Introducing our newest research “The seven faces of darkness”

We talk about the commercial malware that is most common in attacks on Russian organizations
November 24, 2023

Our experts at BI.ZONE Threat Intelligence have published their new research The seven faces of darkness that analyzes seven malware families being distributed via the MaaS (malware‑as‑a‑service) model. The research includes the malware that is heavily used in attacks against Russian companies. Its traces are found in more than 80% of malicious traffic to corporate mail servers. In 2023, over 100,000 organizations around the world were attacked using the malware described in the report.

There are many threads on underground forums and in Telegram channels where developers offer subscriptions to their malware through the MaaS model. The malware is often purchased by attackers who lack the expertise to develop their own tools. Commercial malware significantly lowers the barrier to entry into cybercrime. With MaaS, attack tools are becoming more accessible, making it ever easier to infiltrate a corporate perimeter.

One of the easiest ways to gain initial access to an infrastructure is to distribute phishing emails with commercial malware. The black market for such products will continue to grow and evolve. Some of the offers already include builders for creating instances of malware, access to the control panel of compromised devices, not to mention updates and messenger support. The situation is further complicated by the low cost of certain malware: there are cracked samples going for as little as 299 rubles, and in some cases available for free.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Generally, with the MaaS model, developers offer one of three types of malware: loaders, RATs, or stealers. Sometimes a single piece of malware combines all three. Because of their accessibility, these tools have become widespread among hacktivists, cybercriminals, and state‑sponsored hackers.

The most prominent commercial malware families used in attacks against Russian companies, and their share of malicious email traffic:

  1. AgentTesla (40% of traffic)

    This spyware steals user credentials from various sources: browsers, mail clients, FTP/SCP clients, remote access programs, VPNs, and several messengers. The spyware is capable of logging clipboard data, capturing device screenshots, recording keystrokes, and transmitting all this information to the attacker’s C2 server. A free cracked version is now circulating on underground forums.

  2. FormBook (20% of traffic)

    The product was positioned as spyware to intercept usernames and passwords. It could retrieve stored data from Edge, Firefox, Chrome, Internet Explorer, Outlook, Thunderbird, as well as intercept traffic and record keystrokes. At the end of 2018, sales of FormBook ceased, but a cracked version is nonetheless freely available.

  3. White Snake (15% of traffic)

    The stealer collects credentials from Chromium‑ and Firefox‑based browsers, registry data, documents, and other files. Moreover, it can record screen video, execute commands, and download additional malware.

    A thread on the sale of White Snake on a popular underground forum was suspended after BI.ZONE had reported the stealer being spread under the guise of Roskomnadzor requirements. Now it is being distributed through a Telegram channel. The cost starts at $140 per month and can go up to $1,950 for a lifetime license.

  4. RedLine (7% of traffic)

    This stealer is capable of extracting credentials from browsers, email clients, messengers, VPNs, etc. Its monthly subscription sits at $150, while a lifetime license can be purchased for $900. On top of the official offers, a lifetime license is available for resale in the underground segment of the Internet for $500.

  5. Snake Keylogger (1% of traffic)

    Another stealer that can retrieve credentials from over 40 browsers, as well as applications such as Discord, Outlook, Foxmail, and FileZilla. It is also capable of intercepting user keystrokes, capturing screenshots, and collecting system data. Subscription prices range from $40 per month to $195 for six months. The source code and modifications of one of the stealer’s earlier versions are publicly available.

  6. DarkCrystal (1% of traffic)

    This is a modular trojan being sold on underground forums since 2019. All news and updates are published in a special group on Telegram. The trojan is provided on a subscription basis: upon purchase, the user receives a builder and a dedicated C2 server from which attackers control the infected devices.

  7. DarkGate (1% of traffic)

    This malware can obtain user credentials from browsers, cryptocurrency wallets, and the Telegram and Discord apps, intercept keystrokes, and collect system data such as installed antivirus versions and user and device names. In addition, DarkGate can manage device files, processes, and power state, install proxy servers and malicious browser extensions, and use the Remote Desktop Protocol. DarkGate is designed for sophisticated attacks, with a monthly license set at $15,000.

Phishing emails are one of the primary ways to compromise target systems. We recommend using specialized solutions that block spam and malicious emails to protect against such campaigns. One such solution is BI.ZONE CESP. Furthermore, continuous IT infrastructure monitoring services, for example, BI.ZONE TDR, can help to effectively respond to new threats, allowing you to quickly recognize advanced attacks and neutralize threats without delay.

Download the full research on the seven most popular types of malware and learn more about the tactics, techniques, and procedures employed by cybercriminal groups.