Malware: A month in review - April 2018

It appears that 2018 really will be the year of the cryptominer. Since the end of 2017, detections of both cryptomining malware and cryptojacking scripts (in-browser miners embedded in websites) have only increased. This trend continued into April: while ransomware has by no means disappeared, cryptomining malware has been the most frequently detected threat for some time.

One development in particular exemplifies this shift from ransomware towards cryptominers: the retooling of the XiaoBa ransomware as a cryptocurrency miner. Now in its fourth iteration, this relatively successful ransomware has been repurposed by actors who clearly see more money to be made from mining. Other notable developments in the world of cryptomining include PyRoMine, a miner that incorporates the leaked NSA exploit EternalRomance to spread laterally within target organisations; RETADUP, a new cryptomining worm coded in AutoHotkey; Rarog, a widespread Monero-mining malware circulating on the Darknet for as little as $104; and a script on the AOL advertising platform that had been modified to launch a cryptomining program.

Malspam campaigns remain an easy way for threat actors to distribute their malware. There was a significant uptick in spam from the Necurs botnet distributing QuantLoader, while the cross-platform remote access Trojan (RAT) Adwind, the XTRAT backdoor, the Loki information stealer and DUNIHI, a VBScript with backdoor and worm capabilities, were all seen being delivered by malspam this month.

Brazil remains a popular target for spammers: several malspam campaigns, collectively dubbed Metamorfo, were detected dropping banking Trojans. Separately, a new method of delivering malware via a malicious Word document, without requiring the user to enable macros, was used against targets in the USA and the Middle East; it has been linked to the notorious Cobalt group.

As we noted last month, reports of malware hosted on the official Google Play Store appear with striking regularity. This month was no exception, with the announced removal of a series of malicious apps that had been sneaked onto the Play Store by APT-C-23 (aka Two-tailed Scorpion) and by an unnamed group designated a 'mobile APT', or mAPT.

Android also remains a perpetual target for malware developers. Two variants of a new Android RAT, dubbed KevDroid, came to light this month; a new strain of Android malware focused exclusively on stealing data from mobile instant-messaging clients was reported; Palestinian users were reported to have been targeted by an Android malware strain; and researchers revealed Roaming Mantis, a new Android threat distributed through compromised sites. A new Android spyware and banking Trojan, dubbed XLoader, targets the PII and financial data of users in Japan, Korea, China, Taiwan and Hong Kong.

In the financial sphere, notable developments included significant evolution of the infamous Trickbot Trojan. Two separate research teams published analyses of the malware, stating that it is under "active development" with several new capabilities added; and it has transpired that a newly added screen-locking module was never intended for use in ransomware operations. Elsewhere, Netskope reported on a new strain of ATM jackpotting malware, dubbed ATMJackpot.

As always, it should be noted that financial malware almost always targets the customers of banking services rather than the institutions themselves. Attacks on institutions certainly do happen, with ATMs drained of cash and networks infiltrated, but the high skill level they demand means that the mass distribution of financial malware via malspam remains one of the main threats to this sector.

Finally, following last month's sudden outbreak of WannaCry at Boeing (and at Honda earlier in the year), this month saw the release of Telltale, a tool providing access to WannaCry sinkhole data in order to prevent Boeing-style flare-ups resulting from "untreated and dormant Microsoft Windows infections that maintain a foothold and are responsible for the residual and continued propagation of WannaCry".
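The practical use of sinkhole data is correlation: match the source addresses that keep hitting the sinkhole against your own egress address space, and treat hosts seen on several different days as live, dormant infections rather than one-off noise. The script below is an added illustration of that triage step and is not Telltale's code; the record format (ISO timestamp, source IP, queried domain), the egress range and the placeholder domains are all constructed assumptions, not real sinkhole output or the real kill-switch domains.

```python
"""Correlate sinkhole hit records with an organisation's egress address space
to surface hosts that keep beaconing, i.e. likely dormant WannaCry infections.

Added example: this is not Telltale's code. The record format is an assumption;
a real sinkhole export will have its own fields and must be parsed accordingly.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of sinkhole hits: "ISO timestamp,source IP,queried domain".
# The domains are placeholders, not the real WannaCry kill-switch domains.
SAMPLE_HITS = """\
2018-04-02T08:14:05,203.0.113.10,sinkholed-domain-1.example
2018-04-02T08:14:07,203.0.113.10,sinkholed-domain-1.example
2018-04-03T09:01:44,203.0.113.10,sinkholed-domain-1.example
2018-04-05T11:22:13,203.0.113.10,sinkholed-domain-2.example
2018-04-05T12:00:00,198.51.100.7,sinkholed-domain-1.example
2018-04-06T13:37:00,203.0.113.44,sinkholed-domain-1.example
not,a,valid,record
"""

# Assumed: the organisation's public egress ranges, as the sinkhole sees them.
OUR_EGRESS = [ip_network("203.0.113.0/24")]


def parse_hits(text):
    """Yield (timestamp, ip, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, src, domain = parts
        try:
            yield datetime.fromisoformat(ts), ip_address(src), domain
        except ValueError:
            continue


def is_ours(ip, ranges=OUR_EGRESS):
    """True if the source address falls inside one of our egress ranges."""
    return any(ip in net for net in ranges)


def summarise(text, ranges=OUR_EGRESS):
    """Per source IP in our ranges: hit count, distinct days seen, domains queried."""
    summary = defaultdict(lambda: {"hits": 0, "days": set(), "domains": set()})
    for ts, ip, domain in parse_hits(text):
        if not is_ours(ip, ranges):
            continue
        entry = summary[str(ip)]
        entry["hits"] += 1
        entry["days"].add(ts.date())
        entry["domains"].add(domain)
    return dict(summary)


def persistent_beacons(text, min_days=2, ranges=OUR_EGRESS):
    """IPs seen beaconing on at least `min_days` distinct days. A single hit may be
    a scanner or a researcher; repeated hits across days point at a live infection."""
    return sorted(ip for ip, e in summarise(text, ranges).items()
                  if len(e["days"]) >= min_days)


if __name__ == "__main__":
    report = summarise(SAMPLE_HITS)
    for ip in persistent_beacons(SAMPLE_HITS):
        e = report[ip]
        print(f"{ip}: {e['hits']} hits over {len(e['days'])} days "
              f"-> {sorted(e['domains'])}")
```

One caveat a responder should keep in mind: an egress IP behind NAT or a proxy can hide many internal hosts, so a persistent beacon identified this way is a starting point, and the next pivot is the NAT, proxy or DNS logs for the matching timestamps to find the actual unpatched machine.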