underground boards after law enforcement infiltrated the ranks of the internet’s underbelly in 2010 to 2012. It was a time when the Zeus Trojan’s author made the FBI’s most wanted list, SpyEye’s creator was sentenced to jail time in the U.S. and Gozi’s mastermind was picked up by U.S. law enforcement.

With an increasingly palpable fear of law enforcement, most of those selling malware in the underground, aside from Citadel’s vendor, scattered, leaving only some low-level Zeus vendors to sell executable files generated from their existing malware builders. By 2014, even Citadel had stopped selling in the underground, and no actual developers were willing to openly sell full-kit banking Trojans with a modules package, a proper license, and the bug fixes and tech support that fraudsters had grown accustomed to buying directly from the malware’s own author.

But commercial banking Trojans have since found a way to make a comeback of sorts. In 2016, we witnessed a few notable occurrences in that regard…

Dear reader: this special research article and report are part of my work with IBM X-Force. Read the complete post and download my final report here.
