Malware Moves: Attackers Retool for Cryptocurrency TheftNew and Repurposed Attack Code Steals Passwords, Drops Miners and Ransomware
New research reports from information security firms that track online attacks and cybercrime trend show that malicious code developers remain hard at work. Indeed, they continue to update or issue fresh versions of cryptocurrency miners, crypto-locking ransomware, banking Trojans and other malware (see: GandCrab Ransomware: Cat-and-Mouse Game Continues).
Looking at such efforts from a high-level perspective, they're ruled by a simple, straightforward imperative: "Criminals like to make money," says Brian Honan, who heads BH Consulting in Dublin.
As a result, if a particular type of attack leads to an illicit payday for an individual or group, those attacks are likely to continue. Nevertheless, some gangs appear to keep diversifying by using malware droppers - the attack code that initially infects a PC or server - to push an ever-changing array of attack code onto victims' PCs and servers.
WebCobra: No Bundle of Joy
While ransomware continues to pummel organizations, security experts say that what's especially hot right now is cryptocurrency-mining malware. And a new strain of malicious code called WebCobra, which appears to have been built by Russian developers, is the latest example of malware that's designed to use infected systems' CPUs to mine for cryptocurrency, say McAfee researchers Kapil Khade and Xiaobing Lin in a blog post.
"Coin mining malware is difficult to detect," they say. "Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation."
Victims, however, are left paying the energy costs from all of this CPU usage. Crescent Electric Supply Company in January estimated that in the U.S., the cost of mining a single bitcoin ranged from $531 to $26,170, depending on the state in which the mining occurred.
"The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims' consent," the McAfee researchers say.
In the case of WebCobra, the researchers believe the malware is being distributed by shady applications, or what the industry often refers to as PUPs - potentially unwanted programs - that may come bundled with wallpaper or purportedly free versions of paid applications.
WebCobra also has a few tricks up its sleeve; it customizes attacks based on the type of system it manages to reach. "This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects," the McAfee researchers say.
Coin-Mining Malware Remains Hot
The researchers expect the prevalence of these types of attacks to keep increasing, as it has done for the past 12 months.
"Coin-mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value," they say. "Mining coins on other people's systems requires less investment and risk than ransomware and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain."
The ease of running such attacks, together with the difficulty victims have in spotting them, have led to a dramatic increase in such campaigns, security experts say.
"Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017, and recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down," the report says.
Raj Samani, chief scientist at McAfee, says cryptomining attacks have surged over the past year because such attacks are "simpler, more straightforward, and less risky than traditional cybercrime activities."
Trickbot Learns New Tricks
Meanwhile, modular malware called Trickbot, which has also been used to mine for cryptocurrency, is up to new tricks.
"TrickBot has traditionally targeted banking customers in multiple geographies to steal login credentials in order to commit identity fraud and facilitate fraudulent transactions," researchers at Digital Shadows say in an emailed research report.
But its designers have been adding additional capabilities that appear designed to extend the reach of the malware. In February, TrickBot's designers added an open source monero cryptocurrency-mining module, and in March, also the ability to crypto-lock devices, "potentially helping threat actors to extort victims," the research report says.
Last month, Vitali Kremez, director of research at threat intelligence firm Flashpoint, warned the TrickBot had been updated to included a module designed to steal passwords from multiple types of applications and browsers.
"Spoofed email accounts imitating Microsoft Office sent messages to United Kingdom victims, while United States and Canadian users received emails from a fake account associated with the Bank of Montreal," Digital Shadows said.
In September, the U.K.'s National Cyber Security Center issued recommendations for defending against Trickbot, warning that small and mid-size businesses were being especially targeted.
Emotet Hides in Word Documents
Another piece of malware, called Emotet - aka heodo - is also being used in new ways.
When Emotet was first seen in 2014, it was a standalone banking Trojan, Symantec in July reported that Mealybug, the group behind the malware, has diversified into also distributing malware for others, and predominantly targeted organizations in the U.S.
"I commonly see follow-up malware like Trickbot and Zeus Panda Banker during Emotet infections generated in my lab environment," says Brad Duncan (@malware_traffic), a threat intelligence analyst, for the Unit 42 research group at Palo Alto Networks, in a SANS Institute blog post.
Indeed, Emotet was blamed for the Oct. 4 attack against Onslow Water and Sewer Authority in Jacksonville, North Carolina. As the water utility struggled to expunge the malware from its systems, attackers on Oct. 13 used Emotet to push Ryuk ransomware onto the utility's systems.
IcedID IcedID Baby
Last week, Duncan said he discovered Emotet as the payload inside Microsoft Word documents with malicious macros enabled (see Hello! Can You Please Enable Macros?).
If allowed to execute, the macros downloaded the IcedID banking Trojan onto a system, he said. While Emotet's behavior is not unusual, the latest attack campaign "is yet another reminder the criminals behind Emotet remain active, and they continue to push follow-up malware like the IcedID banking Trojan," Duncan said.