Malware: A month in review - June 2018

Cryptomining and botnets are in the spotlight this month, with the former continuing its meteoric rise and becoming more sophisticated, and the latter making a comeback. There is significant crossover between the two, as botnets are increasingly being used in cryptocurrency mining operations, alongside their more traditional uses like distributing malspam.

In mid-June, researchers discovered that the Satori IoT botnet was responsible for a surge in port 8000 scan activity. PoC code for a buffer overflow vulnerability (tracked as CVE-2018-10088) was published on 8 June, and it seems that the actors behind Satori integrated the exploit into their botnet's attack routine within days. This rapid evolution is indicative of the resurgence in botnet activity seen across the board in June.

Two new malware families, Mylobot and Prowli, were discovered adding infected devices to separate botnets. Prowli is a botnet of more than 40,000 infected web servers, modems and other IoT devices, and is being used for cryptocurrency mining and for redirecting users to malicious sites. The botnet uses both vulnerability exploitation and brute-force attacks to infect targets. Another botnet of note was detected after an outbreak of the Bondat worm, which was building a botnet to both mine Monero and attack WordPress sites.

According to new research, several malspam campaigns, particularly those distributed by the Necurs botnet, have been using a new type of attachment in order to bypass antivirus and mail filters. The attachments are Excel Web Query (IQY) files, which attempt to pull data from an external source once opened.
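A mail-gateway check for the IQY attachments described above, added here as an example and not code from the original report. It assumes the documented IQY text layout (a `WEB` type line, a version line, then the URL) and a placeholder allowlist of hosts (`ALLOWED_HOSTS`); the sample attachments are constructed.

```python
"""Flag Excel Web Query (.iqy) attachments that fetch remote content.

Assumed layout (Microsoft's documented IQY text format): line 1 is the
query type ("WEB"), line 2 the version ("1"), line 3 the URL, followed by
optional Key=Value parameters. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hosts the organisation knowingly pulls web queries from (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.internal"}


@dataclass
class IqyVerdict:
    is_iqy: bool
    url: Optional[str]
    external: bool   # True means: quarantine, the file reaches outside
    reason: str


def inspect_iqy(data: bytes) -> IqyVerdict:
    """Parse an attachment and report whether it is an IQY that reaches outside."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return IqyVerdict(False, None, False, "not an IQY web query")
    url = lines[2]
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
        return IqyVerdict(True, url, False, "IQY without an http(s) URL")
    host = parsed.hostname.lower()
    if host in ALLOWED_HOSTS:
        return IqyVerdict(True, url, False, "IQY to allow-listed host")
    return IqyVerdict(True, url, True, f"IQY pulls data from external host {host}")


# Constructed sample attachments (not real campaign artefacts).
SAMPLE_EXTERNAL = b"WEB\r\n1\r\nhttp://malspam-example.test/1.dat\r\n\r\nSelection=1\r\nFormatting=None\r\n"
SAMPLE_INTERNAL = b"WEB\n1\nhttps://intranet.example.internal/sales.aspx\n"
SAMPLE_TEXT = b"Just a harmless text note.\n"

if __name__ == "__main__":
    for name, blob in [("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL), ("text", SAMPLE_TEXT)]:
        v = inspect_iqy(blob)
        print(f"{name}: quarantine={v.external} ({v.reason})")
```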

Other malspam campaigns of note this month include a phishing operation pushing the FormBook infostealer malware; a campaign using malicious Hangul Word Processor documents to spread malware primarily in South Korea and the surrounding region; and the targeting of Italian and European companies with a new strain of malware, DMOSK. The malware is delivered in malspam emails containing malicious links, which are known to have been clicked by more than 6,600 users.

As noted above, the other key issue for June was cryptomining malware. As if to underline the importance of this threat, three of the top four malware in the 'most wanted' monthly list from CheckPoint were cryptominers, the fifth month in a row in which they have dominated the list. Infections are reported consistently, and target users across numerous sectors.

Researchers reported on a new iteration of the WinstarNssmMiner cryptomining malware, dubbed WinstarNssmMiner3, which infected more than 30,000 computers in one day. Earlier in the month it was reported that both the Amazon Fire TV and Fire Stick Android devices were being targeted by a cryptomining malware known alternately as ADB.miner and Android.CoinMine.15. It scans for open port 5555, the port used by Android devices running the Android Debug Bridge (ADB). And ShutdownTimerBundlerMiner, a new cryptomining malware, managed to infect more than 200,000 devices in under a week.

The Android ecosystem continues to be plagued by malware. A new threat, targeting Android devices, has been dubbed MysteryBot. The malware has banking Trojan, keylogger and mobile ransomware features. As noted in previous reports, the Google Play Store is continually peppered with attempts by malicious actors to upload their software. This month saw reports that @AsianHitGroup was involved in pushing fraudulent apps on the Store using a background push notification to subscribe victims to a premium mobile service.

The financial sector remains one of the most attractive targets for threat actors. In the Darknet sphere, an anonymous user placed an advert for ATM malware on Deep Paste, and another vendor was found selling a worldwide ATM hacking tutorial on Empire Market. A malspam campaign purporting to be from RBS was pushing the TrickBot banking Trojan; another spam campaign that was using the US tax return date as its lure had the Ursnif banking Trojan as its payload; and a new financial malware, dubbed DanaBot, has been reported.

An attack on the Bank of Chile, perpetrated at the end of May, has been confirmed as a smokescreen for an attempted intrusion into the SWIFT network. Analysis has now also shown that the code of the wiper malware used in the attack is a modified version of MBR Killer, a component of the Buhtrap malware.

Looking to the future of malware, one of the interesting developments that we have picked up this month is SocketPlayer, a backdoor that is one of the first malware families to provide two-way, real-time communication between the threat actor and the infected bot. This is a technique that we expect to be utilised in other malware. And researchers also reported that, despite HTML5 being advertised as a significant step up in terms of security, malware is being spread via HTML5 ads on both mobile and desktop.