What is Malware-as-a-Service (MaaS)?

The cybercrime economy evolved rapidly in recent years. Gone are the days when threat actors were lonely hackers sitting in a basement. Modern cybercriminals act within highly organized enterprise structures and exercise the same sophisticated business tactics as regular companies.

Mirrored after the Software-as-a-Service business model, Malware-as-a-Service (MaaS) is an increasingly popular service cybercriminals offer, which involves selling and distributing malware to other individual hackers or ransomware groups for profit. Selling MaaS allows cybercriminals to maintain their anonymity and evade law enforcement while still generating profit from their activities. Threat actors may also be interested in sabotaging your organization's reputation or getting a hold of sensitive data to sell later.

The rise of MaaS has lowered the entry barrier for threat actors with little technical knowledge or expertise. As a result, your organization is more exposed than ever to opportunistic cyberattacks that can disrupt your business operations, cause downtime, damage your reputation, and lead to revenue disruption.

In this blog post, we explore MaaS in more detail and provide actionable cybersecurity recommendations s to minimize the risks of disruption from malware attacks.

Definition of Malware-as-a-Service (MaaS)

Malware-as-a-Service (MaaS) is a type of cybercrime that involves the sale and distribution of malicious software or malware. With the rise of MaaS, threat actors can monetize their skills by creating sophisticated malware that enables serious cyberattacks and causes severe damage to organizations.

As a security leader, you must be aware of the potential dangers MaaS poses and the necessary steps to protect against them.

Types of Malware Sold as Malware-as-a-Service

MaaS vendors often offer two different types of malware for lease or sale on the Dark Web: DIY malware packages and hosted management services for malware distribution. The DIY malware packages often include all the necessary information to help the less-savvy threat actors adapt the malware to meet the specific demands of the attack, while the hosted packages allow threat actors to distribute malware to a broad group of users.

The types of malware sold as MaaS can vary significantly, depending on the malicious intent behind it. Common types of malware sold through MaaS include:

• Ransomware: used to encrypt data and demand a payment in exchange for access
• Banking Trojans: malware that mimics a legitimate computer program or software used to gain access into a device (hence being called a “Trojan”) to steal financial data.
• Spyware: used to monitor user activities and collect data by using a tool like keyloggers, which log keystrokes of the victims to log usernames, passwords, credit card data, etc.
• Adware: tracks user activity across the Internet to serve unwanted advertisements and collect personal data on the user, which can be sold to advertisers without consent.
• Fileless Malware: relies on using legitimate tools, such as PowerShell or JavaScript, to execute a cyberattack without the use of malicious files or software applications.

Security Solutions Against Malware-as-a-Service (MaaS)

The rise of MaaS has resulted in the barrier of entry being lowered for amateur, financially-motivated cybercriminals looking to target organizations. Therefore, your cybersecurity practices must adapt continuously to stay resilient in the face of emerging cyber threats. This means you should seek to implement security measures required for a strong security posture: ensuring secure networks, regularly patching any vulnerabilities, and monitoring your environment for suspicious activity.

Additionally, it's important to remember that the human factor is often the weakest link in cybersecurity. Fostering a cybersecurity culture at your organization and ensuring that all employees are properly trained on security measures can help button down initial access vectors and minimize the risk of business disruption.

Although it's not possible to fully eliminate cyber risk, your organization will be prepared to anticipate, withstand, and recover from attacks with these security measures in place.

Protecting Against Malware-as-a-Service (MaaS)

Given this broadening attack vector, maintaining a strong security posture and building cyber resilience is more important than ever. Even if you manage to contain a malware attack, its effects may linger in your environment for many years, causing additional damage and costing a significant amount to clean up. That's why proactive measures are key when it comes to protecting your organization and its sensitive data.

Here are some recommendations to protect your organization from MaaS:

• Ensure you have complete multi-signal visibility across your attack surface, on-premises and cloud, so you can quickly detect anomalies in your environment.
• Ensure your team has 24/7 threat detection, investigation, and response capabilities or consider outsourcing your security services to an external Managed Detection and Response (MDR) provider for around-the-clock coverage.
  • Leverage automated and expert-level manual response to stop the attackers at the first signs of infection and effectively contain cyber threats.
• Practice strong cyber hygiene with regular patching, robust policies, strong password etiquette, and disciplined access controls.
• Back up your data on a regular basis and store the backups separately to ensure they cannot be accessed from your network.
• Conduct regular Phishing and Security Awareness Training (PSAT) with your employees to test your employees against real-world scenarios, build user resilience and drive behavioral change. Make sure you assess the effectiveness of your training by continuously testing your employees.
• Maintain a high level of awareness about the latest tactics, techniques, and procedures (TTPs) used by MaaS vendors.
• Ensure you have an Incident Response (IR) provider on retainer to support with Security Incident Response Planning and emergency preparedness as well as incident response, remediation, digital forensics investigation, root cause analysis and crime scene reconstruction in the event of a severe incident or breach.

By implementing these measures and staying vigilant, you can greatly reduce your risk of experiencing a MaaS attack, build a more resilient security operation, and minimize the chances of business disruption.

A Malware-as-a-Service Case Study: Golden Chickens Malware

Since 2018, Golden Chickens has been a popular MaaS used by three top Internet crime groups, Russia-based FIN6 and Cobalt Group, as well as Belarus-based Evilnum. These threat actors used Golden Chickens to conduct targeted attacks on e-commerce organizations.

eSentire’s world-renowned threat research team, the Threat Response Unit (TRU), spent 16 months tracking, analyzing, and defending customers from this stealthy malware suite. Between April 2021 and April 2022, TRU discovered two significant hacking campaigns utilizing Golden Chickens. TRU continued to track Golden Chickens, eventually revealing the identity of VENOM SPIDER, the threat actor and operator behind this MaaS.

In our report, "Unmasking VENOM
SPIDER," we provide an overview of the FIN6 and Cobalt Group cybercrime organizations, details about the investigation that led to uncovering the identity of VENOM SPIDER, the Golden Chickens MaaS operator, an analysis of the malware, and recommendations from TRU on how to defend your organization from the Golden Chickens malware.

Leveraging Managed Detection and Response (MDR) to Prevent Malware-as-a-Service (MaaS)

To build a strong defensive posture against malware-as-a-service, we recommend implementing specific controls to help prevent common ransomware and malcode execution techniques, improve your ability to respond and recover from a cyberattack, and reduce your overall cyber risk.

When looking for a solution to protect your organization from evolving threats, work with a trusted partner capable of providing a multi-layered cyber defense strategy that includes ongoing multi-signal visibility, security event monitoring, proactive threat hunting, and complete response and remediation.

Engaging a Managed Detection and Response (MDR) provider will help ensure you have ongoing 24/7 threat detection, investigation, and response, access to Elite Threat Hunters and containment expertise, and rapid response capabilities.

Remember – a real MDR provider offers multi-signal coverage across endpoint, log, network, cloud, vulnerability, and identity sources, powered by a strong XDR platform foundation and human expertise, to identify, contain, and respond to malware threats that bypass traditional security controls.

Cybercriminals won’t wait for you to be ready for them – the best way to start improving your cybersecurity posture is to be proactive in your approach and focus on building cyber resilience.

Learn how you can defend your organization against malware threats and build a more resilient security operation with eSentire MDR. To connect with an eSentire cybersecurity specialist, book a meeting with us.