Source code leaks a key cog in malware development life cycle

Mar 29, 2022

The leak of data related to the Conti ransomware-as-a-service gang is a watershed moment for the information security community. This data leak allows for insights into attacks that were previously unknown, the organizational structure behind the group and how the malware operation functioned.

While researchers and analysts are scrutinizing Conti’s source code to build defenses against future attacks, it’s likely that the cybercrime underground has also started examining the code for its own gains. While defenders can glean insights to protect their organizations, cybercriminals often use code leaks to enhance and improve their malware code base.

This is not the first time there has been a massive dump of source code tied to a prolific strain of malware. Banking trojans, botnets, and information stealers, among others. Leaks of malicious code have been publicly released, only to serve as a code base for further iterations of malware by other bad actors. By examining what happened in the aftermath of past leaks, organizations can better formulate security strategies to defend against future attacks.

Mirai

Mirai is a notorious strain of malware that can pull different types of networked devices into a large botnet for the purpose of launching Distributed Denial-of-Service (DDoS) attacks. The malware is most notably tied to an attack launched in October 2016 against domain name system (DNS) provider Dyn, which subsequently caused major Internet platforms and services to be unavailable in Europe and North America. That attack was possible because weeks earlier Mirai’s source code was leaked on the popular underground forum HackForums.

While the version of Mirai used in the Dyn attack is not in direct use by cybercriminals today, Many botnet variants have been built using Mirai’s source code, including BotenaGo, Echobot, Gafgyt, Loli, Moonet, Mozi and Zeroshell. All of these botnets have been active since the start of the COVID-19 pandemic in early 2020 and have continued to evolve throughout 2021.

The code is so influential that even some of the malware offshoots are starting to have their own code versions released and co-opted by other cybercriminals. For example: earlier this year, source code for BotenaGo was publicly released on GitHub.

Given the total number of IoT devices connected worldwide is projected to be about 30.9 billion devices by 2025, the attack surface for these botnets is only going to grow, which means public source code will continue to be the foundation of these malware variants.

ZeuS

Arguably the most notorious piece of crimeware over the past decade, the ZeuS malware was publicly released in 2011, going on to power a host of other malware variants that become noteworthy in their own right. An entire ecosystem of malware was propped up when ZeuS version 2.0.8.9, leading to a countless number and various varieties of attacks.

The following are some examples of malware that shares functionality, source code or both with ZeuS:

  • Citadel

  • Floki

  • GameOver

  • Terdot

  • Sphinx

  • ZLoader

  • Zeus Panda

These malware variants have been used in conjunction with many others in malspam campaigns, information theft and ransomware delivery, among other schemes. While ZeuS wasn’t the first piece of crimeware, its creation and further widespread use led to millions of systems being infected and billions of dollars being stolen worldwide, much of which was made possible by the online source code leak.

Android malware

Source code leaks tied to mobile malware have not followed the same development trends as the previous two examples. While Mirai and ZeuS provided the code base for many different malware variants, mobile malware development based on source code leaks is much more splintered. Several older Android trojans were used as code bases for other pieces of malware. The source code of those particular iterations would then have their own code bases leak, with newer malware variants being stitched together on top of previously leaked malware variants.

The graphic below shows how Android malware has developed as source code has leaked:


Leak Data Blog Android Malware Graphic

This is not a comprehensive list of Android malware; many more variants exist outside of those mentioned. However, it is a chilling example of the accelerated development of popular Android trojans driven in part by source code being publicly available once these malware variants have become established threats.

Babuk

Only recently did cyber threat intelligence analysts begin to see ransomware code leaks similar to other malware. One of the most notable leaks was Babuk’s source code, which was leaked on a Russian-language cybercrime forum in September 2021.

Since the leak, there hasn’t been much development that can be directly attributed to Babuk’s source code. While Intel 471 has observed actors posting the source code for download on various underground forums, it’s unclear if new ransomware variants have been built on top of this code. Another version of Babuk, known as “Babuk 2.0,” surfaced shortly after the leak, but it’s unclear if the code bases match. Additionally, some of the infrastructure used by Babuk, including its name-and-shame blog, have been used in conjunction with other ransomware strains.

More leaks, more malware

While the information security community is still sifting through the Conti leaks, it’s a safe guess that attackers are doing the same to iterate on their own malware’s capabilities. As this posting has shown, while malware source code leak can defang a variant, it also serves as a stepping stone to variants that organizations will contend with in the future.

Ignoring malware variants after source code leaks is a mistake. While organizations must learn from it, because the attackers are certainly advancing their code bases. Once attackers have incorporated the code or its structure a raft of new threats often surfaces. Defenders that prepare their organizations for a multitude of threats can avoid becoming targets as attackers continue to develop malware based on these leaks.