Understanding the Trail of the Malware Ecosystem from the Underground Markets to the Surface
IMDEA Networks is the beneficiary of this project
  • Financed by: Ministry of Science and Innovation, grant TED2021-132900A-I00
  • Duration: December 2022 to November 2024
  • Contact: Guillermo SUAREZ-TANGIL, Principal Investigator for IMDEA Networks

Supported by an underground economy, cyber-dependent crimes have risen sharply in recent years. Knowledge, and more importantly tools, are exchanged in online markets. An example is crypto-mining malware, which has spread from these underground communities to illicitly generate over 57M USD in revenue, as shown later in a case study that is part of an ongoing measurement. This income fuels the underground economy and drives other cyber-criminal activities.

The goal of this project is to better understand cyber-dependent crimes that are enabled by malware from a software development perspective. The purpose is threefold: a) to profile malware developers, b) to understand their business model, and c) to measure the support offered by online markets and forums. A central aspect of the project will be developing technology for malware characterization.

That is, attributing malware to a given campaign, seller or author (collectively, the miscreant). This will be used to measure the trail left by malware developers and hacking groups when trading software through anonymous markets. Malware characterization is a difficult task because it deals with active adversaries in a context where partial code reuse is common. Two separate communities have tackled the problem of malware characterization: the malware analysis community studies malware found in the wild, while the cyber-crime community looks at marketplaces where actors share malware. However, marketplaces are not echo chambers, and the tools produced there permeate into the wild. This project aims to bridge the gap between these two disparate approaches, measuring the commonalities, and then delivering a new approach to understanding this ecosystem through malware characterization that is stronger than the sum of its parts. As a key novelty, we will be looking at the exchange of malware source code together with binaries found in the wild.

COMET will create a malware observatory. The objective is to bridge the gap between the malware analysis community and the cyber-crime community through the following key research objectives:
O1. To develop automatic tools to enable the systematic study of software dependencies and the impact of code-reuse in malware. This will allow us to study software artefact provenance and to track malware reused artefacts across multiple observations.
O2. To design Machine Learning (ML) algorithms to cluster malware campaigns perpetrated by the same actors. This will address the problem of identifying relevant actors.
O3. To measure the prevalence of software trading in both the underground markets and surface forums. This measurement is key to implementing effective disruption strategies.
O4. To study the ecosystem behind the development of malicious and unwanted software, with special emphasis on ground tools and cutting-edge exploits that could be leveraged in cyber-warfare engagements.

COMET has the following sub-objectives: 1) to study the malware ecosystem from a software development perspective, combining source code and binary analysis; 2) to model how malicious software artefacts are manufactured and traded across different underground markets, surface forums, and online repositories; and 3) to use the results of both: a) to understand the factors driving the economic growth of this illicit business, b) to profile the different actors behind the development and distribution process, and c) to measure its impact.