The rise and commoditization of underground marketplaces for selling and buying access to compromised corporate machines introduces a new reality for security professionals – one in which corporate machines, infected with malware that is generally accepted to be “untargeted” or “low corporate risk” and hence typically get de-prioritized for remediation by security operation centers, can very quickly, sometimes within hours from the initial infection, become launch pads into the organizational network for targeted APT actors, that acquire access to those compromised machines via black market trading.
A good example for the commoditization of this underground market is xDedic, which is one of the largest black markets for selling access to compromised machines. Traditionally, most of the machines offered on those marketplaces were internet-facing servers, compromised by hackers that took advantage of poor server security hardening, exploits or just password guessing, and subsequently offered them for sale. However, in the last year and a half, we're witnessing a dramatic growth in the amount of compromised endpoints offered for sales on marketplaces, like xDedic. For the most part, the growth in the endpoints offering can be attributed to click-fraud and adware actors that are boosting their monetization model by selling direct access to machines they have their malicious software running on.
In enterprise settings, machines infected with click-fraud or adware are perceived to be “low risk,” and as a result, many organizations de-prioritize its removal or disregard it all together. While it's true that commodity malware often has low impact on organizational assets, xDedic and its counterparts have created lucrative black markets for acquiring access to infected endpoints, which can be easily and anonymously be purchased and used as part of a targeted attack.
This market, driven by xDedic and others, is free market economics in its purest form. For botmasters, the average value of a single compromised machine that is engaged in click-fraud is roughly $10-$20 across its average lifetime (days to weeks). If that same machine is sold as part of a bulk machine sale, for activities like DDoS or spam distribution, its average lifetime value climbs to between $18-$36. But when selling access to individual lucrative machines on black markets, they have the potential to be exponentially more profitable.
If the machine has admin privileges, a public IP address, and high network bandwidth, that raises the price by at least 50% above the ‘commodity price' of $5-$10 . If there is installed software or a history of accessed websites that would make it feasible to find valuable user credentials or payment card information on it that can jack up the price by up to 1,000%. If the machine being sold has affiliation to a lucrative enterprise network, it can fetch its seller a jackpot of up to 10,000% more than the commodity price.
There are two main ways platforms such as xDedic add value. First, they reduce the risk for buyers – it saves them the effort of having to troll the web looking for a seller with access to a specific machine, as well as verify some of the seller claims to help the buyer avoid scams. Second, they reduce risk to the seller by making sure the seller gets paid, verifying the buyer payment information in advance, as well as by adding another layer of anonymity, masking the seller's identity and location.
Once a transaction is complete, the buyer gets access to the machine via Remote Desktop Protocol (RDP), or an equivalent remote access protocol, and if by some chance a buyer is not familiar with RDP, xDedic provides step-by-step instructions on how use its services.
Those values come at a price - xDedic gets a 20% cut off each sale. If someone wants to re-sell a machine they previously purchased off the marketplace, the marketplace cut goes up to 80%. xDedic keeps a well maintained listings of 10s or thousands of compromised machines for sale at any given time, across the globe.
It's no surprise that black markets such as xDedic are thriving – they are easy to find, easy to use, and provide significant value to buyers and sellers. With that being the case, next time you find commodity malware on your network, if you can't immediately remediate the machine, then keep in mind that thanks to black markets such as xDedic, “low risk” or “untargeted” malware can evolve into a targeted operation at a moment's notice. Make sure you have the right tools and procedures in place to monitor for any indicative changes taking place on those machines.
This blog previously appeared in SC Magazine.