Malware Has Evolved: Defining Malware-as-a-Service

Malware Has Evolved: Defining Malware-as-a-Service
7 minute read

This blog series focuses on key areas highlighted in the recent ZeroFox report: “The Future of Digital Threats: 2020 Insights, 2021 Predictions.” In this report, the ZeroFox threat research team reviews trends that defined 2020 and predictions for 2021 to help security teams prepare for another year of uncertainty in the digital-first world that now dominates modern life. In this series, we are reviewing the acceleration of the top three trends we’ve come to know: starting with targeted ransomware, moving into phishing, and ending with the expanded use of malware-as-a-service. In this final post of the series, we will review malware in more detail.


In 2020 and well into 2021, the ZeroFox threat research team saw an acceleration of the digital threats we’ve come to know, including the expanded use of malware-as-a-service. The pandemic and subsequent rapid shift to remote-first environments resulted in significant opportunities for malicious actors. How they capitalized on those opportunities, however, often involved doubling down on familiar techniques. Malware was not exempt, and spikes in malware-as-a-service illustrate this evolution. We will define malware and its development into a “service-based” model, as well as measures you can take to prepare for the tactics and techniques expected to increase.

Defining Malware 

“Malware: Software designed to disrupt, damage, or intrude into a computer. Examples are viruses, dishonest adware, spyware, worms, Trojans, crimeware, and scareware.” (Source: The Cyberwire Glossary)

Determining whether a cyber-attack is malware-based or not centers around the overall intended use versus the specific technology or technique used (as this is constantly changing).

This wide-reaching term stands for “malicious software” and can encompass several tactics and means of spreading further. Threat actors have a goal of gaining access to sensitive data and otherwise wreaking havoc where possible; to do so, they leverage malware tactics such as worms, trojans, viruses, adware, ransomware, spyware and the like to cause damage to networks, computers, servers and more. Malicious software can also be triggered manually if attackers can gain physical access or remote levels of senior access, such as through an administrator. Therefore malware is defined by the end result after it is successfully deployed. 

For example, this might include, but is not limited to:

  • Spyware, which focuses on gathering data on an unsuspecting victim under the radar. It can include “keylogger” software that tracks a user’s keystrokes, which is fruitful for stealing even more data such as passwords.
  • Adware, which uses a “follow the cookie crumb trail” approach in that it redirects a browser to an online ad that triggers additional downloads of malicious software with further-reaching impacts. 
  • Ransomware, which encrypts files and holds them hostage in return for payment. Typically, a decryption key is offered as the only way to regain access. Scareware is also seen in this approach, deemed as such because the attacker claims to have taken control and demands a ransom, but it is all smoke and mirrors using redirects to make the attack look more damaging than it actually is.

Malware Evolved

Threat actors have evolved malware tactics to sell a service that also enables a degree of “cloaking” from attribution at the end of the day. These cybercriminals have learned from the deluge of attribution reports that have been published and have used these indicators to systematically dismantle what previously served as high-fidelity indicators. As the criminal economies continue to evolve, threat actors are now more apt to share their expertise as well. Meaning each stage in an attack no longer requires an individual to develop and maintain their own code, making it all the more difficult to trace owners within the entire chain of an attack. Malware authors now regularly offer their projects for sale in the criminal underground. Enter malware-as-a-service, where an attacker finds more value in providing the latest tactics and technologies to anyone willing to pay. 

Malware-as-a-service can be broken down into three stages: developers of malware, peddlers of malware, and purchasers of malware. This model ensures the “latest and greatest” as the developer wants to maintain their “products” reputation and continuously provide new and innovative exploits. The expanded plug-and-play service model also allows for various configurations, especially with regard to multiple partnerships and multi-stage intrusions. The result is a complex many-to-many relationship wherein different tools may be used by the same actor for reconnaissance, exploitation, delivery, lateral movement and post-exploit activities. Each of those tools may be used by several other actors at the same time. The continued specialization of the criminal markets is creating more capable, robust and numerous groups that specialize in every part of the operational chain.

As time has passed, the landscape has changed; what were once reliable indicators for defenders have turned into an undifferentiated mass of open source tools, exploitation scripts, and disposable infrastructure.

At this point, a cybercriminal can outsource every capability to conduct a sophisticated intrusion and co-mingle attributes to make the campaign look like a hodgepodge of owners. 

Case in Point 

An excellent case in point would be the Hermes malware attack. Malware was used in a highly successful operation attributed to Lazarus Group and asserted as a North Korean Advanced Persistent Threat (APT) tool. The malware was then offered for sale on dark web forums by a Russian-speaking actor using the handle CryptoTech. CryptoTech went to great lengths to demonstrate the legitimacy of his claims, but there was no direct evidence if a sale was made, and if so, whether it was to one actor or many. Yet, what appeared to be a derivative project emerged in Ryuk ransomware, and then another evolution to Conti ransomware. This makes attribution based on technical indicators problematic. 

Three phases of an attack, with similar Tactics, Techniques, and Procedures (TTPs), our threat team outlines in “The Future of Digital Threats: 2020 Insights, 2021 Predictions,” include:

  • Phase One: A maldocs (malicious documents) infection triggers a first-stage loader. The maldocs themselves are a de facto industry standard and are not generally valuable for attribution. They change from campaign to campaign and sometimes from victim to victim. With most of these first-stage loaders being commodity malware, it is hard to draw any meaningful insights from the initial intrusion vector. Emotet, for example, is one of the most prevalent first-stage loaders and operates as an “access as a service” malware. It has been used by major campaigns for Ryuk, Dridex, and others.
  • Phase Two: The loader deploys a multistage toolkit for post-exploitation operations. This is where the many-to-many relationship between capability sellers and operators starts to complicate attribution even more. Some configurations pair well together, but something like Emotet or Qbot can deliver almost any payload. Emotet loads TrickBot, Ursnif, IceID or Cobalt Strike - the particulars vary widely. Furthermore, most of these tools began life as their own exploits and have now evolved into an anonymous source of leverage for multiple threat actors.
  • Phase Three: After full network compromise, the ransomware is deployed. Often in these infection chains, the threat actors will leverage infrastructure in the victim’s environment to host and spread the ransomware across the network. This is usually done via PowerShell or other built-in utilities hosted on servers with significant internal network access. The only defining feature of this stage is often the ransomware variant itself.

These attackers share some common tools – particularly the link Ryuk and Conti both share with TrickBot, but at the same time, both operations seem to be ongoing in parallel. While they share standard initial post-infection stages in a similar configuration, they employ multiple tools - Emotet, Ursnif, IceID, Buer and BazarLoader. Additionally, they had developed independent TTPs, illustrated when Conti became a practitioner of the double extortion techniques recently made popular, but Ryuk did not follow suit.

Disrupting Malware-as-a-Service

Threat actors continue to deploy both familiar and new tactics to exploit your digital presence. A comprehensive approach to Digital Risk Protection and Threat Intelligence requires countermeasures at every stage of the modern cyber kill chain. Solutions must provide early warning, real-time detection and rapid remediation to ensure an organization remains agile and steadfast in protecting what matters most while ensuring attackers don’t gain a foothold.

Download ZeroFox’s report, “The Future of Digital Threats: 2020 Insights, 2021 Predictions,” to learn more about these tactics and how they work together with other trending methods that our threat research team continues to track. 

See ZeroFox in action