Malware - 2018 in Review

2018 saw some significant events in the malware environment which had far-reaching effects across all sectors around the world. In this broad-brush overview of the malware events of the year, we will explore both major attacks and trends within the environment.

One of the key developments in 2018 was the ascendance of cryptomining malware to the top of the threat tree. Numerous security researchers believed that it all but heralded the end of the road for ransomware. However, as we noted in a blog post earlier in 2018, this was not the case: instead, the emergence of cryptomining malware merely precipitated a recalibration of the malware environment, in which ransomware remained a prominent threat. A good example of this is the GandCrab ransomware which, over the course of 2018, evolved at least five times to ensure it could stay ahead of cybersecurity defences.

In February, the opening ceremonies for the Winter Olympics in Pyeongchang were hit with the Olympic Destroyer malware, with the ticketing website temporarily taken down and systems in the stadium being infected. While various sets of researchers were able to carry out extensive analysis of the malware itself – which was established as having been designed for purely destructive purposes – attribution proved impossible as a result of numerous false flags in the code. Another variant of the malware appeared later in the year with improved anti-detection capability.

Another of 2018’s big malware stories took place in May, when researchers across the world warned about the VPNFilter malware. According to some, at the time of the initial reports, 500,000 devices worldwide had already been infected with it, and the malware had potential to be immensely disruptive. Whilst it was never activated, VPNFilter could have been used to steal users’ website credentials, monitor Modbus SCADA protocols, and even brick the affected router.

Over the course of the next month, the malware was analysed closely, and new modules were added by the malicious developers. Some eight different third-stage modules were added to VPNFilter that gave the malware even more destructive capabilities, such as filtering data, disguising communications with its C&C servers, encrypted tunnelling capabilities, and the ability to completely shut down an infected router.

As noted above, cryptominers are arguably the story of 2018. In January, a series of pool-based miners emerged, many of which had botnets of millions of infected systems that could have been used to generate many millions of dollars a year. Whilst an organisation hit by cryptomining malware would not lose any precious data, it would nonetheless be at risk from significantly decreased computing power.

One actor, @Rocke, became one of the biggest users of cryptocurrency miners, distributing cryptomining malware using a varied toolkit, including Git repositories, HttpFileServers, and dropping miners via shell scripts and JavaScript backdoors. This actor is expected to branch out into social engineering as a way of luring unsuspecting users into downloading his miners. Overall, the threat from this malware is not going to disappear in 2019, despite the significant fall in the value of cryptocurrencies.

Perhaps the other most significant trend in the malware landscape in 2018 has been the rise of mobile malware. We have covered this extensively, with several researchers seemingly discovering new threats each day.

This threat has grown as more and more consumers have turned to their mobile devices, instead of desktops, for shopping, email, and other tasks. In most cases, threat actors have looked to distribute malicious apps with a focus on stealing data from banking apps or retail apps. The Google Play Store has been plagued by these fake apps which users download believing them to be legitimate. Tactics vary, with some developers opting for overlay attacks in which their app will run silently in the background until the target app is opened, at which point a phishing window will be laid over the top of the target app and all data entered will be collected and stolen. Others use links to malicious phishing pages, warning users that the app or their payment information is out of date. A good example of this threat is the GPlayed malware, disguised as a legitimate Play Store app, which initially had the capability to load plugins and inject scripts, but eventually evolved to include a banking Trojan that targeted login credentials for financial services websites.

In some cases, attackers distributed malware that completely took over a mobile device, as was the case with an initially small campaign discovered in India in July. In that campaign, researchers discovered 13 devices infected with mobile device management (MDM) software that could allow attackers to add on malicious features to legitimate apps, giving them the ability to exfiltrate information such as contacts, photos, messages and location. Later in the year, it was found that the campaign had targeted more devices than initially thought and the attack was attributed to an actor with a history of targeting Android devices. This was an intriguing espionage operation which only served to underline the sophistication of the threats in the mobile malware environment.

The Emotet banking Trojan was one of the most reported threats of the last quarter of 2018. In October it was reported that the developers behind the malware had added a credential harvesting module that would allow for data theft, and it was assumed that they were gearing up for a significant operation. This theory was borne out shortly after when the banking Trojan was seen being distributed in malspam emails targeting users from Europe to the Americas. One of the most interesting developments of this threat has been its transition to a first-stage downloader malware, pushing other threats including the TrickBot banking Trojan and IcedID.

Finally, towards the end of the year, two new variants of the infamous Shamoon disk-wiping malware came to light. This latest Shamoon update has been given a modular reworking. Contained in the malware is a list of targeted computers, a spreader for the file eraser, code able to exfiltrate information relating to the infected device’s OS, a remote wiper execution module, and the new wiper itself, which deletes every file found upon execution. It remains to be seen what this threat will be used for.

2019 will see significant developments in the mobile malware sphere: a ‘professionalisation’ of the kind that was seen a decade ago in PC malware. This will see the threats become more sophisticated as defences improve and greater targeting is made necessary. Cryptominers will continue to plague users around the world, though their meteoric rise will not be matched next year. And more traditional malware, such as ransomware and banking Trojans, whilst appearing to have been eclipsed by cryptomining threats in 2018, will nonetheless remain a serious issue for the foreseeable future.
