Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

Recorded Future’s Insikt GroupⓇ analyzed advertisements and comments within underground forums to determine popular malware and malware categories within underground forums. Sources include the Recorded FutureⓇ Platform, as well as open web, dark web, and underground forum research.

This report will be of greatest interest to organizations seeking to better understand malware dissemination within the criminal underground, as well as those who wish to monitor developing malware-related criminal threats.

Executive Summary

By analyzing over 3.9 million posts from May 2018 to May 2019 across all underground forums indexed by the Recorded Future platform, Insikt Group identified the top malware variants being referenced on underground forums. Insikt Group also attempted to find real-world events that correlated with a higher number of malware references on these forums, as well as differences in tools advertised in forums of different languages, to see if any differences existed.

Insikt Group discovered that a majority of the top 10 mentions of malware in multiple languages included openly available dual-use tools, open-source malware, or cracked malware. Some of these malware families were also over three years old or could be mitigated with basic security precautions. Activity in underground forums that correlated to growth in malware references included: sale of malware in a larger bundle, advertising updates to the malware, advertisements of the malware on a new forum in which the malware was not previously sold, news articles related to malware shared on forums, and community engagement.

Insikt Group also discovered that underground communities in different languages did indeed focus on different malware, malware categories, and attack vectors. English- and Chinese-speaking underground communities, for example, focused more on Android malware than other communities. By separating forum advertisements by language, Insikt Group found that forum members occasionally used online translation services to attract business partners and buyers from different language communities.

Key Judgments

  • The top 10 mentions1 of malware across Recorded Future underground forum collections suggest that underground forum members are discussing and using tools readily available to them more often than paying for or inventing new tools.
  • Based on the prevalence and longevity of the malware, Insikt Group assesses with medium confidence that there likely exist enough victims who do not comply with basic security precautions for forum members to successfully infect.
  • Approximately 50% of all activity concerning ransomware on underground forums are either requests for any generic ransomware or sales posts for generic ransomware from lower-level vendors. We believe this reflects a growing number of low-level actors developing and sharing generic ransomware on underground forums.
  • Insikt Group assesses with medium confidence that, due to the number of underground forum members sharing, deploying, and providing reviews about malware and its functionality, the 10 most popular malware on underground forums hit host computers with higher frequency, but are low to moderate threats compared to other malware due to their age, ineffectiveness without a delivery vehicle or crypter, and existing antivirus detections.


In the last year, Recorded Future has reported on the hacking communities within Russia, ChinaIran, and Brazil. This research draws special attention to what malware is popular within those communities. In order to better understand commodity malware that may be targeting client environments, we used a data-driven approach to answer the following questions:

  • What are the top 10 malware variants being discussed on underground forums?
  • Do underground forums in different languages advertise different tools? What kinds of differences or similarities can we see?
  • What events occur in either real life or underground forums that result in higher malware references? Effectively, what makes certain malware variants grow in popularity?

Methodology, Definitions, and Limitations

From May 1, 2018, to May 1, 2019, Insikt Group researchers pulled all mentions of any malware family or category by month from underground forums spanning the dark web, the open web, and related sources. Insikt Group gathered over 3.9 million posts and checked the posts for mentions of 61 malware categories and 101,124 malware names.

The definition of malware used in this report is “operational pieces of code used to conduct illegal activity.” This expanded the scope of the data set to include vague categories (e.g., botnet, crypter, or webshell), red-teaming tools, or even certain exploits, such as ETERNALBLUE. While these entities are not usually classified as malware, individuals in both underground markets and forums talk about these entities similarly enough to malware to be notable, as shown by the data in the “Threat Analysis” section below.

There were four limitations inherent within the data set:

  1. As Recorded Future continues to expand its analysis to include new sources every month, and as forums change domains (either due to takedowns or as they add additional redundancies), it is likely that we have missed small amounts of data.
  2. A portion of the mentions in the data set were reposts of news articles and security research. However, we believe that those posts are still valuable, as hackers can occasionally get inspiration from other families of malware to create variants or exploit newer attack vectors. Therefore, we left them in the data set.
  3. Individuals posting on forums would post in their non-native language if the forum operated primarily in a certain language, or if the individual wanted to attract buyers from a specific country. Therefore, certain language-based data was inherently skewed.
  4. Certain posts mentioning malware were spam posts that mentioned the names of many different families of malware or tools. This was a tactic used by forum members advertising new marketplaces in order to show up in more search results. When a majority of malware mentions over the year could be attributed to this phenomenon, the entity was struck from the data set.

