The dark web has been supporting the sale of digital tools such as those designed to breach subscription services like Netflix and Apple Music, with cybersecurity experts observing sharp growth in dark web advertisements for botnets created to enable hackers to compromise victim devices.
Commonly used in Distributed Denial-of-Service (DDoS) attacks, a botnet is a group of internet-connected systems that a threat actor has compromised – a technique that multiplies the force available to hackers for disrupting or breaking into victim devices.
Botnet attacks are quite dangerous. In 2016, the Mirai botnet reportedly took down a large section of the internet; the victim organizations included big players like Twitter, Netflix and CNN, as well as notable Russian financial institutions and the West African Republic of Liberia.
After much of the internet had been shut down, the situation worsened when the malware creator released the source code – an action that inspired cybercriminals across the world to use it as a chassis for creating their own versions of botnets.
Although the original co-authors faced justice, the impact of their creation is still being felt today as the dark web continues to promote their legacy, as evidenced by darknet vendor advertisements for botnet sales.
Botnets on the Dark Web Marketplaces
Dark web marketplaces have been instrumental in the growth of botnets as an industry: they facilitate the sale of malware and exploit kits designed to connect infected machines into live botnets in furtherance of cybercriminal purposes.
In fact, the practice of selling and renting botnets via dark web platforms is nothing new – threat actors have been exploiting dark net engines to sell “hacking-as-a-service” to interested parties looking to benefit from the highly profitable cybercriminal industry.
Cybersecurity experts agree that highly destructive botnets such as Mirai have resulted in highly capable DDoS attacks. The DDoS market has since evolved as sellers have managed to supercharge their offerings by supplying the dark web market with more dangerous DDoS kits.
According to a Managed Security Service Report published by IBM researchers, the software and malware category of dark web listings offers a wide range of malware options for interested buyers.
The discovery was made when the researchers found a number of advertisements on one of the biggest and most popular dark web markets in existence.
Notably, the report showed that darknet platforms have developed highly organized structures to mirror the commercial models used by their legitimate counterparts – including the adoption of a network-based consumer-to-consumer and business-to-consumer approach to sales and services.
The dark web scan, which sought to provide an overview of botnet advertisements in the hidden web, led the team of researchers to a darknet vendor called “ZeusOverTor” whose offering appears to fall into the class of highly potent malware created to infect victim computers (see below).
Screenshot of a dark web advert for ZeusOverTor botnet (Source: IBM X-Force Research)
In the advert, the vendor claimed to offer an “extremely resilient” variant of the Zeus Trojan. Its distinguishing property was the vendor’s promise that the malware on sale was capable of communicating with its Command & Control (C&C) servers over Tor.
In practice, this means that the flow of data between infected victim computers and the C&C server happens under the veil of anonymity – thus making it exceedingly difficult for third parties to identify or intercept the process.
Safe to say, the botnet possessed many competitive features that would enable threat actors to conduct money transfers, eliminate anti-virus software from victim computers and access the hidden service without the need to register a domain.