Avast has discovered an online community of minors building, exchanging and spreading malware, including ransomware along with a mix of information stealers and crypto miners.
Popular communication platform Discord has been used to advertise easy-to-use malware builders and toolkits enabling users to DIY their own ransomware, information stealers, and crypto miners.
Young participants aged between 11 and 18 years old are lured in, because "they see hacking as cool and fun", according to Avast malware researcher Jan Holman.
"The malware builders provide an easy entry – they require no actual programming, just customisation of functions and appearance – into this activity and allow kids to prank people and make money," Holman said.
There are a number of different malware builders and toolkits in circulation that enable lay people to construct malware easily. In some cases, access to the malware builder tool requires a fee to join the group; in other cases, group membership is granted after a nominal fee of AU$7-$37 has been paid for the tool.
There are many hacking forums on Discord, but Avast researchers have discovered one that is composed mainly of teenagers.
"These communities may be attractive to children and teens as hacking is seen as cool and fun, malware builders provide an affordable and easy way to hack someone and brag about it to peers, and even a way to make money through ransomware, crypto mining and the sale of user data," Holman further explained.
"However, these activities by far aren't harmless, they are criminal.
"They can have significant personal and legal consequences, especially if children expose their own and their families' identities online or if the purchased malware actually infects the kids' computer, leaving their families vulnerable by letting them use the affected device.
"Their data, including online accounts and bank details, can be leaked to cyber criminals," Holman warned.
Following the current trend of malware-as-a-service, the community uses dedicated Discord servers as a discussion board and marketplace to spread malware families such as "Lunar", "Snatch", or "Rift".
Avast researchers also uncovered discussion board content in which age-related insults are "being thrown around" on a nearly daily basis. Kids also revealed their ages, discussed the idea of hacking teachers and their school systems, and mentioned their parents in conversations.
In a Discord group focused on selling "Lunar", Avast researchers found there were over 1,500 users, out of which about 60-100 had a "client" role, meaning they paid for the builder. The prices of the malware builder tools differ depending on the type of tool and duration of access to the tool.
The types of malware exchanged among teens target both minors and adults and have options that include password and private information stealing, crypto mining, and even ransomware.
According to Avast researchers, an example could involve a client buying a builder tool and choosing to use it for data theft; the generated sample will send any stolen data to that particular client who generated and distributed it. In another scenario, a client could use a tool to generate a ransomware sample, and the victim will be asked to send money to that particular client's crypto wallet. Other prominent features include stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser containing adult content, apparently simply for the sake of pranking others.
YouTube leveraged as a malware distributor
Avast researchers have seen clients create a YouTube video supposedly showing information about a cracked game, or game cheat, which they link to. However, the URL really leads to their malware instead. To create trust for their video, they ask other people on Discord to like and leave comments under the video, endorsing it and saying it is genuine. In some cases, they even asked other people to comment that if their antivirus software detects the file as malicious, it's a false positive.
This technique is quite insidious, according to Holman, because instead of fake accounts and bots, real people are used to upvote harmful content.
"As genuine accounts are working together to positively comment on the content, the malicious link seems more trustworthy, and as such can trick more people into downloading it."
By monitoring the online communities, Avast discovered that although group members support each other in cyber crime partly for pranking, the practices are also used for actual theft of information and money.
Avast researchers observed a considerable amount of fighting, instability, and bullying among users in conversation threads that quickly became turbulent, with "cutthroat" competition that goes to the point of appropriating someone else's codebase and slandering them.
Malware builders are tools that allow users to generate malicious files without having to program anything. Typically, users only need to select the functionalities and customise details such as the icon. There are several builder-based malware families that have similar user interfaces with slightly different layouts, colour palettes, names, and logos.
These are usually short-lived projects based on source code from GitHub or some other builder, rebranded with a new logo and name, sometimes slightly tweaked or modified with new functionalities, Avast researchers revealed.
Protecting kids from malicious online activity
It's very important to teach children to be critical of attractive offers, such as new game features unavailable in the official stores or pre-release versions of popular games.
Avast researchers added that parents also need to educate children on the importance of password security and tell them never to share their passwords with others, even if they claim to be their friends or a game master offering help.
For the younger kids, it is crucial not to reveal any personal information when playing on multiplayer platforms, such as Discord or the game Minecraft.
Children still need ethical guidance about what is right or wrong, Avast researchers added, which also applies in the digital space. What may seem fun can bring serious harm to others and be an actual criminal offence. Minors may assume they are safe as they aren't legally liable yet; however, their parents can be held liable.
It's important for parents to talk to their children about this, Avast researchers concluded.
Avast has created detections protecting users from the samples spreading on the servers and reached out to Discord to inform them about these groups.
Discord confirmed it takes action to address these types of communities and has banned the servers associated with Avast's findings.