Hackers in Arab world collaborate more than hoodie-clad Westerners

Ideological unity drives 'spirit of sharing' in crimeware market

Cybercriminals in the Arab states are some of the most cooperative in the world, according to Trend Micro this week.

The infosec biz's latest study, Digital Souks: A glimpse into the Middle Eastern and North African underground, identifies the most popular kinds of hacking tools and commodities, and the most active countries in the region.

Hacktivism, DDoS attacks and website defacements are a staple in the Middle East. These tactics are often carried out by actors who harbour ideological mistrust towards the West as well as local governments. Major primary product categories are malware (27 per cent), fake documents (27 per cent), stolen data (20 per cent), crimeware (13 per cent), weapons (10 per cent), and narcotics (3 per cent).

Items sold on the underground in the region are entirely different to other parts of the world, where drug sales dominate the scene.

Crimeware sold includes a variety of cryptors, malware and hacking tools. Typical prices include worms at $1-$12, keyloggers for free up to $19, known ransomware for $30-$50, malware builders for free up to $500, citadel (FUD) for $150, ninja RAT (FUD) for $100, and Havij 1.8 (cracked) for free.

Similar to the Russian-speaking underground, cashout services also abound. These are platforms from which physical items, usually stolen, are converted into cash. These services are paid in bankcards, Bitcoin (BTC) or via direct cash transactions.

In the Middle East underground, DDoS services can be purchased by hacktivists and threat actors to further their ideology. The average is $45 per hour, with three-hour packages at $275, and involves the deployment of tools such as Low Orbit Ion Cannon (LOIC) or Lizard Stresser.

Malware-as-a-Service (MaaS) typically includes a purveyor, a malware developer selling a single binary or a combination of a binary and builder marketed as fully undetectable (FUD). Average prices are $20 for a binary, and $30–$110 for a binary with C&C infrastructure. A binary-builder package costs around $150–$400.


Stolen identities are sold in forums across the region. The Arabic forum hack-int in Egypt sells stolen identities for $18. The demand for personally identifiable documents is influenced by geopolitical tensions – their buyers might want to flee active war zones, for instance. Cybercriminals can also purchase fake documents to perpetrate fraud or worse.

Virtual private networks (VPNs) are a mainstay of cybercriminal activity and are purchased due to the anonymity they provide. VPNs offered here are purportedly secure, don't store logs, and have multiple hop points. Cybercriminals typically use these servers as either part of a botnet, or as a jumping-off platform for further attacks.

Hosting providers make significant profit by selling regionalised hosting spaces, which allows for local language and time settings in addition to faster connection speeds. A single IP connection and 50GB of hard disk space, for instance, are sold for $50. Smaller plans exist, and start as low as $3.

Hackers commonly share malware and insights with each other for free and for the common good, making it a fertile ground for the creation of collaborative groups. By contrast hackers in Western Europe and North America are more likely to work independently.

When malware and hacking tools are sold rather than shared, prices in the region are high. For example, a keylogger in the North American underground costs between $1-$4 but the same item in a cybercrime souk in the Middle East would cost up to $19. The willingness for members to share content for a mutual cause helps balance out the price differences.

In other marketplaces, like North America or Russia, purveyors mostly focus on selling their wares to forum participants and seldom band together to plan cyber attacks. Hacking as a service is unique to the Middle East and North African underground due to the ideology that drives its trade, Trend Micro said.

Trend Micro has seen that regional marketplaces closely reflect the societies in which they operate. Brotherhood and religious alliance transcend the illicit transactions that occur through digital marketplaces in the region, spawning a "spirit of sharing" mindset.

"The prevalence of giving services and malware away for free is interesting," said Ihab Moawad, Trend Micro's VP for Mediterranean, Middle East & Africa. "Other underground marketplaces provide support to members, but the extent and willingness in this region is unique.

"The region is not at par in terms of scale and scope when compared to other regions, but the products and services available remain common and sophisticated."

For the purposes of its research, Trend Micro defined the MENA underground as marketplaces, websites, and forums hosted within the regions. Arabic is the prevalent language, although some sites are in Turkish, Farsi, English, and occasionally French. While criminals sell commodities to and from the Middle East and North Africa, they are also operating globally. ®

Biting the hand that feeds IT © 1998–2020