Service offers for rental over 70,000 hacked servers

Jun 15, 2016 13:10 GMT  ·  By

Crooks are using the xDedic underground marketplace to sell or rent hacked servers belonging to various companies.

The marketplace, which launched two years ago and is hosted in an Eastern European country, currently lists over 70,000 servers from all over the world and covering a variety of setups and technologies.

Kaspersky, the security firm that discovered xDedic, says the marketplace's owners don't sell anything but only provide a platform where criminals can advertise their hacked servers, similar to the eBay business model.

xDedic team provides their own RDP client to connect to hacked servers

All servers advertised on xDedic are vetted before being published on the market, and constantly updated. xDedic's owners use automatic scanning tools to verify if the hacked servers are accessible as the seller is claiming. These tools also return server hardware details, open ports, and a list of installed software pieces.

Sellers rarely install their own software on hacked servers and usually leave the original apps in place. The only thing they sometimes install is server patches to allow for multiple RDP sessions.

The xDedic team even created their own Windows RDP client, which connects to the service's database, gets a user's purchase history, and auto-fills connection info for any of the hacked servers bought by the customer.

Servers running e-commerce and PoS software are in high demand

The average server rental price is $6. This low price allows criminals to acquire a vast infrastructure that they can use to host and launch other cyber-attacks.

Servers with e-commerce or PoS software installed are the hottest items, allowing criminals to rent the server, access it, and deploy credit card stealers or PoS malware.

Most of these servers were compromised via brute-force attacks after their owners left ports for sensitive services, such as RDP, exposed to the Internet.

SCCLIENT malware is behind many hacked servers

After investigating the service and some of the hacked servers, Kaspersky experts claim that hackers compromised a large number of these servers using the SCCLIENT malware.

The company adds that xDedic sellers Narko, xLeon, or sirr may be behind the SCCLIENT malware. These sellers are ranked third, fourth, and fifth in xDedic's top sellers for May 2016.

Kaspersky says it managed to sinkhole five of the eight C&C servers used by the SCCLIENT malware and discovered over 3,600 infected hosts in the first twelve hours alone.

The security firm also details that it teamed up with a European ISP in order to collect data about the xDedic service, which they have now forwarded to the appropriate law enforcement authorities.

UPDATE: xDedic is now offline. At the time of publishing, the market was online and functional.

Image: xDedic's login page

Image: A random xDedic listing