The Hacker Infrastructure and Underground Hosting: An Overview of the Cybercriminal Market
Underground Hosting Series
This paper is the first of a three-part series that aims to cover the broad topic of underground infrastructures. It has been over five years since we published an article on underground hosting, and the situation regarding its infrastructure has changed significantly, as did the tools used by threat actors. We have noticed that a certain type of threat actor is now extensively using cloud services in their attack toolchain, along with widely abused “free” services such as free DNS domains, free content hosting abuse, and social networks.
The use and abuse of compromised assets have also become more significant. Acquisition, analysis, and resale of compromised assets formed a whole new market in the underground. Compromised asset analysis, wherein criminal experts examine the compromised assets and identify the best possible ways to monetize the system, is now an essential part of the attack chain.