Avast has discovered that teens are being recruited to a malware-as-a-service operation. The group behind the scam is providing very low-cost access to malware builders and tool kits. Attracting teens is the same approach that drug gangs have used for county lines operations. The idea is that they are cheap labour and if caught, the penalties for them are limited.
Avast Malware Researcher Jan Holman said, “These communities may be attractive to children and teens as hacking is seen as cool and fun, malware builders provide an affordable and easy way to hack someone and brag about it to peers, and even a way to make money through ransomware, cryptomining and the sale of user data.
“However, these activities by far aren’t harmless, they are criminal. They can have significant personal and legal consequences, especially if children expose their own and their families’ identities online or if the purchased malware actually infects the kids’ computer, leaving their families vulnerable by letting them use the affected device. Their data, including online accounts and bank details, can be leaked to cybercriminals.”
At the heart of this is the group behind the Lunar malware builders. The group is so named because the ransomware it provides encrypts files and gives them the extension “.LUNAR”. But this is about more than just ransomware. The group also has information-stealing malware and crypto miners.
How does it work?
The organisers advertise their “easy-to-use” malware builders and tool kits for sale at a low price. Those who buy the builders and tools are immediately given access to groups on the popular Discord messaging platform. Those who haven’t bought the tools can still gain access if they pay a nominal fee. Avast says that this is anywhere between €5 and €25.
Avast gained access to the Lunar Discord group and did some investigating. It found that there were over 1.5k members of the group. Most had bought access to the group but around 4-6% were listed as clients. These were people who had purchased the tools. They created plugins and tools that were traded through the group.
The age range of the group was also surprising, running from 11 to 16. They regularly discussed hacking teachers and school systems. However, just as surprising is the statement from Avast that “a lot of the malware’s functionality, and definitely most of the plugins submitted by other members of the community, are aimed at annoying victims rather than causing actual harm.”
That annoyance is also reflected in the areas where Avast saw activity. It says “they focused on features like stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser with Pornhub.”
The malware is often spread as game cracks or as modified binaries in other code. They also use YouTube to spread the malware using “bait” videos. Interestingly, community members work with each other to “promote” the videos across social media. The more responses, the wider the YouTube algorithms spread the content.
A more serious issue
Based on those findings it might be tempting to dismiss this as teenagers acting out. There is, however, a serious side to this. Avast observed some teens talking about their parents. This opens up new ways to cause problems.
They might look to embarrass a parent by opening windows to porn while the parent is on a company call. Equally, they might find themselves under pressure to do something more serious. That could include copying malware onto a parent’s device.
Should the organisers of Lunar be so minded, they could use these teenagers to cause more serious damage. So far, however, Avast has spotted no signs of that.
Enterprise Times: What does this mean?
There are interesting parallels between the use of teenagers here and in other criminal activities. While many might grow out of this, if they make enough money on a malware-driven side hustle, they might look to go further. For some, that could mean a career as a developer in a cybercriminal gang.
For others, however, there is a darker side. While communities like this come and go there will be cybercrime groups watching. They will spot talent and look to nurture it. In effect, there is a risk of grooming people into criminality.
Discord responded to this work by Avast with advice for parents: tailor their child’s settings to prevent messages from strangers. That’s a start but as most parents realise, their children, especially teenagers, have more technical skills than they do. That does not absolve parents of their responsibilities. However, it does mean that they need to do more. Nobody wants that knock on the door from law enforcement looking for their child.