Malware: A month in review - March 2018

Cryptocurrency has been one of the biggest themes of 2018, and with it has come a string of malware targeted at users, traders, exchanges, and everything in between. Over the course of March, there were several different cryptomining campaigns detected, all with different modus operandi.

A large-scale cryptomining operation, which has infected more than 30,000 devices with the MsraMiner malware, was reported mid-month and appears to have been running since November 2017. The ComboJack malware alters the clipboard of an infected user, replacing the user's copied wallet address with that of an attacker-controlled cryptocurrency wallet. One particularly advanced miner, Ghostminer, was also detected. And cybercriminals demonstrated their creativity by hiding a miner inside an image file.

Malspam campaigns continue to be an easy way for threat actors to distribute their malware. FlawedAmmyy, the Hancitor downloader, the Ursnif banking Trojan, and the Sigma ransomware were all detected this month, alongside the Boleto Mestre malspam campaign, which perpetually targets Brazilian users, and another campaign that is believed to be run by the North Korea-linked Lazarus group.

The Hajime IoT botnet reared its head again for the first time in over six months. The botnet was conducting large-scale scans for vulnerable MikroTik devices, which may signal a renewed interest in this type of attack. Other botnets of note for March include RottenSys, which was found to have already infected nearly five million Android devices, and the Dark Cloud botnet, which has been used to distribute the infamous Gozi ISFB banking Trojan for at least six months.

Problems continue for the Google Play Store. In March, HiddnAd and Guerilla, two families of potentially unwanted programs (PUPs), were found in 22 Android apps. All have since been removed. This demonstrates that even official app stores cannot be expected to be fully malware-free.

Governments of certain countries are increasingly targeting protesters and dissidents with malware. The Iranian administration was reported to have used a malware-laced fake VPN app to track its citizens; researchers reported a new Android Trojan targeting Iranian users; Uyghurs in China are thought to have been targeted by a new Android malware family dubbed HenBox; and the developers at Hacking Team are still producing new variants of the infamous Remote Control System spyware, which is known to have been sold to regimes around the world.

Banking malware continues to evolve and pose a major threat to customers, if not so much to the institutions themselves. A new variant of the FakeBank Android malware was detected which can intercept calls users make to their banks.

One point of note is that the objectives of malware developers are often quite opaque. This was the case with UselessDisk, also known as DiskWriter, which was originally believed to be ransomware. However, because the malware also overwrites the Master Boot Record (MBR), either encrypting or corrupting it, researchers believe it was more likely intended as a wiper.

Another issue of interest: Boeing reported that it was hit by a WannaCry ransomware attack on 28 March. However, it was quickly announced that the situation was not as serious as feared, and this probably does not herald a new round of infections with the infamous malware.