The Mass Effect Of The Malcurious
Crowdsourced workforce spreads malware at scale
Atlanta, Ga. – Sep. 15, 2021
In late 2019, while investigating the Geost banking trojan, security researcher Veronica Valeros of the Stratosphere Lab stumbled upon a peculiar file: a private Skype log containing thousands of chat exchanges among Russian-speaking individuals regarding the technical aspects of Geost botnet operations — including command-and-control domains, credentials, IP addresses, and infected Android packages (APKs).
This lucky encounter offered a unique research opportunity; seldom do we have access to private conversations between people directly involved in the dissemination of malware.
Using the chat log, we were able to track the interactions of some of the individuals on a large and public internet marketing forum. We found that the group used the public forum to covertly ground their operations, recruit other workers and share technical information.
So, a group of us set about to discover what we could about these actors by applying algorithmic techniques such as Uniform Manifold Approximation and Projection (UMAP) and Group-Based Trajectory Modeling (GBTM) to the private and public conversations.
Malware Overlords or Malcurious Masses?
To our great surprise, after careful translation and analysis of both the private and public discussions, we found that the group was quite far from embodying the malware overlord narrative that we built around them. Nor did they epitomize any traditional criminal ethos.
They were instead simple freelance IT workers, opportunistic entrepreneurs trying to get by in the difficult and informal space of internet marketing. They just happened to be hired in an informal network of contractors to spread the Geost malware.
They were amateurs using defective tools and techniques. Facing an adverse business environment, these amateurs developed a lenient attitude toward criminality. Yes, they actively participated in the spread of the malware botnet. But their participation was much more akin to a banking clerk’s participation in global finance than it was to that of some hedge fund mastermind.
The research was led by Masarah Paquet-Clouston (GoSecure). Secureworks data scientist Serge-Olivier Paquette participated, along with Sebastian Garcia (Stratosphere Lab at the Czech Technical University) and Maria-Jose Erquiaga (Cisco Systems).
These are the “malcurious.” And little did we know, there are legions of them — not only for Geost, but more generally.
What we uncovered is an example of a phenomenon known as the “mass effect.” In medicine, “mass effect” refers to the effect of a growing mass (such as a tumor) that results in secondary pathological effects by pushing on or displacing surrounding tissue.
The mass effect of the malcurious plays a major role in the dissemination of malware. Yes, they’re unskilled and uncommitted, but this mass effect scales malware in a way that makes it much more dangerous. Like the kid who takes $20 for keeping an eye out for the cops by a crack corner, they’re trivial players individually. But collectively they are as vital to the fortunes of a true cybercriminal as those kids’ eyes are to a drug kingpin.
We found the informal marketing forum to be a hotbed for such opportunistic entrepreneurs to drift into cybercrime. During the years 2017 and 2018, at least 7.2 percent of its users participated to some degree in activities hosted on cybercrime forums. Using statistics, we extrapolated that there are at least 500,000 persons on similar platforms that fit this malcurious drifter profile right now.
Using UMAP, we were able to gain insight into the forum’s user population and get a grasp on its communities of interest. We then used GBTM, a method often used in social science to track the evolution of populations over time, to understand how users drift from the original marketing forum into cybercrime platforms.
We found that while a relatively small number of users (27 percent) end up almost completely switching to the other side, a majority (73 percent) are simply malcurious. That is, they do not switch to the cybercrime forums with any great commitment, but instead simply lurk and interact minimally there before coming back to the legitimate marketing platforms.
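The trajectory modeling described above, shown as an added illustration that is not the study's own code or data: a small EM fit of a two-group linear trajectory model (group intercept plus slope over time, shared noise) to constructed per-user series of cross-forum activity, which recovers a "drifts across" group and a "lurks and returns" group with their shares. The group count, the linear trajectory shape and the sample values are assumptions made for this example.

```python
"""Toy GBTM: EM fit of K linear trajectories (group intercept + slope, shared noise)."""
import math
# Constructed sample (not the study's data): the share of each user's monthly posts
# made on cybercrime forums rather than the marketing forum, over eight months.
MONTHS = list(range(8))
USERS = {
    "u01": [0.10, 0.20, 0.35, 0.50, 0.60, 0.75, 0.85, 0.90],  # drifts across
    "u02": [0.05, 0.15, 0.30, 0.45, 0.65, 0.70, 0.90, 0.95],  # drifts across
    "u03": [0.15, 0.25, 0.30, 0.55, 0.60, 0.80, 0.80, 0.95],  # drifts across
    "u04": [0.00, 0.05, 0.10, 0.05, 0.00, 0.10, 0.05, 0.00],  # lurks, returns
    "u05": [0.10, 0.00, 0.05, 0.15, 0.10, 0.05, 0.00, 0.10],
    "u06": [0.05, 0.10, 0.00, 0.00, 0.15, 0.10, 0.05, 0.05],
    "u07": [0.00, 0.00, 0.10, 0.15, 0.05, 0.00, 0.10, 0.05],
    "u08": [0.10, 0.05, 0.05, 0.00, 0.10, 0.15, 0.05, 0.00],
    "u09": [0.05, 0.15, 0.10, 0.05, 0.00, 0.05, 0.10, 0.10],
    "u10": [0.00, 0.10, 0.05, 0.10, 0.05, 0.00, 0.15, 0.05],
}

def _sse(a, b, ys):  # squared error of one user's series against trajectory a + b*t
    return sum((y - (a + b * t)) ** 2 for t, y in zip(MONTHS, ys))

def fit_gbtm(series, init, iters=50):
    """series: {user: [y_t]}; init: [(intercept, slope)] per group. Returns (params, shares, sigma2, {user: group})."""
    names, T, K = list(series), len(MONTHS), len(init)
    params, shares, sigma2 = list(init), [1.0 / K] * K, 0.05
    for _ in range(iters):
        # E-step: posterior probability of each group for each user, computed in log space.
        resp = {}
        for n in names:
            ll = [math.log(max(w, 1e-300)) - _sse(a, b, series[n]) / (2 * sigma2)
                  for (a, b), w in zip(params, shares)]
            z = [math.exp(v - max(ll)) for v in ll]
            resp[n] = [v / sum(z) for v in z]
        # M-step: responsibility-weighted least squares per group, then the shared variance.
        params, sse_total = [], 0.0
        for k in range(K):
            Sw = Sx = Sy = Sxx = Sxy = 0.0
            for n in names:
                r = resp[n][k]
                for t, y in zip(MONTHS, series[n]):
                    Sw, Sx, Sy = Sw + r, Sx + r * t, Sy + r * y
                    Sxx, Sxy = Sxx + r * t * t, Sxy + r * t * y
            b = (Sw * Sxy - Sx * Sy) / (Sw * Sxx - Sx * Sx)
            a = (Sy - b * Sx) / Sw
            params.append((a, b))
            sse_total += sum(resp[n][k] * _sse(a, b, series[n]) for n in names)
        shares = [sum(resp[n][k] for n in names) / len(names) for k in range(K)]
        sigma2 = max(sse_total / (len(names) * T), 1e-6)
    return params, shares, sigma2, {n: max(range(K), key=lambda k: resp[n][k]) for n in names}
```

Calling `fit_gbtm(USERS, [(0.1, 0.0), (0.1, 0.1)])` starts one flat and one rising trajectory; the fit assigns u01 to u03 to the rising group (share 0.3, slope about 0.125 per month) and the rest to the flat group.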
What this tells us is that while a large number of people are apparently willing to join the crowdsourced workforce necessary to spread malware at scale, most of them would probably rather not. And this is what we aim to communicate with this research. The individuals studied were IT workers looking for opportunities; they were technical contractors with very little motivation to actually do harm.
The discovery of the malcurious isn’t just a fun fact. It can and should directly impact the way we combat malware. Because this discovery is relatively new, the jury is still out on exactly how to best apply our understanding of malcuriosity to cyberdefense. But it may be that we can alter the narrative of cybercrime in order to discourage their drifting before they actually do harm. Alternatively, we may be able to proactively identify and communicate with the malcurious in order to provide them with other opportunities that don’t entail aiding and abetting cybercrime.
Regardless of how we ultimately leverage our new insight into how malware is propagated in the real world, two principles remain clear. First, we must constantly and diligently study the behaviors of our adversaries in order to neutralize them most effectively. Second, both the study of our adversaries and the steps we consequently take to neutralize them are best undertaken communally. We are much stronger and smarter together than we are apart.
That’s why Secureworks remains committed to our industry’s cooperative efforts to make the whole world safer for human progress by outpacing and outmaneuvering the adversary. Join us at our Threat Intelligence Summit on September 28th, 9 AM to 2 PM EST.
– Serge-Olivier Paquette is Senior Manager – Data Science Lead at Secureworks. His research focuses on the ability to infer, through machine learning, the context of security events from incomplete information. He also serves as President for Northsec, a non-profit organization that hosts a series of world-class technical cyber security events, held annually in Montreal.
Secureworks is 100 percent focused on cybersecurity. In fact, it’s all we do. For nearly two decades, we’ve committed to fighting the adversaries in all their forms and ensuring that organizations like yours are protected.
Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improves your ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.