Unmasking xDedic’s Black Market for Servers and PCs

Black market machine trading has gone beyond the sale of servers and now includes PCs located on corporate networks or that contain sensitive data.

LAS VEGAS — Black market machine trading of PC and server resources is maturing at alarming speeds. Underground networks such as xDedic have fine-tuned their compute platform to the point where they are almost indistinguishable to legitimate networks such as Amazon Web Services and Rackspace.

Those observations come from Israel Barak, head of incident response at Cybereason who will be explaiing his research at Black Hat USA 2016 on Wednesday when he will discuss buyers and sellers are connecting on markets such as xDedic and growing new cyber criminal market opportunities.

XDedic is one of many platforms for the sale of compromised RDP servers that Cybereason now says has branched out and is selling access to compromised PCs.

“Unsophisticated click-fraud hackers that have made their living infecting PCs with malware are waking up to realize that all those PCs they have infected can be sold as resources,” Barak said.

Cybereason said far more sophisticated cybercriminals are luring these less sophisticated malware peddlers with attractive new ways of turning infected PCs into to profits. The right infected PC inside the right company with desirable point-of-sale software running on it, for example, can fetch as much as $1,000 per computer. A less desirable consumer PC still might go for $10 a pop.

Selling access to compromised servers isn’t new, but selling access to PCs is, Barak said. “Multiple cybercrime organizations have diversified their business by selling compromised machines or compromised corporate assets on black market platforms,” he said. Cyber criminals aren’t attracted by a PC’s processing power. Rather, crooks are after access to a specific company where the PC resides. They view the PC as a springboard to go deeper into a corporate network or to just simply spend a week collecting credit card transaction data.

At any given time on the xDedic platform, he said, criminals can pay an enrollment fee of $50 and start using the platform’s search engine to find a desirable PC that meets their criminal needs. Looking for a PC within a specific Fortune 500 company? No problem, according to Cybereason. Criminals can search for PCs by software, industry niche, bandwidth and processing capabilities as well searching for desirable geographies.

The security firm estimates that there are more than 100,000 PCs now available for sale individually or via bulk sales. It reports there are nearly a dozen such platforms, such as xDedic, that cumulatively are earning between $150,000 and $250,000 a day. It estimates that 30 percent of compromised PCs for sale on the black market are located within the U.S.

The marketplaces have evolved to have their own escrow services, similar to Ebay. They have their own sets of tools for optimizing compromised machines so they are more attractive to buyers. Part of that includes a host of custom tools for optimizing remote access and going undetected. “The key is to ensure reliable and stealthy remote access to make sure the asset can be easily transferred to the buyer,” Barak said.

PCs have been scoffed at by cyber criminals as limited low-powered tools only good for conducting DDoS attacks or distributing spam, Barak said. But as the platform operators have become experts in the ability to identify where PC assets reside, what software is running on them and if they are located within desirable industries, attitudes have changed.

“Crooks selling time on hijacked PCs for DDoS attacks and Bitcoin mining used to sell batches of a 1,000 PCs for $200 a day. By linking up with a platform such as xDedic they can sell each machine for $10 to $1,000,” Barak said.

Platform operators who are acting like middlemen between buyers and sellers, Barak said, are fueling the economy and the number of new PCs coming online every day. “People think of adware and click-fraud as a stupid type of threat,” Barak said. But what security experts need to consider is, most of the malware today can provide complete remote access. That’s all a more sophisticated RDP platform administrator needs to turn a simple malware infection into a potentially lucrative sale of a PC resource.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.