Threat Analysis

Malware Mentions by Language

After gathering the data, we separated the number of mentions over the 13 months by eight languages, and turned the top 10 mentions of malware by language into bar graphs (for the full set of graphs, see Appendix B).

Overall, we observed that a majority of the top 10 graphs included openly available dual-use tools, such as MinerGate and Imminent Monitor (a cryptominer and a remote-access tool, respectively, created initially for legitimate uses), and open-source malware, such as njRat, AhMyth, and Mirai. This likely demonstrates that underground forum members are eager to discuss and use tools readily available to them rather than pay for or invent new tools. Many of the non open-sourced entities mentioned, like SpyNote, Trillium, NLBrute, and RDPBrute, had been previously cracked, meaning that multiple forum members now distribute unauthorized copies of the malware, usually at cheaper prices than the original seller.

The top 10 graphs also included malware that had been around for over three years, like Gh0st RAT, in addition to malware that is usually detectable with antivirus software or thwarted with good password hygiene. For example, RDPBrute (and its variants) will brute-force usernames and passwords on IPs with open RDP ports to gain initial access on a machine. This tool could be easily thwarted with difficult passwords, or by turning off RDP entirely. However, forum members continue to use this tool (and others) regardless, suggesting that they have been able to successfully infect victim hosts with the above malware.

Additionally, the graphs included tools designed to conduct other illegal activity, such as account stuffing, spamming, or carding. For example, Xrumer is software that allows criminals to spam multiple forums and forum comments with similar posts in an attempt to improve their results on forum search engines, or even regular search engines on the open web.

We discovered several pieces of malware that were discussed broadly within multiple language groups, including:

  1. njRat, a windows RAT created in late 2012, the source code of which is available online on certain forums. This RAT is popular in English, Arabic, Spanish, Russian, Chinese (traditional), and Farsi posts.
  2. SpyNote, an openly available Android-based RAT containing keylogging and GPS functionality. This application was found on malware forums starting in 2016. This RAT is popular in English, Chinese (simplified), Chinese (traditional), Spanish, Japanese, and Arabic posts.
  3. GandCrab, a ransomware made famous by its namesake author, discovered in early January 2018. GandCrab’s primary vendors retired in June 2019, and the FBI released the master decryption keys for versions 4, 5, 5.04, 5.1 and 5.2 in July 2019. This ransomware is popular in Russian, Chinese (simplified), Spanish, Farsi, and Arabic posts.
  4. DroidJack, an Android RAT created in 2014 with an official website that sells lifetime licenses for $210, but with cracked versions for far cheaper on underground forums. This RAT is popular in Chinese (simplified), Chinese (traditional), English, and Arabic posts.

Analysis of Malware Popularity by Language

While many of the malware presented in our analysis had similar characteristics, each bar graph contained remarkably different content, showing that underground forums of different languages focus on different families of malware. Mentions of Nanocore, a cheap and easy-to-use remote-access trojan, were discussed more frequently on Farsi and Japanese forums. Xrumer had a high number of references on Russian forums and far fewer references on English forums, but was found in no other languages. The top malware entity mentioned in English-speaking forums was Trillium Security Multisploit Tool, which has only shown up a handful of times in forums containing other languages.

Additionally, the data shows that underground forums of different languages focus on different targets and attack vectors. For example, Chinese- and English-speaking underground forums focus more on targeting Android devices than their Russian counterparts. The top 10 malware within the Chinese-speaking underground included three Android trojans: SpyNote, AhMyth, and DroidJack. The English-speaking underground included two of those three: SpyNote and DroidJack. This is in stark contrast to the Russian-language group, whose top 10 contains no mobile malware whatsoever.