Malware: A month in review - September 2018

This month has seen numerous developments in the malware environment, with APTs changing their tactics, various ransomware evolving rapidly, and Google continuing in its seeming inability to prevent malicious apps hitting the Play Store.

The GandCrab ransomware was first detected in January of this year, but we are already onto version 5. This swiftly mutating ransomware is routinely updated when antivirus companies block the latest variant. In just over a week in September, GandCrab went from version 5 to version 5.0.1. Staying one step ahead of cybersecurity professionals is one way for the hackers to increase their chances of success. This appears to be a trend among many malicious developers: instead of going for volume, they are going for quality, to increase the likelihood of infecting more devices.

As noted above, the Play Store continues to be plagued with problems. September alone saw well over a hundred malicious apps listed on it, receiving cumulative downloads in the hundreds of thousands. This is a very real problem, and not one that Google appears to be dealing with sufficiently.

Banking Trojans are the most common malware uploaded to the Store. An example of this was the QRecorder automatic call and voice recording tool, which had been infected with the BankBot Trojan and downloaded more than 10,000 times. In another case, 25 apps on the Play Store were found to contain cryptomining malware. These Coinhive-infected apps, disguised as educational apps, games and utilities, had been downloaded more than 120,000 times. Users in the UK, Switzerland, Poland, Turkey, New Zealand, Australia and the USA are known to have been specifically targeted.

In the financial sphere more generally, banking Trojans continue to be distributed by a host of malicious developers. These are designed to steal banking login credentials, often by forcing redirects to phishing pages disguised as legitimate login portals.

US banking customers were targeted with an iteration of Ramnit; DanaBot was deployed in several campaigns over the month, some targeting its usual European and Australian victims and another aimed at US users; and business customers of the Brazilian banking sector were hit by a new Trojan, dubbed CamuBot.

Well-known APT Cobalt has been spreading a new malware targeted at high-value financial institutions around the globe. The threat has been dubbed SpicyOmelette. It is generally delivered in malicious PDFs attached to phishing emails. Once it is running on a victim machine, SpicyOmelette paves the way for a host of malicious activities, including privilege escalation via the theft of account credentials and ATM cashouts.

Cryptomining continues to be a significant issue worldwide. It was reported this month that numerous Indian government websites had been roped into a cryptojacking campaign which, at the time of publishing, was believed to still be active. IoT devices are prime targets for malicious cryptomining, with reports this month that at least 420,000 MikroTik routers had been compromised. At least 80 unique campaigns were detected, distributing various cryptomining malware such as Coinhive, WebMinePool, CoinImp and Crypto-Loot.
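The website and router compromises described above all end the same way for the visitor: a script tag pointing at a browser-mining service, or an inline loader, is injected into pages the visitor receives. The scanner below is an added example written for this review, not code from the report or from any of the named services; it parses an HTML document, extracts every script source and inline script body, and flags those that reference a mining service. The hostnames and inline patterns it matches are assumptions derived from the service names in the text (Coinhive, WebMinePool, CoinImp, Crypto-Loot), and the two HTML documents are constructed samples; a real deployment would replace the indicator list with a maintained threat-intelligence feed and run the scan over pages fetched through the router or network path being checked.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator list for this example only: hostnames assumed for the
# browser-mining services named in the report. Replace with a maintained
# threat-intelligence feed in real use; these are assumptions, not indicators
# published in the report itself.
MINER_HOSTS = {
    "coinhive.com",
    "coin-hive.com",
    "webminepool.com",
    "coinimp.com",
    "crypto-loot.com",
}

# Constructed inline-loader patterns (assumptions about how an injected miner
# is started from an inline <script> block).
INLINE_PATTERNS = [
    re.compile(r"CoinHive\.Anonymous", re.I),
    re.compile(r"new\s+Client\.Anonymous", re.I),
    re.compile(r"CRLT\.Start", re.I),
]


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # values of <script src="...">
        self.inline = []      # bodies of <script>...</script> blocks
        self._buf = None      # accumulates the body of the current script tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._buf = []
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def _hostname(src):
    """Return the lower-cased host of a script src, or '' for relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _host_is_miner(host):
    # Match the indicator host itself or any subdomain of it.
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_scripts(html):
    """Return (kind, evidence) tuples for suspected mining scripts in one page."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.srcs:
        host = _hostname(src)
        if host and _host_is_miner(host):
            findings.append(("external_script", src))
    for body in collector.inline:
        for pattern in INLINE_PATTERNS:
            if pattern.search(body):
                findings.append(("inline_loader", pattern.pattern))
                break
    return findings


# Constructed sample pages: one clean, one with an injected miner.
CLEAN_PAGE = """<html><head><title>Notices</title>
<script src="/static/app.js"></script></head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Notices</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.3});
  miner.start();
</script></head><body><p>Hello</p></body></html>"""


def scan_samples():
    """Scan both constructed pages and return their findings by name."""
    return {"clean": find_miner_scripts(CLEAN_PAGE),
            "injected": find_miner_scripts(INJECTED_PAGE)}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "no miner indicators")
```

Matching on the script host rather than on a file name is deliberate: a compromised router or site can rename the loader, but it still has to fetch it from, and report work to, the mining service, so the hostname is the more stable indicator. The inline patterns cover the case where the loader library has been copied onto the compromised site itself.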

The evolution of the Internet of Things (IoT) is well documented as having presented cybercriminals with a new and extensive threat surface to abuse. IoT devices are routinely found to have been co-opted into botnets, often used for cryptomining: Fbot and XBash are two new malware families that were detected carrying out these malicious activities in September. The main news regarding botnet threat evolution, however, was the discovery of a new malware dubbed Torii, which is believed to be more advanced than the Mirai family. There have been warnings of such powerful botnets before, most of which have not proved to be anywhere near as serious as initially thought. It is nonetheless appropriate to keep an eye on Torii’s development.

As ever in a report about malware, there must be a mention of malspam. Despite this threat vector’s simple and mundane appearance, it is no less a problem for the end user than many of the more sophisticated threats mentioned above. ‘Pump and dump’ schemes – whereby thousands or millions of emails will be pushed out in a short time in the hope that at least one recipient will click the link or open the attachment – are detected routinely. The Necurs botnet continues to be one of the major threats in this part of the malware environment. New research showed that between late May and early July, it distributed more than 780,000 malicious emails in five different campaigns. It is often the simplest threats that are the ones to cause the most damage to end users. One stray click and a threat actor may have access to a bank account of an individual, or be granted access to the network of a major company.