Malware-as-a-Service (MaaS) is a business model under which cybercriminals provide access to malicious software and related infrastructure for a fee.
MaaS is a malicious variation of the Software-as-a-Service (SaaS) model, and also forms part of the Cybercrime-as-a-Service (CaaS) model. The marketplace for MaaS (and CaaS in general) is typically the dark web.
MaaS participants
Cybercriminals who provide malware under the MaaS model are called MaaS operators. They are usually organized groups with clearly defined internal roles, such as malware developers, system administrators, managers, and technical support.
The actual service provided by MaaS operators is often called an affiliate program, and a client who uses it is called an affiliate.
MaaS payment options
There are several payment options under the MaaS model:
- A one-off purchase of malware;
- A subscription for a set period, such as a month or a year;
- A fee as a percentage of profit; for example, in the case of Ransomware-as-a-Service (RaaS) — a share of the ransom.
What malware is distributed under the MaaS model
Most often, MaaS operators distribute the following types of malware:
- Ransomware — malware that blocks access to user data and demands a ransom to restore it. Usually the MaaS model is used to distribute cryptomalware, which encrypts data on the user’s device and demands payment for decryption.
- Infostealers, or stealers for short — malware that collects data on the user’s system and sends it to the attackers.
- Loaders — malware that downloads other malware and unwanted software onto the victim’s system.
- Backdoors — malware that gives attackers remote access to the victim’s system.
MaaS operators can also lease out botnets — networks of devices infected with malware. Botnets are primarily used to spread the malware and unwanted software that affiliates use, including by sending spam or by downloading third-party software to infected devices in the botnet. DDoS botnets are not related to MaaS: the DDoS-as-a-Service model describes the provision of services to affiliates to carry out DDoS attacks, not the provision of malware.
MaaS and the rise of cybercrime
The MaaS model lowers the entry threshold into the world of cybercrime: operators provide affiliates with off-the-shelf malware, infrastructure and support, so that even those without coding or other technical skills can carry out attacks. This leads to an increase in cybercrime, and complicates attribution since the same malware can be used in dozens of different campaigns.