Malware Finances and Operations: a Data-Driven Study of the Value Chain for Infections and Compromised Access
Juha Nurmi, Mikko Niemelä, Billy Bob Brumley

TL;DR
This study analyzes the criminal ecosystem of infostealer malware, providing datasets on infections and trade, revealing pricing structures, and identifying effective countermeasures within the illicit value chain.
Contribution
It offers new datasets on malware infections and trade, and analyzes the value chain to inform better countermeasures against cybercriminal activities.
Findings
Most malware prices are between 1-20 US dollars.
Genesis Market provides access to victim accounts via a specialized browser.
The median prices for compromised accounts are around 5-7 US dollars.
Abstract
We investigate the criminal market dynamics of infostealer malware and publish three evidence datasets on malware infections and trade. We justify the value chain between illicit enterprises using the datasets, compare the prices and added value, and use the value chain to identify the most effective countermeasures. We begin by examining infostealer malware victim logs shared by actors on hacking forums, and extract victim information and mask sensitive data to protect privacy. We find access to these same victims for sale at Genesis Market. This technically sophisticated marketplace provides its own browser to access victims' online accounts. We collect a second dataset and discover that 91% of prices fall between 1–20 US dollars, with a median of 5 US dollars. Database Market sells access to compromised online accounts. We produce yet another dataset, finding 91% of prices fall…
