Trend Micro has released research stating that organizations’ on-premises and cloud-based servers are compromised, abused, and rented out as part of a sophisticated criminal monetization lifecycle.
To understand how the criminal underground operates, one needs to understand not only the criminals, their motivations, and their business models, but also the infrastructure and services that underpin everything they do. All online businesses need stable and reliable infrastructure to thrive, and it’s no different for cybercrime. Online bookshops need to take care of shop inventory, advertising, go-to-market strategies, customer retention, and more; without a stable hosting infrastructure as a base, all other areas of the business are ineffective. The same goes for cybercriminal businesses.
The Underground Hosting series aims to offer a comprehensive look into the infrastructure behind cybercrime today and serve as a guide for those who are interested in it, investigating it, or involved in the daily battle to defend against such activities.
The first part of the series detailed how the underground market for criminal infrastructure operates, and covered the methods and platforms used to buy and sell such services. This research paper, which is the second part of the series, explains the technical details of cybercriminal operations, as well as the main services and methods they use. It reveals the creativity that cybercriminals exhibit when building and organizing their infrastructures. The paper also details some of the common patterns we observed through the years, as well as some interesting “rare” cases we found during this research.
The series concludes with a discussion on the modus operandi of the criminals behind the services, and the methods that some of the long-term criminal providers employed to survive as long as they have.
Each part of the series also includes an appendix of definitions and concepts, serving as a glossary of terms. It is also worth noting that several screenshots used here were machine-translated.