The most popular malware and hacking tools on underground hacker forums

Based on an analysis of more than 3.9 million posts from underground hacking forums indexed by the Recorded Future platform between May 2018 and May 2019, Insikt Group identified the malware variants most frequently cited on those forums. Insikt Group also tried to determine whether the forum references correlate with real-world events, and whether forums in different languages differ in the malware and tools they promote.

Underground hacker forums are the marketplaces where cybercriminals advertise their malware variants and hacking tools. By analyzing more than 3.9 million posts across a range of hacker forums from May 2018 to May 2019, Insikt Group identified the most popular malware variants and those most closely associated with actual attacks.

Most of the malware cited across multiple languages falls into one of three groups: publicly available dual-use tools, cracked malware, and open-source malware, much of it with more than three years of history.

Insikt Group also found that underground hacker forums in different languages, such as English, Chinese and Russian, concentrate on different malware, including different malware categories and attack vectors.

Among the malware advertised on underground hacker forums, the top ten include dual-use tools such as MinerGate and Imminent Monitor, as well as njRat, AhMyth, Mirai, and Gh0st RAT, open-source malware with more than three years of history.

According to the report, underground forums in different languages concentrate on different targets and attack vectors. For example, Chinese- and English-speaking forums focus more on Android devices than their Russian counterparts: three of the top ten malware families on Chinese underground forums are Android trojans (SpyNote, AhMyth and DroidJack), and two of those three (SpyNote and DroidJack) also appear in the English top ten, whereas the Russian top ten contains no mobile malware at all.
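As an added illustration of the kind of measurement the report describes (counting, per forum language, how many posts mention each malware family, ranking the most-mentioned families, and checking how many of a language's top families are mobile), here is a small Python script. It is an example written for this page, not Recorded Future's code: the forum posts are constructed samples, and the alias table and platform tags for each family are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample posts as (language, text); not real forum data.
SAMPLE_POSTS = [
    ("en", "Selling cracked DroidJack 4.4, also have njRAT 0.7d builder"),
    ("en", "Anyone got SpyNote v5? my njrat keeps getting flagged"),
    ("zh", "出售 SpyNote 安卓远控, 附 AhMyth 源码"),
    ("zh", "DroidJack 破解版 和 njRat 教程"),
    ("ru", "Продам GandCrab партнёрку, ищу криптер для njRAT"),
    ("ru", "Imminent Monitor лицензия, дешево"),
]

# Assumed alias patterns per family; spelling and spacing vary across posts,
# so matching is case-insensitive and tolerates an optional space.
FAMILY_PATTERNS = {
    "njRat": [r"\bnj\s*rat\b"],
    "SpyNote": [r"\bspy\s*note\b"],
    "DroidJack": [r"\bdroid\s*jack\b"],
    "AhMyth": [r"\bahmyth\b"],
    "GandCrab": [r"\bgand\s*crab\b"],
    "Imminent Monitor": [r"\bimminent\s+monitor\b"],
}

# Assumed platform tag per family, used to count mobile malware in a top list.
FAMILY_PLATFORM = {
    "njRat": "windows",
    "SpyNote": "android",
    "DroidJack": "android",
    "AhMyth": "android",
    "GandCrab": "windows",
    "Imminent Monitor": "windows",
}


def compile_patterns(table):
    return {fam: [re.compile(p, re.IGNORECASE) for p in pats]
            for fam, pats in table.items()}


def families_in_post(text, compiled):
    """Set of families mentioned at least once in a post (one count per post)."""
    return {fam for fam, pats in compiled.items()
            if any(p.search(text) for p in pats)}


def count_mentions(posts, table=FAMILY_PATTERNS):
    """Posts mentioning each family, overall and broken down by language."""
    compiled = compile_patterns(table)
    overall = Counter()
    per_lang = defaultdict(Counter)
    for lang, text in posts:
        for fam in families_in_post(text, compiled):
            overall[fam] += 1
            per_lang[lang][fam] += 1
    return overall, per_lang


def top_n(counter, n=10):
    """Families ranked by mention count, ties broken alphabetically."""
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [fam for fam, _ in ranked[:n]]


def mobile_in_top(per_lang, lang, n=10, platforms=FAMILY_PLATFORM):
    """How many of a language's top-n families are tagged as Android."""
    return sum(1 for fam in top_n(per_lang[lang], n)
               if platforms.get(fam) == "android")


def cross_language_families(per_lang, min_langs=2):
    """Families discussed in at least min_langs language groups."""
    langs_for = defaultdict(set)
    for lang, counter in per_lang.items():
        for fam in counter:
            langs_for[fam].add(lang)
    return sorted(fam for fam, langs in langs_for.items()
                  if len(langs) >= min_langs)


if __name__ == "__main__":
    overall, per_lang = count_mentions(SAMPLE_POSTS)
    print("overall:", top_n(overall))
    for lang in sorted(per_lang):
        print(lang, top_n(per_lang[lang]), "android:", mobile_in_top(per_lang, lang))
    print("cross-language:", cross_language_families(per_lang))
```

Counting a family once per post rather than once per occurrence keeps a single spammy advertisement from dominating the ranking; a real pipeline would also deduplicate reposts and normalize versions (for example "njRAT 0.7d") before counting.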

Top ten malware mentioned on Chinese-language forums:

Top ten malware mentioned on English-language forums:

Top ten malware mentioned on Russian-language forums:

We found that several malware families were discussed extensively across multiple language groups, including the following:

1. njRat, a Windows RAT created at the end of 2012 whose source code is available online on some forums. This RAT is popular in English, ***, Spanish, Russian, Chinese (Traditional) and Persian posts.

2. SpyNote, an open Android-based RAT with keylogging and GPS capabilities. The application has been found on malware forums since 2016 and is popular in English, Chinese (Simplified), Chinese (Traditional), Spanish, Japanese and *** posts.

3. GandCrab, ransomware known by the name of its author, first discovered in early January 2018. GandCrab's main vendor retired in June 2019, and in July 2019 the FBI released the master decryption keys for versions 4, 5, 5.04, 5.1 and 5.2. This ransomware is popular in Russian, Chinese (Simplified), Spanish, Persian and *** posts.

4. DroidJack, an Android RAT created in 2014. Its official website sells a lifetime license for 210 US dollars, but cracked versions on underground forums are far cheaper. This RAT is popular in Chinese (Simplified), Chinese (Traditional), English and *** posts.

From the above, the most popular malware is mainly ransomware and remote-access trojans (RATs). The main reason, I think, is that ransomware brings enormous profits, while RATs are mainly used in APT attacks.

njRAT is also popular on both English and Russian forums. This RAT is known for its stealth features: it runs silently in the background and can also disable antivirus programs and other Windows security features.

Insikt Group also identified the top malware categories mentioned from May 2018 to May 2019; the leading categories are Ransomware, Crypter, Trojan and WebShell, as shown below:

Hash values of the top malware, as shown below:

Top malware and their delivery mechanisms:

Link to the detailed analysis report:

https://www.recordedfuture.com/measuring-malware-popularity/

Report download link:

https://go.recordedfuture.com/hubfs/reports/cta-2019-0724.pdf

Interested readers can download it and study it.

Although this report is a statistical survey of malware on underground hacker forums over the past year, it can help security researchers better understand the habits of malware vendors and buyers, and how criminal groups use specific activities on underground hacker forums to make certain malware more successful than others. The most discussed malware is likely to be among the samples used most in attacks over the next year or two, so this data has high reference value.

Tracking and researching all kinds of malware has always been a focus of security research. In my many years in security I have worked on analysis and research in this area, and I really enjoy studying different malicious samples; every time I get a new sample I feel an urge to dig into it. As I mentioned in earlier articles, researching malware yields a lot of valuable information: from the perspective of the samples one can learn about the activities of criminal groups and thereby understand how the whole underground economy operates. In the past year or two, ransomware targeting enterprises has become more and more common and new ransomware families keep emerging. How many criminal groups are developing new ransomware behind the scenes, and how do they plan to operate this malware to maximize their profit? I think more malware will certainly appear in the future, with new variants constantly being produced; security is a continuous process of confrontation. Fileless attack techniques are also becoming more mature and have become an important link in the malware attack chain, and ransomware has been the most popular malware on underground hacker forums over the past year. We need to keep a continuous watch on the developments of this malware and put the corresponding defensive measures in place in time.


Source: www.cnblogs.com/0daybug/p/11571242.html