How to protect against malware as a service

Malware operators are further monetizing their malicious software by selling it to other attackers on a subscription basis. Learn how to detect and mitigate the threat.

Organizations need to remain up to date on the latest malware happenings. One especially concerning recent trend is malware as a service.

MaaS is a subscription-based model in which owners sell ready-to-launch malware to cybercriminals and malicious hackers. As in other subscription-based models, such as SaaS, malware creators sell their products -- the malware, the infrastructure it runs on, instructions on how to use it and technical support services -- for a fee.

This increasingly prevalent attack vector is alarming because it enables nontechnical "customers" to quickly and easily buy and distribute sophisticated malware.

Let's take a deeper look at MaaS and how to protect against it.

How does MaaS work?

The MaaS business model begins with malware developers creating and marketing their malware through private chat channels, dark web marketplaces and other underground forums.

Next, interested customers -- including newcomers to cybercrime, as well as experienced attackers who want to extend their existing attack footprint -- purchase access to the malware products.

Malware groups can offer a few different payment structures, usually requiring cryptocurrency, such as bitcoin, because it's difficult to track:

  • Subscription services -- for example, monthly or annually -- offer a quick and easy way for cybercriminals to get started.
  • Pay-per-install services are based on the number of successful malware installations on target machines.
  • Profit-sharing services involve MaaS operators receiving a percentage of the profits from successful attacks conducted by their customers.
  • Full purchases, while not technically as-a-service offerings, give cyberattackers lifetime access to malware for a single payment.

Once subscribed, MaaS customers distribute the malware to their victims. Common distribution methods include phishing emails with malicious attachments or links; exploitation of OS and library vulnerabilities; malvertising via malware-infected ads on websites, podcasts, video channels, etc.; and social engineering campaigns.

What are the different types of MaaS?

Common MaaS options offered by malware groups include the following:

  • Information stealers harvest credentials, personally identifiable information and sensitive business data via phishing attacks or drive-by downloads. The cyberattackers then sell the data on the dark web or use it for future attacks. Examples of infostealers include Raccoon Stealer and AZORult.
  • Cryptojacking malware doesn't steal data; rather, it illegally uses a victim system's electricity and compute power for cryptomining. This reduces system efficiency and can increase costs. Examples of cryptojackers include XMRig and perfctl.
  • Botnets are networks of infected devices used for DDoS attacks, spam networks and custom MaaS attacks. Examples of botnets include Mirai and Emotet.
  • Ransomware as a service is subscription-based, ready-to-use ransomware. Cyberattackers demand a ransom in exchange for exfiltrated data or the decryption key. Examples of RaaS include LockBit and Goliath.

MaaS types also include adware, keyloggers, spyware, worms, Trojan horses and more.

How to protect against MaaS attacks

To protect against MaaS, organizations should implement a multilayered defense-in-depth security strategy composed of complementary controls and policies. Consider including the following:

  • Email security. Implement advanced spam filters to identify and quarantine suspicious emails, and use AI-powered tools to detect sophisticated phishing attempts.
  • Endpoint protection. Deploy and regularly update antivirus and antimalware software, as well as endpoint detection and response tools. Implement application allowlisting to limit employees to only approved and secure applications.
  • Network security. Deploy firewalls and intrusion detection and prevention systems, and implement segmentation to limit lateral movement. Also, use zero trust and VPNs to secure remote employee access.
  • Patch management. Maintain an up-to-date inventory of all systems and software in use. Implement an efficient patch management process, and prioritize critical security updates.
  • User access control. Implement the principle of least privilege to limit user access. Require MFA, and regularly audit user access permissions.
  • Employee training and awareness. Hold regular cybersecurity awareness trainings to keep employees up to date with malware trends and how to avoid them. Conduct phishing simulations to test employee vigilance.
  • Backup and recovery. Develop and implement a backup strategy, and regularly test backup restoration processes. Store backups offline or in air-gapped systems.
  • Incident response plan. Develop and regularly update an incident response plan and incident response communication plan. Conduct incident response tabletop exercises to test incident response processes.
  • Security assessments. Perform vulnerability assessments and penetration testing. Maintain compliance with industry standards and regulations, and conduct security audits to evaluate system security.
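As an added example (not from the article), here is a small EDR-style rule set that applies the endpoint and network controls above to constructed telemetry, with one detection per MaaS category discussed: a phishing attachment spawning a script host, cryptojacking traffic to a mining pool, and ransomware-style mass file renames. The event format, field names, port list and thresholds are assumptions chosen for this illustration.

```python
"""Toy detection rules over constructed endpoint telemetry (added example).
Event schema, pool ports and thresholds are assumptions, not vendor specifics."""
from collections import Counter

# Constructed sample telemetry: process, network and file events, one dict each.
EVENTS = [
    {"type": "process", "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"type": "network", "host": "srv02", "dst": "pool.example.invalid", "port": 3333, "proto": "stratum+tcp"},
    {"type": "network", "host": "ws01", "dst": "www.example.com", "port": 443, "proto": "tls"},
] + [{"type": "file", "host": "fs01", "op": "rename", "path": f"/share/doc{i}.docx.locked"}
     for i in range(60)]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
MINING_PORTS = {3333, 4444, 5555, 14444}   # pool ports used by this example (assumption)
RENAME_THRESHOLD = 50                       # renames per host that count as a burst (assumption)

def detect_phishing_attachment(events):
    """Office application spawning a script host: the classic weaponized-attachment chain."""
    return [e for e in events if e["type"] == "process"
            and e["parent"].lower() in OFFICE_APPS
            and e["image"].lower() in SCRIPT_HOSTS]

def detect_cryptojacking(events):
    """Stratum mining protocol or a known pool port from an internal host (XMRig-style traffic)."""
    return [e for e in events if e["type"] == "network"
            and (e["proto"].startswith("stratum") or e["port"] in MINING_PORTS)]

def detect_ransomware_renames(events, threshold=RENAME_THRESHOLD):
    """A burst of file renames on one host: mass-encryption behaviour."""
    counts = Counter(e["host"] for e in events
                     if e["type"] == "file" and e["op"] == "rename")
    return {host: n for host, n in counts.items() if n >= threshold}

def run_all(events):
    """Run every rule and return hits keyed by MaaS category."""
    return {
        "phishing_attachment": detect_phishing_attachment(events),
        "cryptojacking": detect_cryptojacking(events),
        "ransomware": detect_ransomware_renames(events),
    }

if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

In a real deployment these rules would read from the EDR or SIEM event stream and feed the incident response process described above, rather than a hard-coded list.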

Ashwin Krishnan is host and producer of StandOutIn90Sec, based in California, where he interviews tech leaders, employees and event speakers in short, high-impact conversations.
