Ever wondered where all of the malware and ransomware comes from? The answers may surprise you, and the enigmatic hacker we have heard so much about will become more human and closer to home. Most of it comes from the collective efforts of people with a variety of intentions. Malware is usually developed for trolling, activism, sabotage, or to make money. In some cases the authors of legitimate open source software create a tool that other programmers then repurpose for malicious ends. In this article we will explore the Darknet’s role in malware development and how your own insiders could potentially participate.

Image courtesy of IT Security Central

Malware Actors

Who exactly are the authors of malware? It could be anyone with a basic command of programming, but they tend to fall into a few categories, and the motivation for hacking often predicts how skilled a hacker will work to become.

Recognition and Trolls

Some hackers are simply looking for validation and recognition of their ability, while others are trolls. People new to programming may be inclined to see just how far they can penetrate security systems. Often these amateurs create faulty malware with a host of errors that prevent it from working properly. They are often students, bored people, or everyday people developing a hobby, and the most malicious their intention usually becomes is to “troll” a person or an organization. These are the hackers the general public hears about most, yet the majority of them are amateurs who pose the least threat to organizations.

Political Hackers

This group of malware authors is very diverse in agenda, but the underlying motivation for their malware development is political, and their work seeks to achieve a particular socio-political outcome. Politically motivated malware developers come from the entire political spectrum, globally. With a politically motivated attack the intention may not be as clear as in a financially motivated one, so speculation often runs rampant afterwards. One of the strongest indicators of a politically motivated attack is malware built for sabotage rather than extortion. However, extortion-based malware (ransomware) can also be used as a cover for a politically motivated attack, as was speculated during the NotPetya outbreak: the “installation key” shown in its ransom note was random data from which the attackers could not have derived a decryption key, which is why analysts concluded it was a wiper dressed up as ransomware.

Professional Hackers

On the darknet it is not hard to find professional hackers who will develop and launch an attack on someone else’s behalf; if the price is right, they will even develop custom malware for a client. These hackers are the online equivalent of mercenaries and usually take on work too complex for others to accomplish. They often work hand in hand with insiders, and payment arrangements are frequently based on how much data is stolen and sold on the darknet. Professional hackers can be involved in both politically motivated and financially motivated attacks.

State Actors

Countries are actively in conflict with each other right now in cyberspace, and many are developing new malware or cyber weapons daily. One of the first state-developed malware operations to be called a cyber weapon was Stuxnet. More recently, the WannaCry and NotPetya outbreaks were both built on an SMB exploit (EternalBlue) that a group calling itself the Shadow Brokers had obtained from a toolset attributed to the United States National Security Agency (NSA). The Shadow Brokers first tried to auction the tools to the highest bidder and then released them publicly, after which the exploit was incorporated into malware that caused some of the most damaging cyber attacks the world has seen. The defensive lesson is unglamorous: Microsoft had patched the underlying vulnerability (MS17-010) two months before WannaCry appeared, so unpatched, network-exposed SMBv1 was the real exposure. State actors may develop malware for a specific intent, but when those weapons fall into the wrong hands the result is devastating. Sadly, this happens far more often than it should.

Motivations for Malware Creation

As stated above, the motivations for hacking boil down to trolling, activism, sabotage, and profit. Each of these motivations can involve any combination of the actors listed above, and the motivations themselves may overlap. For example, when a DDoS attack is launched the intention is usually some combination of trolling and activism. Decentralized groups such as Anonymous, for example, refuse to carry out cyber attacks unless it is also for the “lulz”, as shown below.

Image courtesy of IT Security Central

Most organizations do not need to worry about groups such as Anonymous, but they do need to worry about insiders collaborating with professional hackers. If the insider pays enough or comes to a good agreement, the hacker can develop custom malware that your cyber security team has never come across before, which means signature-based detection will not recognize it on first contact. Profit may be combined with a motivation to sabotage your organization, and because several actors are involved, each may bring a different degree of motivation.

Decentralized Development, Forums, & Darknet Githubs

Malware development today is very decentralized, although state actors and some professional hackers keep their work closed source. To understand how malware is developed collectively yet anonymously, you first need to understand open source software development models. Open source software is code that is open and free for anyone to access and modify to their liking; usually there is a stable release that has been validated by a core team of developers and tested for bugs. The key thing to understand is that the source code is always freely available to the public and is constantly updated, refined, and validated by anonymous users. On the clearnet many professional engineers rely on GitHub and services like it. On the Darknet many are coming to rely on their own equivalents, accessible only over Tor or I2P; the one pictured is just one of many. When malware is developed on the darknet it is normally based on some version of open source code shared by a community. Below is an example of open source code for building an anonymous email service; a collectively developed malware project follows the same structure.

Photo courtesy of IT Security Central

The other type of malware development happens behind closed doors. Usually there is a core team, which may or may not be financed externally; this is often the situation with state actors and some professional hackers. Hackers who develop malware behind closed doors still visit open source communities for a basis for their code or to add features to an existing malware family. The difference is that they do not share their improvements back with the community and use them exclusively for themselves or for their client. For defenders this cuts both ways: the shared ancestry means reused code and overlapping indicators, while the private modifications are exactly what lets a sample slip past detection tuned to the public version.

Post Development

After malware has been developed it is either put up for sale to novice programmers or to insiders looking to take matters into their own hands; earlier in the series we described how the markets work and how these cyber weapons are sold. After development, live testing may begin on a few unfortunate victims, and once the results look positive the cyber attack is launched. This is of course a very brief overview of malware development: there is no secret process, only channels of information. Anyone who knows how programmers develop software will find malware development on the darknet very familiar. Please stay tuned for more articles about how insiders navigate and use the Darknet. We will be focusing more on how insiders who understand the darknet will use it against your company.

This post was originally published in IT Security Central and was reprinted with permission.