A community formed by young people between the ages of 11 and 18 is using Discord servers as a discussion forum and place for the sale and dissemination of malware families such as “Lunar”, “Snatch” and “Rift”, in a typical operating malware as a service (malware-as-a-service). The discovery was announced today by Avast. According to a survey by researchers at the company, the material includes ransomware, stealers and cryptominers. The group lures young users with advertisements for access to different malware creation and toolkits designed for laymen to easily build malware. In some cases, people need to buy access to the tool to join the group, and in others, they can become a member of the group, where the tool is offered for prices ranging from five to 25 euros.
Young people revealed their ages in conversations, discussed the idea of hacking teachers and school systems, and mentioned their parents in conversations. In a Discord group focused on selling “Lunar,” there were over 1,500 users, of which about 60-100 had a “customer” role, meaning they paid for the malware-building tool. Prices for malware creation tools differ depending on the category and duration of access.
“These communities can be attractive to kids and teens as hacking is seen as fun, malware writers provide an accessible and easy way to hack someone and brag to peers, and even a way to make money from ransomware. , cryptocurrency mining and the sale of user data,” says Jan Holman, Malware Researcher at Avast. “However, these activities are far from harmless, they are criminal. They can have significant personal and legal consequences, especially if children expose their own or their families’ identities, or if purchased malware actually infects victims’ computers, leaving those families’ devices vulnerable. Your data, including online accounts and banking details, can be leaked to cybercriminals,” adds Holman.
After purchasing and compiling their individual malware sample, some customers use YouTube to distribute it in the marketplace. Avast researchers have seen customers create a video on YouTube, allegedly showing information about a cracked game, or a cheat in a game, the link of which they send to others. However, the URL actually leads to the malware. To instill confidence in their video, they ask other people on Discord to like and leave their comments on the video, endorsing it and showing it to be genuine. In some cases, they even ask other people to comment that if the antivirus software detects the file as malicious, this is a false positive.
Through monitoring online communities, Avast found that while group members support each other in cybercrime, partly regarded as a joke but also as stealing data and money, there are also conversations that easily become quite turbulent. There has been a considerable amount of fighting, instability and bullying among users, with fierce competition that goes to the point of appropriating someone else’s codebase and even slander.
Malware creation tools allow users to generate malicious files without having to program anything. Typically, users just need to select the features and customize details like the icon. There are several malware families built with these tools and they all have similar user interfaces, with slightly different layouts, color palettes, names and logos. Tools are generally designed to be short-lived, based on a hosted source code from GitHub or some other build tool, renamed with a new logo and name, sometimes slightly tweaked or modified with new functionality.
Avast has created detections that protect users against samples that spread across servers and has contacted Discord to let them know about these groups. Discord confirmed that they take steps to address these communities and banned servers associated with Avast’s findings.
Source: CisoAdvisor