Malware as a Service (MaaS)

In the era of cloud computing, where we see all forms of online services provided for a subscription, it is probably not surprising that we see dark net services providing malware as a service.

While not necessarily something most of us would want to subscribe to, there are dark web sites that provide forms of malware such as:

  • Phishing Campaigns
  • Targeted Malware
  • Bot Nets
  • Ransomware
  • Lists of compromised credentials (e.g. email address, passwords) coming from data breaches
  • Crypto Mining
  • Data Exfiltration
  • Selling Zero Day vulnerabilities
  • etc.

These dark web sites will allow a subscriber to subscribe to the service they want to use to meet some objective, for example:

  • To make money (from Crypo-mining, Ransomware, other forms of extortion)
  • To compromise and possibly bring down a company or government
  • Exfiltrate information, including personal information and industrial secrets
  • Get privileged access to systems.

They will continually update the malware offered to avoid Anti-Virus countermeasures and to take advantage of new zero day vulnerabilities.

Malware Services

This sounds like science fiction, or the subject of some drama that we might watch at the cinema, but it is true and available if you know where to look. A Ransomware called GandCrab was such a service. I say was, because it has recently been announced that it is shutting down due to having netted $2 Billion for its subscribers and $150,000,000 for the service providers.

Image Credit: Steve Gibson, Security Now Podcast Episode 717

This particular service allowed people (i.e. cyber criminals) to mount ransomware campaigns with little investment from themselves except for a share in their profits. Unbelievable!

This is a business! It is not nation state actors, or teenage hackers in their bedrooms, this is being operated as a business for hire – and looks like it has been remarkably profitable.

Zero-Day Exploits Markets

Another service is provided on the surface web by a company called Zerodium. What this organisation does is market zero-day vulnerabilities to whoever wants them. Security researchers will uncover vulnerabilities in popular software (e.g. Windows, Photoshop) and then sell them to this company for a fee. If you look at their Exploit Acquisition programme page, you will find how much an exploit goes for. For example:

  • For a Server Remote Code Execution (RCE) exploit can pay you $1,000,000
  • Microsoft Outlook RCE can pay you £250,000
  • At the other end of the scale a RCE on a router can pay you $10,000.

Similar pay-outs exist for mobile clients and an iPhone Remote Jailbreak with Persistence exploit will pay you $2,000,000.

To achieve these kind of pay-outs you have to have a working exploit and for it not to have been disclosed to the software owners or for it to be patched. This is potentially a way for security researchers to get paid for their work, but most platform providers (e.g. Apple, Microsoft, Oracle) will provide their own bug-bounty schemes to allow researches to be paid. Zerodium also provide a subscription service for their “Zero-Day Research Feed”, so these people are cashing in in all ways.

Zerodium are not necessarily Malware as a Service, but in my opinion they are acting on the borders of what is legal, definitely what is ethical and most certainly not in the interests of the users of the services. A more responsible way to profit from their work, researchers can provide their exploits to the source company and get paid through what they call Bug Bounty programmes. However there are also dark net services that buy and sell exploits and they will be targeting criminal activity.

This is just the tip of the iceberg. In this world where we have to endure all forms of threats, this is one that we can really do without. International Law Enforcement are active in taking down these services. However, as they take down one, another one starts up somewhere else. It’s a never ending battle.


If you are interested in the law enforcement aspects of this, I suggest you follow the following accounts on Twitter and the corresponding websites:

You can also follow us on Twitter where we will post comment on the stories of the day and any articles we find of interest to the UK Cyber Security and Privacy space and keep coming back here for further updates.

There are many more such accounts on Twitter, and there may be more relevant ones in your own country (the above are largely specific to the UK and Europe).

If you are a cyber security researcher, I urge you to disclose any exploits you find responsibly and not to just publish them without warning or sell them to cyber criminals.

This is the inaugural post in a series of blogs I am intending to write on Malware, the different types and how to mitigate their effects. If you have found this blog interesting, please keep coming back for any future updates, follow us on Twitter and/or follow us here (WordPress users only).

Headline Image provided by Luther Bottrill on Unsplash.

Comments are closed.

Create a website or blog at

Up ↑

%d bloggers like this: