Whether known as commodity malware or “as-a-service,” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue.
When used legitimately, as-a-service software is when a third-party company offers its software to another company based on a license that is renewed frequently (mostly monthly or yearly) for a fee. The software is centrally hosted on that third-party company’s servers. Think of cloud storage solutions like Dropbox or Plex, for example.
Threat actors have been using this business model for a decade-plus, originally known as commodity malware. This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites. It can range from asking “customers” to pay a monthly fee for access to this set of tools to use in cyber attacks, or users can even pay the original creators to distribute the malware on their behalf and manage the infection.
Recently, this model for threat actors has come to be known as the “as-a-service" model, borrowing the term from the growing trend in the tech industry.
Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.
But other bad actors have since adopted this businesses model, offering every from command and control servers to phishing bots-as-a-service. There are a few reasons why attackers may opt to pay for an as-a-service malware tool for their chosen campaign:
- As-a-service saves attackers time. When they pay for someone else’s malware kit, whether it be ransomware or a phishing bot, they don’t have to invest time, money or labor to write their own malicious code or tools and instead can hop right into deploying the malware.
- For the actors and groups who originally created the malware, it is a more reliable income stream for them. Usually, they’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall. Instead, they can make money by marketing their services to other bad actors for a fee.
- Bad actors who want to get into the cyber attack business need little to no technical skills to get started. When an attacker pays for an as-a-service malware, they often get an individual login with dedicated customer support, much like any user would with a legitimate piece of software. This way, they can ask questions and receive help if they get stuck during the deployment of the malware. This means that, conceivably, anyone with interest could get involved in starting a cyber attack.
- As Nick Biasini explained in a past episode of Talos Takes, name recognition also plays a major part in the rising popularity of this business model. Lesser-known threat actors want to piggyback off having a big name associated with them, like DarkSide, to intimidate their actors or lend more credence to the effectiveness of their threats.
Notable example: Greatness
Cisco Talos researchers recently discovered Greatness, one of the most advanced phishing-as-a-service tools ever seen in the wild. Our analysis indicates that attackers may have been using attackers since mid-2022.
Greatness offers the ability for users to bypass targets’ multi-factor authentication protections, IP filtering and integration with Telegram bots. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
Any Greatness affiliates don’t need a specific set of skills. All they need to do is deploy and configure the provided phishing kit with an API key. If used successfully, the attacker can set up a proxy Microsoft 365 authentication system and steal a victim’s authentication credentials or cookies with a “man-in-the-middle" attack.
Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service, potentially allowing anyone with a moderate amount of technical ability to carry out advanced, convincing phishing attacks.
Since as-a-service or commodity malware can include all types of malware, it can be tough to provide specific advice for detection and prevention. For Greatness specifically, anyone implementing multi-factor authentication should opt for code-based authentication through their MFA app of choice, such as Cisco Duo, rather than the easier-to-break method of a simple “yes” or “no” push notification.