
Malware-as-a-service (MaaS): Definition, rising threat, and protection strategies


Malware-as-a-service (MaaS): A growing cybersecurity threat

Malware-as-a-service (MaaS) is becoming a go-to solution for cybercriminals, resulting in the growing popularity of such products. In the second half of 2024, MaaS attacks were responsible for as much as 57% of cyber threats to organizations, with most attackers relying on malware they didn't create and don’t own but rather bought from more experienced parties.[1] The dark market for malware sold for a subscription fee is thriving, so it's important to understand how to protect your company. Discover more about MaaS in cybersecurity and learn effective strategies to keep your organization safe.

What is malware-as-a-service?

Malware-as-a-service (MaaS) is a cybercrime business model that offers malware and related services for purchase or subscription. MaaS providers often sell bundles with user-friendly dashboards, customer support, and automation tools, making it easier for inexperienced criminals to carry out cyberattacks.

MaaS falls under the broader umbrella of cybercrime-as-a-service (CaaS), which includes a wide range of illicit offerings such as phishing kits, hacking tools, and stolen credentials. In the case of MaaS, cybercriminals can rent or purchase the infrastructure and malware they need to execute attacks without developing the malware themselves or owning any sophisticated resources.

In the past, most hackers created and owned their malware. To this day, the most famous viruses and malicious applications are linked to their creators, who were not only developers but also distributors and profiteers.

However, the market has evolved, and not all cybercriminals are experienced hackers. Some simply rely on off-the-shelf malware services, often found on underground forums or encrypted messaging platforms, where various malicious agents gather and connect. This shift makes MaaS a relatively young "business" model in terms of cybersecurity history.

How do MaaS platforms work?

Malware-as-a-service platforms operate as cybercrime marketplaces where malicious software is sold. These platforms are highly organized, with developers creating the software, administrators managing transactions, and agents providing support. Cybercriminals have plenty of options available: they can purchase software (a one-time payment), enable a monthly subscription (and all the perks that come with it), or pay a percentage of what they make from the attacks (profit sharing).

In the cybersecurity world, MaaS product buyers are referred to as affiliates. This term originates from affiliate programs and is used by MaaS operators to describe their services. Affiliates and operators usually use encrypted messaging apps to connect and finalize transactions, ensuring they're both as anonymous as possible.

MaaS platforms are often similar to legitimate software-as-a-service (SaaS) platforms, hence the resemblance in their names. The difference is that SaaS providers offer legitimate software with no ill intent, while MaaS providers and buyers intend to use the products against their victims.

Who uses MaaS and why?

Malware-as-a-service is used by a wide range of cybercriminals, from amateurs to organized crime groups. The main users include:

  • Amateur hackers. Inexperienced hackers are often drawn to MaaS because they lack coding skills or programming knowledge but still want to profit from malicious attacks. This option presents a low risk, making it a quick way for amateurs to make money. Typically, their most common targets are small businesses and individuals with poor security habits.
  • Organized crime groups. Organized crime groups operate more like businesses than individuals. By using MaaS, they can delegate many of their operations and focus on more profitable areas, such as launching ransomware attacks on government institutions, extracting sensitive data to sell on the dark web, or laundering money.
  • Nation-state actors. Although these operations are often publicly condemned, many governments hire hackers for espionage and intelligence gathering. MaaS allows them to gain a political advantage over other countries without leaving a trace — since the malware is purchased rather than developed in-house — and it provides them with a way to conduct cyber operations without the need for extensive resources or development.

MaaS offers attackers a unique opportunity — it allows them to use off-the-shelf software for a subscription fee or a percentage of the profits gained from an attack, usually paid in cryptocurrencies to increase anonymity.

Developing any kind of functional software, including malware, is complicated and requires skill and knowledge. Modern cybercriminals don't have to do that anymore, reducing both effort and exposure.

There are, however, a few risks associated with using MaaS. The dark web is full of cybercriminals, scammers, and people with no good intentions. Inexperienced attackers can fall victim to fraud and lose money.

Types of malware sold via MaaS

Malware-as-a-service can take many forms, as the term "malware" is quite broad and refers to several types of malicious software. Some of the most commonly distributed MaaS products are:

  • Ransomware. Ransomware is a type of malware that encrypts data and prevents the victim from accessing it. Hackers use it to demand ransoms because many users would rather pay for decryption than lose sensitive information or have it released to the public. Ransomware distributed as MaaS is often referred to as Ransomware-as-a-Service.
  • Infostealers. These applications are created to steal private information, such as login credentials and credit card numbers. Infostealers send the stolen information to attackers, who can later sell or trade it on underground forums and marketplaces or use it for identity theft.
  • Spyware. Spyware monitors user activity, capturing data such as keystrokes, screenshots, and even images or video from the camera. The information obtained by spyware helps hackers gain information about their victims and use it to launch other cyberattacks.
  • Backdoors and botnets. Backdoors are covert mechanisms that allow unauthorized remote access to a system. They can take the form of a hidden part of a program, a standalone program, or code at the hardware or firmware level. Attackers often use backdoors to compromise devices and incorporate them into large networks of infected devices known as botnets. This tactic allows attackers to launch simultaneous attacks from multiple devices, making it more challenging to detect the threat source.

How to protect your business against MaaS attacks

Protecting your business against MaaS attacks requires a well-defined strategy. Companies must ensure that not only the technical part of the problem is taken care of but also the human factor, which, more often than not, causes security leaks and makes attacks simpler.

Some of the best practices for vulnerability management include:

  • Investing in threat intelligence. Threat intelligence refers to the collection, analysis, and use of information about cybercrimes and hackers. Think of a spy working for a government agency, informing it in advance of potential threats, but in the cybersecurity world. There are several threat intelligence types, each of which is helpful in quickly detecting and mitigating vulnerabilities.
  • Relying on threat detection tools. Threat detection tools are designed to help spot any potentially malicious anomalies as quickly as possible. Manually monitoring massive amounts of traffic is humanly impossible, especially in a large company, so the best solution is to use automated software.
  • Monitoring the dark web. Dark web monitoring services scan the dark web in real time, searching for any company-related keywords and information that may have leaked after an attack you didn't even know about.
  • Focusing on staff training. Employees can become a company's weakest security link. A lack of cybersecurity awareness can make them vulnerable to phishing attacks and other cyber threats. Training and regular practice drills can improve a company's cybersecurity, as no software can protect employees from themselves.

As with any malware and cyber threats, the best defense against MaaS is prevention. Losing data to hackers always means huge reputational and financial damage, some from business interruption and some from damage control and legal fees. Managing your threat exposure is critical to minimize the time it takes to detect and mitigate MaaS-related threats.

NordStellar provides a range of features designed to help identify, monitor, and prevent potentially malicious events so your clients and partners can trust you to keep their data safe.

References

[1] High, M. How Cybercrime-as-a-Service is a Growing Enterprise Threat. Cyber Magazine. Retrieved from: https://cybermagazine.com/articles/how-cybercrime-as-a-service-is-a-growing-enterprise-threat


