The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we describe the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief continues those efforts.
Gathering knowledge about the Chinese underground economy is not especially difficult, but it does pose some challenges. The sites and markets that make up this economy are not openly advertised; they are hidden in forums and QQ chat groups. While most underground economies are organized around underground forums, the heavy use of QQ chat groups is unique to China. These groups use their own jargon to name and describe themselves, so that outsiders are unlikely to stumble across them, but cybercriminals familiar with the jargon can easily find what they want.
In some ways, the Chinese underground resembles a legitimate economy: it offers a wide variety of products and services at a range of price points. The products and services on offer include:
- Distributed Denial of Service (DDoS) kits and servers
- Remote Access Tools (RATs)
- Detection evasion services
- Compromised webhosts
- Phishing kits
- Stolen user information
In all of these categories, a robust ecosystem exists, and a buyer can find the product they want at a price to match their budget.
For example, for denial of service attacks, cybercriminals can rent dedicated servers to mount larger-scale attacks. A modest Atom-based server costs 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1 Gbit/s connection costs 2100 RMB (US$345) a month.
The range of prices is most evident in the sale of webshells, scripts planted on a compromised site that allow an attacker to keep control of it after the initial break-in. Access is priced by the compromised site's search-engine page rank, since higher-ranked sites are more valuable for black-hat SEO and for distributing malicious content: a bundle of 270 sites with low page rankings on Baidu and Google costs around 220-300 RMB (US$36-49), while sites with higher page ranks can go for as much as 999 RMB (US$164).
We hope that this paper will help readers understand the Chinese underground, the kinds of threats that users are likely to face from these threat actors, and the defenses they should prepare accordingly.