Avast, a digital security and privacy company, has discovered an online community of minors constructing, sharing and distributing malware, including ransomware and a mix of information stealers and cryptominers.
Avast says the group attracts young users by promoting access to various malware builders and toolkits that allow non-experts to easily construct malware. In some cases, people need to purchase access to the malware builder tool to join the group; in others, they can become group members and the tool is offered to them for a small fee ranging from A$7 to A$37.
The community uses dedicated Discord servers as a discussion forum and sales platform to distribute malware families like Lunar, Snatch or Rift, following the current trend of Malware-as-a-Service.
According to Avast, children in the discussion forums were revealing their ages, discussing the idea of hacking teachers and their school systems, and mentioning their parents in conversations. The results show that the age of the participants varied between 11 and 18 years.
In a Discord group focused on selling Lunar, there were over 1.5k users, around 60-100 of whom had a customer role, meaning they paid for the builder.
The company says the types of malware shared between teenagers target minors and adults, and have options that include stealing passwords and private information, cryptomining, and even ransomware.
For example, if a customer buys a builder tool and uses it for data theft, the generated sample will send all the stolen data to the specific customer who generated and distributed it. Or, if a customer uses a tool to create a ransomware sample, the victim will be prompted to send funds to that particular customer’s crypto wallet.
Other notable features include stealing game accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser to adult content, apparently just to prank others.
Avast malware researcher Jan Holman says these communities may appeal to kids and teens because hacking is seen as cool and fun.
“Malware creators provide an affordable and easy way to hack someone and show it off to colleagues, and even a way to monetize ransomware, cryptomining, and selling user data,” he says.
“However, these activities are not harmless, they are criminal. They can have significant personal and legal ramifications, especially when children reveal their own identities and those of their families online, or when the purchased malware actually infects the children’s computers, leaving their families vulnerable to letting them use the affected device. Your information, including online accounts and banking information, can be leaked to cyber criminals.”
Spreading Malware via YouTube
According to Avast, after purchasing and assembling their custom malware sample, some customers use YouTube to market and distribute their malware. For example, the company’s researchers have seen customers create a YouTube video that purportedly shows information about a cracked game or game cheat they are linking to. However, the URL leads to their malware instead.
To inspire trust in the video, they ask other people on Discord to like and comment on the video, support it, and say it’s real. In some cases, they even asked others to comment that if their antivirus software detects the file as malicious, it’s a false positive.
“This technique is quite insidious as it uses real people instead of fake accounts and bots to upvote malicious content. Because genuine accounts work together to positively comment on the content, the malicious link appears more trustworthy and as such can deceive more people into downloading it,” says Holman.
By monitoring the online communities, Avast discovered that although group members assisted each other in cybercrime, some of it intended as pranks, information and money were also being stolen, and the conversations quickly became quite turbulent.
A significant amount of fighting, instability, and bullying among cutthroat users has been observed, to the point of appropriating someone else’s codebase and vilifying them.
Avast says it reached out to Discord to let them know about these groups, and Discord confirmed it is taking action to target these types of communities and has banned the servers associated with Avast’s findings.