Malware Most Foul: Emotet, Trickbot, Cryptocurrency MinersResearchers: Targeted Crime Attacks Surge, Continue to Blend With Nation-State Campaigns
Two banking Trojans, as well as various strains of cryptocurrency mining malware, continue to be among the most-seen types of malicious code being employed in nontargeted online attacks, according to a new report from cybersecurity firm CrowdStrike.
The report, which describes online attack trends the company saw in the first half of 2019, says the most prevalent malware strains used in nontargeted attacks were Emotet and Trickbot, followed by various strains of cryptocurrency mining malware, Gozi and Dridex.
While Emotet, Trickbot and Gozi - aka Ursnif - began life as banking Trojans, today they have much more functionality, including the ability to act as a dropper. This means that after gaining a foothold on an infected system, they can install or "drop" additional malware - including ransomware - onto endpoints, as well as push additional functional modules (see: Repeat Trick: Malware-Wielding Criminals Collaborate).
Emotet Steals Emails
Numerous other security firms have also called out Emotet for being the most prevalent type of malware now seen in the wild, noting that it continues to be updated with new functionality (see: Emotet Botnet Shows Signs of Revival).
For example, cybersecurity firm Secureworks notes that one Emotet module gives attackers the ability to grab the first 8 KB of every email in a victim's email inbox and send it back to the botnet's command-and-control server.
Researchers at the security firm Cisco Talos say the malware uses the stolen data to create socially engineered spam. "Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads," they say.
Trickbot Targets Telco Customers
Trickbot, the second most-seen type of malware in the wild attacking CrowdStrike customers in the first half of this year, has also continued to be revamped. The malware has long had the ability to spoof legitimate banking sites via web injection, which presents users with a preprogrammed, look-alike version of a site when they navigate to the legitimate URL.
Top TrickBot infected countries. The vast amount of infections are located in the US, followed by Spain, Germany, Canada and Great Britain.— abuse.ch (@abuse_ch) October 4, 2019
You can prevent becoming a victim of TrickBot and Ryuk Ransomware by blocking known TrickBot C2s:https://t.co/if21bBHTpo pic.twitter.com/pUBRFGHl6J
In August, Secureworks' counter threat unit reported that the malware had been updated to include web injects for the websites of three U.S. mobile carriers: Sprint, T-Mobile and Verizon Wireless.
Secureworks says the targeting of mobile PIN codes appears to be an attempt to perpetrate SIM swapping fraud, which enables fraudsters to intercept one-time codes sent via SMS, which can help them drain online bank accounts and cryptocurrency hot wallets (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
Ransomware Onslaught Continues
While ransomware strains don't rank in CrowdStrike's top five list of malware seen being recently used in non-targeted attack, security experts say crypto-locking malware remains prevalent, persistent and damaging. In part, that's because it's proven to be an easy money-maker for crime gangs.
"Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent," the FBI warns in a Wednesday alert. "Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly."
No wonder then that threat intelligence firm Recorded Future's Insikt Group found that from May 2018 to May 2019, ransomware was the most discussed form of malware on underground forums.
Targeted Crime Attacks Surge
Looking beyond nontargeted attack attempts, CrowdStrike reports that for attacks that could be attributed to a nation-state actor or cybercrime group, China remains the most active - or actively seen - actor. The report says: "CrowdStrike has observed China target the most industries across the board, including chemical, gaming, healthcare, hospitality, manufacturing, technology and telecom."
Another trend this year, says Jen Ayers, vice president of CrowdStrike's Falcon OverWatch threat-hunting service, has been the increasing crossover between nation-state groups and cybercrime gangs. "I don’t want to say that those lines have completely blurred, but they are really blurring," she tells Information Security Media Group (see: Cybercrime Groups and Nation-State Attackers Blur Together).
While the overall quantity of nation-state attacks doesn't appear to have declined or escalated this year, CrowdStrike says it has charted a sharp increase in targeted attacks apparently being launched by gangs that have a monetary focus, such as stealing payment card data or personally identifiable information.
Ayers says that overall, cybercrime gangs' sophistication also continues to increase, with some gangs moving far beyond "spray and pray" tactics. For more sophisticated crime gangs, "if it is a distinct, identified target, it's very smooth in terms of their entry point, using web shells or remote desktop protocol, doing credential dumping, or if they'd previously dumped credentials, going to very specific locations, such as targeting particular high-value servers of interest," she says. "For sure, this is a level of sophistication that we have seen grow over the last year."
Tooling: Customized Malware Declines
While criminal sophistication has been increasing, when it comes to attack tools, "customization is definitely on the decline," Ayers says. "We are not seeing as much of that any more" by cybercrime gangs, she adds, while noting that some nation-state attackers continue to deploy custom malware, although less frequently.
The easy availability of resources such as the legitimate penetration testing tool Cobalt Strike - similar to Metasploit - as well as memory scraping tool Mimikatz and scripting framework PowerShell means that cybercrime and nation-state attackers alike have more effective, free options at their disposal, Ayers notes.
"If it already exists, why not just reuse what you have?" she says, with the added benefit that for nation-state hacking groups, looking like a cybercrime gang makes their efforts tougher for defenders to attribute. The same goes for living-off-the-land tactics, referring to attackers using legitimate tools to disguise their illicit activities - for example, using the PsExec command-line tool to execute processes on remote systems.
Criminals are also adopting some new, free tools. "We are seeing the introduction of a couple of new tools, including basic tools to deploy evasion techniques," she says, pointing to PC Hunter and Process Hacker.
From a threat-hunting perspective, Ayers says that comparing customers in the same industry sector and geographic area reveals that organizations with better security maturity are at less risk of suffering a breach - or being attacked.
"One thing I am noticing that I think we can generalize on … is that these adversaries are certainly looking for ... call it ease of use," she says. "The tighter the security maturity of a customer tends to be, the less an adversary is going to be interested. Like any other human in the world, they're going to pick the path of least resistance."
Basic security hygiene counts, she says, pointing to ensuring there's strong user awareness programs, reliable vulnerability and patch management processes, and mandatory multifactor authentication for account access. MFA can help blunt the effect of a breach by continuing to deny attackers access to targeted accounts - or at least slowing down their efforts to such a degree that they simply look elsewhere.