- A rising service selling web shell access is offering unprecedented levels of quality and comfort.
- Called “MagBo”, the platform details its listings and even offers a backdoor access UI tool.
- About 200 purchases of access happen on the platform each day, while up to 400 new compromises are added over the same time.
An impressive AaaS (access as a service) platform called “MagBo” has appeared in recent researcher reports, currently selling access to no fewer than 43,000 unique compromised servers. MagBo is an automated market where crooks can browse offerings and buy access to servers that have been previously compromised by someone who planted a web shell. Everything is done with a simple click, and there’s no human interaction or intervention in the process whatsoever. In the past two years, MagBo has had 150,000 “clicks” of this kind, so we’re talking about a highly successful service.
The platform stands out against the remote access competition thanks to the diversity of its listings and the details that accompany the offerings. Other platforms merely sell web shells through forum posts and provide only the type of business you will access. MagBo, on the other hand, offers more: it details things like the hostname, the permissions that can be leveraged, the ability to distribute phishing emails from the compromised server, the ability to sniff network traffic to steal payment or credit card details, and more.
Moreover, MagBo doesn’t limit its offering to login credentials; it also supplies a fully-fledged backend access tool that enables buyers to launch their attack. Called the MagBo Backdoor (MBD), this tool can perform actions on the compromised server right from an easy-to-use and comfortable UI. The sellers have loaded the necessary module files by scanning the server and figuring out what software versions it’s running, thus minimizing errors and warnings that could lead to the generation of telling logs. Therefore, MBD makes the loading of malware, the execution of arbitrary code, and a broad spectrum of other malicious actions a walk in the park.
KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type. For example, ZDNet found government websites on the platform, but there are also servers used by insurance and financial institutions. The cost of accessing these may be up to $10,000, and less valuable listings could be offered for a few dollars. In conclusion, MagBo is getting more popular fast, and without a doubt, it’s drawing the attention of law enforcement agencies, attention that may soon result in a crackdown.