Malware: A month in review - October 2018

In a month that saw the build-up to the US midterm elections, one of the more striking pieces of research revealed that hacker group APT28 had turned its attention away from interfering with elections in other countries towards cyber-espionage activities and intelligence gathering. Nonetheless, given that this group is connected to Russia, and that it uses tailor-made malware and well-crafted spear-phishing emails against its targets, this new development should not be seen as a cause for relief.

Ransomware continues its upward trend, defying the predictions made by many in the cyber security industry that it was on its way out. GandCrab has been one of the major stories of this year, and October was no different: Europol issued a press release reporting that a new free decryption tool for it has been released; and the developers of the malware published a tool for the use of Syrian victims who, according to the threat actors, were not supposed to be infected anyway.

Other interesting developments include the new distribution of the Kraken Cryptor ransomware by the Fallout Exploit Kit, and a ransomware bundle called ‘2018 ransomware pack’ for sale on the Darknet for $750: this allegedly includes SamSam, Magniber, Satan, CryBrazil and XiaoBa. The inclusion of SamSam may point to the involvement of the as yet unidentified group behind that ransomware. Researchers also released an analysis of SamSam which showed that it had been used in 67 targeted attacks in 2018, primarily against the healthcare sector in the USA.

Banking Trojans and cryptomining malware continue to become more sophisticated and present the most persistent threat to users all over the world. In particular, Turkish, Italian and Brazilian users have all been targeted by banking Trojans this month, with one campaign pushing the Ursnif malware onto Italian users, and a massive phishing operation driving sophisticated and hard-to-detect malware at Turkish banking customers. New research showed that Trickbot is the most prevalent payload in email attacks.

Other developments of note include: a new password-grabber module has been added to Trickbot; several new versions of Gozi ISFB were disclosed this month, all with different targets; researchers discovered GPlayed, a new Android malware that is significantly more sophisticated and flexible than most threats on the market; GPlayed Banking, a predecessor to GPlayed, was then reported targeting users of Sberbank AutoPay; and several updates have been made to the Panda Banker financial malware.

In the cryptomining sphere, one of the most interesting developments was a new Monero-mining malware, dubbed Novel Miner, which is specifically targeting Chinese servers. Elsewhere, a new campaign was found to be distributing cryptominers in apps purporting to be Adobe Flash Player updates - an old tactic. Coinhive remains top of the malware threats list: according to researchers it now affects 19% of organisations worldwide.

No analysis of banking malware threats to users would be complete without the latest update on the distribution of Trojans through the Google Play Store. ESET reported on a tranche of 29 mobile banking Trojans available on the Store, masquerading as anything from battery managers to horoscope-themed apps. One Android banking Trojan became the number one trending app in the financial category of the Store in Turkey; and another had been installed more than 11,500 times. This is one of the most serious threats to users.

The threat that infected removable USB devices pose to industrial systems has also been highlighted, with Trojans the malware most commonly found on them. Instances of infamous malware strains such as Triton, Mirai, Stuxnet, and WannaCry were also detected in October. Reports were broadcast in Iran claiming that critical infrastructure networks in the country had been hit by a virus more powerful than Stuxnet. And FireEye researchers have also linked the deployment of the Triton malware to a Russian government-owned technical research institution.

APT groups continue to be a major threat to governments around the world. Key developments in this sphere include the discovery of a previously unknown RAT used by the notorious Lazarus group which has been dubbed CasperPhpTrojan. This malware is thought to be one of the key weapons in the group’s arsenal. A new group, APT38, is reportedly linked to the North Korean government, operating independently of Lazarus. And Sidewinder APT is believed to have changed its tactics in order to deliver a new backdoor.

As noted last month, malspam is one of the easiest infection vectors for threat actors to employ. A host of malware was detected this month, ranging from Trojans to backdoors, keyloggers to RATs. A phishing campaign that hit Iceland on the weekend of 6 October was called the largest cyber-attack ever to hit that country. And the threat keeps on evolving: researchers discovered and disclosed a surreptitious delivery vector for malware that results from the way in which videos are embedded into Microsoft Word documents. This threat is not going away.
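The embedded-video delivery vector mentioned above is a reminder that a Word document's "online video" is stored as a fragment of HTML inside the document XML, and that fragment deserves the same scrutiny as a macro. The following triage scanner is an added example written for this review; it is not code from the article or from the researchers who disclosed the technique. It assumes that Word stores an online video as a `wp15:webVideoPr` element whose `embeddedHtml` attribute carries the HTML that is rendered when the video is clicked (the namespace, element and attribute names are assumptions based on the Word 2013+ drawing extensions, not taken from the article). The sample documents, the embed strings and the list of allowed video hosts are all constructed for the example.

```python
"""Triage scanner for online-video embeds in .docx files (added example).

Assumption (not from the article): Word stores an online video as
<wp15:webVideoPr embeddedHtml="..."/> inside word/document.xml, where the
attribute holds the HTML fragment that is rendered when the video is played.
The scanner extracts every such fragment and classifies it:
  - "suspicious": contains script tags, javascript: URLs or event handlers
  - "benign":     a single iframe pointing at an allow-listed video host
  - "review":     anything else (unexpected markup, unknown host)
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from html import escape
from typing import List, Optional, Tuple

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
WP15_NS = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"  # assumed namespace
DOCUMENT_PART = "word/document.xml"

# Allow-list of video hosts a benign embed may point at (constructed for the example).
ALLOWED_HOSTS = r"(?:www\.youtube\.com|player\.vimeo\.com)"
BENIGN_IFRAME = re.compile(
    r'^\s*<iframe\b[^>]*\bsrc="https://' + ALLOWED_HOSTS + r'/[^"]*"[^>]*>\s*</iframe>\s*$',
    re.IGNORECASE,
)
# Markers of active content that a plain video iframe never needs.
ACTIVE_CONTENT = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def classify_embedded_html(html: str) -> str:
    """Classify one embeddedHtml fragment. Active content wins over everything else."""
    if ACTIVE_CONTENT.search(html):
        return "suspicious: active content"
    if BENIGN_IFRAME.match(html):
        return "benign: video iframe"
    return "review: unexpected embed markup"


def find_embedded_video_html(docx_bytes: bytes) -> List[str]:
    """Return every embeddedHtml fragment found in word/document.xml (empty if none)."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            if DOCUMENT_PART not in zf.namelist():
                return []  # not a Word document (or no main part)
            root = ET.fromstring(zf.read(DOCUMENT_PART))
    except zipfile.BadZipFile:
        return []  # not an OOXML container at all
    # iter() walks the whole tree, so nesting depth inside w:drawing does not matter.
    return [el.get("embeddedHtml", "") for el in root.iter(f"{{{WP15_NS}}}webVideoPr")]


def scan_docx(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (verdict, fragment) pairs for each online video in the document."""
    return [(classify_embedded_html(h), h) for h in find_embedded_video_html(docx_bytes)]


# --- constructed sample documents ------------------------------------------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>'
)


def make_document_xml(embedded_html: Optional[str]) -> str:
    """Build a minimal document.xml, optionally carrying one online-video embed."""
    video = "" if embedded_html is None else (
        f'<wp15:webVideoPr embeddedHtml="{escape(embedded_html, quote=True)}" h="360" w="640"/>'
    )
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:wp15="{WP15_NS}"><w:body>'
        '<w:p><w:r><w:t>Constructed sample document</w:t></w:r></w:p>'
        f'{video}</w:body></w:document>'
    )


def build_docx(document_xml: str) -> bytes:
    """Zip a document part into a minimal (scanner-sufficient, not Word-complete) .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr(DOCUMENT_PART, document_xml)
    return buf.getvalue()


BENIGN_EMBED = '<iframe width="640" height="360" src="https://www.youtube.com/embed/CONSTRUCTED" frameborder="0"></iframe>'
ACTIVE_EMBED = BENIGN_EMBED + '<script>console.log("constructed marker")</script>'
ODD_EMBED = '<object data="https://example.invalid/embed"></object>'

if __name__ == "__main__":
    for label, embed in [("benign", BENIGN_EMBED), ("active", ACTIVE_EMBED), ("odd", ODD_EMBED), ("none", None)]:
        print(label, scan_docx(build_docx(make_document_xml(embed))))
```

The classifier deliberately checks for active content before the allow-list, so an iframe to a legitimate host followed by a script tag is still flagged; a real deployment would also record the document hash and the full fragment for the analyst rather than only the verdict.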