Malware: A month in review - July 2018

Since the beginning of the year, we have seen the threat from cryptomining malware grow exponentially. And in our malware reviews we have consistently referred to it as increasing, month by month. However, we now believe that it is no longer accurate to talk about it as if it were ‘up and coming’, because this could lead to it being underestimated: no, cryptomining malware has arrived at the top table of the malware world. New families continue to be detected on an almost daily basis, but many of these are now well-built and of a complexity not seen at the beginning of this year.

Some of the most notable cryptomining discoveries this month have been PowerGhost, NewKernelCoreMiner, SystemarevMiner (which could survive removal by antivirus solutions), WinstarNssmMiner4 (the fourth iteration of the WinstarNssmMiner threat, which itself only came to light recently) and HiddenPowerShellMiner. Many of these had infected tens, if not hundreds, of thousands of devices by the time they were discovered.

Whilst many in the cybersecurity sector have claimed that ransomware has seen a decline since the highs of mid- to late-2017 – in favour of cryptomining malware – we believe that in fact it never went away and is still a persistent threat to business. Cybercriminals are continuing to target organisations with ever evolving varieties of malware, and successfully demanding and receiving payments for the release of encrypted or stolen data. New variants of existing ransomware families are being released on a fairly frequent basis.

One reason for this is that it is relatively easy for even novice hackers to carry out an attack: ransomware kits can be found, downloaded and used quickly. Further, attacks like this are popular because of the fast evolution of the malware on offer. In recent months we have reported on several types of ransomware that developers have enhanced with new capabilities. Foremost among them is GandCrab, three separate variants of which were discovered as payloads in one single spam campaign, and for which version 4.3 now exists despite the malware only having been in circulation for seven months.

GandCrab is a perfect case study in rapid threat evolution: its author has been vocal in recent weeks about everything from being criticised for poor coding to complaining that an antivirus company had developed a way to prevent encryption. One of the most recent variants of the malware does not require a C&C server and so can operate in air-gapped environments. This sort of intensive work on improving the same family of malware, rather than moving from project to project, is something that has previously only really been a feature of nation-state-backed actors.

Vulnerabilities go hand-in-hand with malware delivery, being used by threat actors in malspam campaigns and other attacks. The evolution of the Emotet malware is a good demonstration of the threats posed by cybercriminals putting their minds to efficient delivery. The malware has evolved to now provide a global packing and delivery service for cybercriminals, leveraging its extensive infrastructure and integrating new vulnerabilities all the time.

Another important development in the malware threat landscape this month was the discovery that malspam is increasingly delivering Emotet and Trickbot together. Whilst not without precedent, the combination of two such potent malware families is significant. Combining malware in this manner allows the attackers to exploit the features of both, resulting in a more potent infection.

The malware threat landscape today is populated with a diverse range of threats to individual users, large companies and everything in between. Antivirus and other defences against this menace are improving all the time, but frequently it seems that malicious developers are one step ahead.