Avast uncovers ‘thieves’ kitchen’ of malware-writing teens

Researchers at Czech cyber firm Avast have discovered an online community of children using dedicated Discord servers to build, exchange and spread malware, including ransomware, infostealers and cryptominers.

Various groups lure in individuals aged 11 to 18 by advertising access to different malware builders and toolkits that can be used to code malware without much technical expertise. Others specialise in the theft of gaming accounts, deleting Fortnite or Minecraft folders, or even online “pranks” such as causing a web browser window containing pornography to open repeatedly on the victim’s system.

In some cases, said Avast, the groups operate a pay-to-play system in which individuals have to buy access to malware builder tools, while in others, individuals can become group members but are then offered the tools for a nominal fee of between €5 and €25. Prices seem to differ based on the type of tool, duration of access, and so on.

The groups, which can have more than 1,000 members, tend to focus on malware-as-a-service type offerings, such as Lunar, Snatch and Rift, and Avast said that on observing their message boards, it was extremely obvious that group admins are preying on young people – participants often discuss their ages, and the idea of hacking their schools or parents is a topic that exercises many. Often, conversations turned nasty, with many observed instances of fighting, instability and bullying.

“These communities may be attractive to children and teens as hacking is seen as cool and fun, malware builders provide an affordable and easy way to hack someone and brag about it to peers, and even a way to make money through ransomware, cryptomining and the sale of user data,” said Avast malware researcher Jan Holman.

“However, these activities by far aren’t harmless – they are criminal. They can have significant personal and legal consequences, especially if children expose their own and their families’ identities online or if the purchased malware actually infects the kids’ computer, leaving their families vulnerable by letting them use the affected device. Their data, including online accounts and bank details, can be leaked to cyber criminals.”

Another notable feature of many of these groups that Avast observed is the use of YouTube to market and distribute malware. In many cases, the firm’s researchers found community members creating YouTube videos that supposedly show information about a cracked game or cheat codes, which are linked to, but in fact lead to the malware.

To create trust and game YouTube’s algorithms and moderation policies, users will ask fellow community members to like and leave comments under the video, endorsing it and giving it the appearance of legitimacy.

“This technique is quite insidious, because instead of fake accounts and bots, real people are used to upvote harmful content,” said Holman. “As genuine accounts are working together to positively comment on the content, the malicious link seems more trustworthy, and as such can trick more people into downloading it.”

Avast said it had reached out to Discord, which has since banned the servers associated with the company’s research, and has also created detections for the malware samples it found being spread.

However, said the Avast team, some responsibility must still rest with parents to teach children to behave safely online.

In particular, it is important to be sceptical of attractive offers such as game features or pre-releases, which are often used as lures, and to learn the importance of not revealing any passwords or personal information if active on multiplayer platforms, such as Minecraft.

“What may seem venturesome and fun can bring serious harm to others and be an actual criminal offence,” said Avast’s team “Young children may think they are safe as they aren’t legally liable yet, however, their parents are. It is important for parents to talk to their children about this.”