Malware: A month in review - May 2018

The biggest news this month concerned a malware called VPNFilter. The threat was linked to Russian state-sponsored hackers (because of code similarities to other Kremlin-linked attacks), and in the initial assessment was believed to have infected at least 500,000 routers and storage devices.

Later reports claimed that the FBI had taken control of one of the key servers in the VPNFilter botnet, effectively killing the ability of the malware to reactivate following a reboot. The Bureau later released a Public Service Announcement (PSA) advising that "any owner of small office and home office routers power cycle (reboot) the devices". However, it subsequently came to light that simply rebooting infected devices was insufficient: while a reboot does remove the malware's malicious components, the infection itself is not eliminated entirely.

VPNFilter was initially believed to be an attempt by Russian hackers to disrupt the Champions League Final, held in Kiev on 26 May. This particular threat did not materialise, but there have been warnings since then of continued infections, particularly in Ukraine.

Elsewhere, researchers reported that malicious Android apps purporting to be the popular Fortnite game were spreading malware. Android spyware, cryptomining malware and a scam app claiming to help players earn free V-bucks were all detected, the latter having been hosted on Google Play Store. All the other apps, however, were found on third-party app stores.

Also in the Android sphere, information was published on malware being shipped pre-installed on more than 140 Android smartphones and tablets. It has been dubbed Cosiloon and appears to have been in circulation since 2016, when 26 low-cost Android smartphones were found to have been affected by a supply-chain attack. This threat has clearly expanded its reach.

Malicious actors continue to push to get their malware into the Google Play Store. This month saw the reintroduction of seven malicious Android apps into the Store simply by changing the app names and the developer name. Some of these apps had been downloaded more than 100,000 times by users in the UK, South Africa, India, Japan, the USA and elsewhere. Android is the most prevalent mobile operating system on the planet: this threat is not going away.

Malspam continues to be an attractive way for hackers to make money, mainly because of the simplicity of the scam. This month saw impersonations of HSBC, RBS, Barclays and Lloyds Bank, among others. The most significant threat was the presence of the infamous TrickBot banking Trojan in malspam emails purporting to be from RBS.

Research was published this month looking at new Mirai variants popping up on a strikingly regular basis. In the last few months four new botnet malware families have been detected in the wild: Satori, JenX, OMG and Wicked. All of these build on the Mirai source code, which has been publicly available for some time. Exploits and capabilities are being added all the time, and these new, improved variants are being introduced into the wild more quickly than ever before.

Last, but by no means least, the cryptomining malware threat shows no signs of abating, despite an interesting, if marginal, uptick in new ransomware detections this month. One particularly aggressive cryptomining malware, dubbed WinstarNssmMiner, was tracked in over 500,000 attacks in just three days. The malware was found to crash the host system if an antivirus product, or the user, identifies it and attempts to remove it.

The other significant development in the cryptomining sphere was the detection of a large campaign utilising the recently disclosed Drupalgeddon 2 vulnerability (CVE-2018-7600). This campaign continues, and many others have jumped on the Drupal-exploiting bandwagon. This is particularly worrying given recent research finding more than 115,000 sites running Drupal version 7.x had not yet installed the fix released by developers over two months ago.