The first half of 2019 demonstrated that no environment is immune to malware attacks. We have witnessed threat actors developing new tool sets and techniques, targeting corporate assets stored on cloud infrastructure, individuals’ mobile devices, trusted third-party suppliers’ applications and even popular mail platforms.
2019 New Malware Trends
One of the dominant attack types of 2019 is targeted ransomware. This year, collaboration between threat actors enabled even more destructive attacks that paralyzed numerous organizations worldwide. What ends in a ransomware attack usually starts with a quieter sequence of bot infections.
Still highly visible, cryptominers are on the decline this year – only 21% of organizations worldwide were affected by cryptominer attacks, compared with 42% at their peak in 2018. The decline followed the shutdown of the ‘CoinHive’ drive-by mining service.
Software supply chain attacks attracted public and government attention. In such attacks threat actors inject malicious code into components of legitimate applications, victimizing a large number of unsuspecting users. The accumulation of several cases since the beginning of the year led the American government to devote special attention to this evolving threat; it will soon publish official recommendations on ways to minimize the impact of such attacks.
In addition to the above major trends, there are three other cyber trends of 2018 that are still very relevant in 2019.
- The targeted ransomware approach which gained popularity during 2018 has proven effective in 2019; not a week goes by without some kind of tailored destructive ransomware attack hitting the headlines. One such prominent attack vector utilizes Emotet’s vast distribution and victim base to select lucrative targets. Emotet is used to spread TrickBot within the compromised corporate network which, in turn, deploys Ryuk or other ransomware as the final payload. From countless local government entities through a cloud hosting provider, industrial corporations and airports, this year every organization is a potential target of the catastrophe of targeted ransomware, led by Ryuk and LockerGoga.
- The infamous cryptominers remained a prevalent malware type in the first half of 2019’s threat landscape. This is despite the shutdown of the notorious drive-by mining service ‘CoinHive’ this March, which led to a decrease in the popularity of cryptominers among threat actors. As a result, and in order to remain prevalent in 2019, threat actors have been adopting a new approach to cryptominers, aiming at more rewarding targets than consumer PCs and designing more robust operations. Among the new victims one can find corporations, factories, powerful servers and even cloud resources. And if that was not enough, we have even seen them integrating cryptominers into a DDoS botnet for side profits.
- DNS attacks target one of the most important mechanisms that govern the internet – the Domain Name System (DNS). The DNS is in charge of resolving domain names into their corresponding IP addresses and is a crucial part of the internet’s trust chain. Such attacks target DNS providers, name registrars, and local DNS servers belonging to the targeted organization and are based on the manipulation of DNS records. DNS takeovers can compromise the whole network and enable multiple attack vectors: control of email communications, redirection of victims to a phishing site, and more. One of the biggest advantages DNS attacks provide is the option to obtain legitimate-looking certificates from Certificate Authorities, which rely on DNS to verify that the requester is the legitimate holder of the domain in question.
The growing popularity of DNS attacks pushed the Department of Homeland Security and the Internet Corporation for Assigned Names and Numbers (ICANN) to issue official warnings of a significant risk to this key component of the Internet infrastructure. Large incidents involving DNS attacks include attacks on government and internet and telecommunications infrastructure, as depicted in the recent DNSpionage and SeaTurtle campaigns.
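Because the attacks above work by silently changing an organization's DNS records, a practical defensive control is to snapshot the records a hijack typically alters (NS, A, MX) and alert on any drift from a known-good baseline. The script below is an added example, not part of the original report; the domain, baseline path and public resolver are placeholders, and it assumes the Resolve-DnsName cmdlet (Windows 8 / Server 2012 and later). Querying a chosen external resolver rather than the local one keeps the check independent of a possibly tampered internal DNS server.

```powershell
# Added example: detect drift in NS/A/MX records against a stored baseline.
param(
    [string]$Domain       = 'example.com',                    # placeholder domain
    [string]$BaselinePath = "$PSScriptRoot\dns-baseline.json",# assumed baseline location
    [string]$Resolver     = '9.9.9.9',                        # assumed public resolver
    [switch]$UpdateBaseline                                   # rewrite the baseline on purpose
)

function Get-DnsSnapshot {
    param([string]$Name, [string]$Server)
    $snapshot = @{}
    foreach ($type in 'NS', 'A', 'MX') {
        # -DnsOnly skips LLMNR/NetBIOS so only the chosen resolver answers
        $records = Resolve-DnsName -Name $Name -Type $type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $type }
        $values = switch ($type) {
            'NS' { $records | ForEach-Object { $_.NameHost } }
            'A'  { $records | ForEach-Object { $_.IPAddress } }
            'MX' { $records | ForEach-Object { "$($_.Preference) $($_.NameExchange)" } }
        }
        $snapshot[$type] = @($values | Sort-Object -Unique)
    }
    return $snapshot
}

$current = Get-DnsSnapshot -Name $Domain -Server $Resolver

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$drift = @()
foreach ($type in 'NS', 'A', 'MX') {
    $expected = @($baseline.$type)
    $observed = @($current[$type])
    # A record that appeared is the hijack signature; one that vanished is also worth a look
    $observed | Where-Object { $expected -notcontains $_ } | ForEach-Object { $drift += "$type UNEXPECTED $_" }
    $expected | Where-Object { $observed -notcontains $_ } | ForEach-Object { $drift += "$type MISSING    $_" }
}

if ($drift.Count -eq 0) {
    Write-Output "No DNS drift for $Domain"
} else {
    # Any change in NS or MX that was not a planned migration should be treated as an incident
    $drift | ForEach-Object { Write-Warning $_ }
}
```

Run it once to write the baseline, then on a schedule from a host outside the organization's own resolver path; re-run with -UpdateBaseline only after a planned DNS change.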
Top 48 Malware Family Descriptions
AdvisorsBot – AdvisorsBot is a sophisticated downloader first spotted in the wild in May 2018. Once AdvisorsBot has been downloaded and executed, the malware uses HTTPS to communicate with the C&C server. AdvisorsBot has significant anti-analysis features, including using “junk code” to slow down reverse engineering and Windows API function hashing to make it harder to identify the malware’s functionality.
AgentTesla – AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying between $15 and $69 for user licenses.
AmmyyRat – FlawedAmmyy is a remote access Trojan (RAT) that was developed from the leaked source code of the remote administration software Ammyy Admin. FlawedAmmyy has been used in both highly targeted email attacks and massive spam campaigns, and implements common backdoor features, allowing the attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions and much more.
AndroidBauts – AndroidBauts is an adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since its initial detection, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications on the Google Store.
Asacub – Asacub Mobile Banker was first introduced in 2015 as spyware. Nowadays Asacub functions as a banker targeting the victim’s bank account information, and is also capable of siphoning incoming SMS messages, browser history and contacts, as well as executing commands, intercepting messages, and turning off the phone or its screen. Asacub spreads via phishing SMS containing a link which leads to downloading the Trojan’s APK file onto the infected device.
AZORult – AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system (typically delivered by an exploit kit such as RIG), it can send saved passwords, local files, crypto-wallets, and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an AZORult C&C server with moderately low effort.
Bancos – Bancos steals financial information, using keylogging to record the victim’s credentials as they are entered on a targeted bank webpage. Bancos can also supplement or replace a legitimate bank login page with a fake webpage.
Coinhive – A cryptominer designed to mine Monero cryptocurrency in the browser when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end user’s computing resources to mine coins, degrading the machine’s performance.
DanaBot – DanaBot is a Trickler that targets the Windows platform. The malware sends information to its control server, then downloads and decrypts files to execute on the infected computer. The downloaded module is reported to be able to download other malicious files onto the system. Moreover, the malware creates a shortcut in the user’s startup folder to achieve persistence on the infected system.
DarkGate – DarkGate is a multifunction malware active since December 2017, combining ransomware, credential stealing, RAT and cryptomining abilities. Targeting mostly Windows, DarkGate employs a variety of evasion techniques.
Dorkbot – An IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system; its primary motivation is to steal sensitive information and launch denial-of-service attacks.
Dridex – Dridex is a Trojan that targets the Windows platform. This malware is reportedly delivered via an attachment found in spam emails. It identifies itself to a remote server by sending information about the infected system. Furthermore, it can download and execute arbitrary modules received from the remote server.
Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and recently has been used as a distributor for other malware and malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
GandCrab – GandCrab is a RaaS (Ransomware-as-a-Service) malware. First discovered in January 2018, it operated an “affiliates” program, with those joining paying 30%-40% of the ransom revenue to GandCrab and in return getting a full-featured web panel and technical support. Estimates are that it affected over 1.5 million Windows users before retiring and halting its activities in mid-2019. Decryption tools exist for all GandCrab versions.
Guerrilla – Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
Gustuff – Gustuff is an Android banking Trojan introduced in 2019, and capable of targeting customers of over 100 leading international banks, users of cryptocurrency services, and popular ecommerce websites and marketplaces. In addition, Gustuff can also phish credentials for various other Android payment and messaging apps, such as PayPal, Western Union, eBay, Walmart, Skype and others. Gustuff employs various evasion techniques including using the Android Accessibility Service mechanism to bypass security measures used by banks to protect against older generations of mobile Trojans.
Hawkeye – Hawkeye is an info stealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In past years, Hawkeye has gained the ability to take screenshots, spread via USB and more, in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware-as-a-Service).
Hiddad – Android malware that repackages legitimate apps, and then releases them to a third-party store. Its main function is displaying ads. However, it is also able to gain access to key security details built into the OS.
HiddenMiner – A strain of Android cryptominer that was spotted in April 2018. The HiddenMiner is delivered through a fake Google Play update app, exhausting the devices’ resources in mining Monero.
IcedID – IcedID is a banking Trojan which first emerged in September 2017, and usually uses other well-known banking Trojans, including Emotet, Ursnif and TrickBot, to increase its spread. IcedID steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake clone sites) and web injection attacks (injecting into the browser process to present fake content overlaid on top of the original page).
impacting the performance of the system.
Lezok – Lezok is an Android Trojan capable of downloading additional malware to the victim’s computer without the user’s consent, as well as generating pop-up advertisements when the user is surfing the Internet.
LockerGoga – LockerGoga ransomware was first seen in the wild towards the end of January 2018, targeting heavy industry companies. It appears that the threat actors behind the attack invest time and effort in choosing their victims and work to launch the attack with perfect timing and against critical assets. The attack usually involves encryption of the Active Directory server and endpoints, in order to leave no alternative other than paying the ransom. The combination of AES-256 and RSA makes the encryption very solid. However, poor code design makes the encryption process very slow.
LokiBot – LokiBot is an info stealer with versions for both Windows and Android. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY and more. LokiBot has been sold on hacking forums and is believed to have had its source code leaked, allowing a range of variants to appear. It was first identified in February 2016. Since late 2017 some Android versions of LokiBot include ransomware functionality in addition to their infostealing capabilities.
Lotoor – Lotoor is a hack tool that exploits vulnerabilities on Android operating systems in order to gain root privileges on compromised mobile devices.
Mirai – Mirai is a famous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks. Among them were a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States internet backbone.
Necurs – Necurs is one of the largest spam botnets currently active in the wild; it is estimated that in 2016 it consisted of some 6 million bots. The botnet is used to distribute many malware variants, mostly banking Trojans and ransomware.
Panda – Panda is a Zeus variant that was first observed in the wild at the beginning of 2016, and is distributed via Exploit Kits. Since its initial appearance, Panda has targeted financial services in Europe and North America. Before the Olympic Games of 2016, it also ran a special campaign against Brazilian banks.
Piom – Piom is adware which monitors the user’s browsing behaviour and delivers unwanted advertisements based on the user’s web activities.
Qbot – Qbot is a backdoor belonging to the Qakbot family. It is capable of dropping and downloading other malware. It also establishes a connection with a remote HTTP server without user consent and may steal important user information.
Ramnit – Ramnit is a banking Trojan which incorporates lateral movement capabilities. Ramnit steals web session information, giving worm operators the ability to steal account credentials for all services used by the victim, including bank accounts, corporate, and social
Retadup – Retadup is a Trojan that targets the Windows platform. It is reported that this malware is used for targeted attacks, and some variants come with keylogger, screen capture and password stealing capabilities. The malware is used to mine cryptocurrency on the infected system. It communicates with its remote control server and accepts commands to execute on the infected system.
Ryuk – A ransomware used in targeted and well-planned attacks against several organizations worldwide. The ransomware’s technical capabilities are relatively low, consisting of a basic dropper and a straightforward encryption scheme. Nevertheless, the ransomware was able to cause severe damage to the attacked organizations, and led them to pay extremely high ransoms of up to 320,000 USD in Bitcoin. Unlike common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network, with its infection and distribution carried out manually by the attackers. The malware encrypts files stored on PCs, storage servers and data centers.
Satan – Satan is a Ransomware-as-a-Service (RaaS) which first emerged in January 2017. Its developers offer a user-friendly web portal with customization options, allowing anyone who buys it to create custom versions of Satan ransomware and distribute it to victims. New versions of Satan were observed using the EternalBlue exploit to spread across compromised environments, as well as performing lateral movement using other exploits.
Sodinokibi – Sodinokibi is a Ransomware-as-a-Service operating an “affiliates” program; it was first spotted in the wild in 2019. Sodinokibi encrypts data in the user’s directory and deletes shadow copy backups in order to make data recovery more difficult. Moreover, Sodinokibi affiliates use various tactics to spread it: spam and server exploits, hacking into managed service provider (MSP) backends, and malvertising campaigns redirecting to the RIG exploit kit.
TheTruthSpy – An Android spyware that first emerged in May 2017. TheTruthSpy is capable of monitoring WhatsApp messages, Facebook chats, and internet browsing history.
Tinba – Tinba is a banking Trojan which targets mainly European banking customers and uses the BlackHole exploit kit. Tinba steals the victim’s credentials using web-injects, which are activated as the user tries to connect to their account.
Triada – A modular backdoor for Android which grants super-user privileges to downloaded malware. Triada has also been seen spoofing URLs loaded in the browser.
TrickBot – TrickBot is a Dyre variant that emerged in October 2016. Since its first appearance, it has been targeting banks, mostly in Australia and the U.K., and lately it has also started appearing in India, Singapore and Malaysia.
Ursnif – Ursnif is a Trojan that targets the Windows platform. It is usually spread through exploit kits – Angler and RIG, each in its time. It has the capability to steal information related to Verifone Point-of-Sale (POS) payment software. It contacts a remote server to upload collected information and receive instructions. Moreover, it downloads files onto the infected system and executes them.
Virut – Virut is one of the major botnets and malware distributors on the Internet. It is used in DDoS attacks, spam distribution, data theft and fraud. The malware is spread through executables originating from infected devices such as USB sticks as well as compromised websites, and attempts to infect any accessed file with the extension .exe or .scr. Virut alters the local hosts file and opens a backdoor by joining an IRC channel controlled by a remote attacker.
WannaMine – WannaMine is a sophisticated Monero cryptomining worm that spreads using the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.
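A host-level check for the two things WannaMine depends on, written as an added example (not code from the original report): it enumerates the WMI permanent event subscriptions in root\subscription (filter, consumer and the binding between them), which is where this kind of persistence lives, and reports whether SMBv1, the protocol EternalBlue targets, is still enabled. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-CimInstance and the SmbShare module are available.

```powershell
# Added example: enumerate WMI persistence and SMBv1 exposure on the local host.
function Get-WmiEventSubscription {
    $ns = 'root\subscription'
    $consumers = foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)) {
        # Only the concrete consumer classes carry something that executes:
        # CommandLineEventConsumer runs a command line, ActiveScriptEventConsumer runs script text
        $payload = $null
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $payload = $c.ScriptText }
        [pscustomobject]@{
            Name    = $c.Name
            Class   = $c.CimClass.CimClassName
            Payload = $payload
        }
    }
    return [ordered]@{
        Filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query)
        Consumers = @($consumers)
        Bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer)
    }
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration ships with Windows in the SmbShare module
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

$subs = Get-WmiEventSubscription
Write-Output ("WMI subscriptions - filters: {0}, consumers: {1}, bindings: {2}" -f
    $subs.Filters.Count, $subs.Consumers.Count, $subs.Bindings.Count)

# A stock Windows install normally carries only the built-in 'SCM Event Log Filter' /
# 'SCM Event Log Consumer' pair. Anything else, above all a CommandLineEventConsumer or
# ActiveScriptEventConsumer bound to a timer or process-start filter, needs an owner.
foreach ($c in $subs.Consumers) {
    if ($c.Name -ne 'SCM Event Log Consumer') {
        Write-Warning ("Non-default WMI consumer '{0}' ({1}): {2}" -f $c.Name, $c.Class, $c.Payload)
    }
}
foreach ($f in $subs.Filters) {
    if ($f.Name -ne 'SCM Event Log Filter') {
        Write-Warning ("Non-default WMI filter '{0}' with query: {1}" -f $f.Name, $f.Query)
    }
}

if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled: EternalBlue-style spreading remains possible on this host. Disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force.'
} else {
    Write-Output 'SMBv1 is disabled.'
}
```

Record the output from a clean reference build first, so that later runs can be compared against a known-good set of subscriptions rather than judged in isolation.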
XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
Zeus – Zeus is a widely distributed Windows Trojan which is mostly used to steal banking information. When a machine is compromised, the malware sends information such as the account credentials to the attackers using a chain of C&C servers.
To protect your organization from these attacks that get in through end users, think about End-User Cybersecurity Training. If you feel your cybersecurity plan isn't strong enough to defend against this extensive list of malware, schedule a free consultation with one of our cybersecurity experts now. We will be glad to find the gaps and help build your plan to protect your devices and more.