
Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners

Researchers: Targeted Crime Attacks Surge, Continue to Blend With Nation-State Campaigns
The five most prevalent types of malware seen in non-targeted attacks in the first half of 2019 (Source: CrowdStrike)

Two banking Trojans, as well as various strains of cryptocurrency mining malware, continue to be among the most-seen types of malicious code being employed in nontargeted online attacks, according to a new report from cybersecurity firm CrowdStrike.


The report, which describes online attack trends the company saw in the first half of 2019, says the most prevalent malware strains used in nontargeted attacks were Emotet and Trickbot, followed by various strains of cryptocurrency mining malware, Gozi and Dridex.

While Emotet, Trickbot and Gozi - aka Ursnif - began life as banking Trojans, today they have much more functionality, including the ability to act as a dropper. This means that after gaining a foothold on an infected system, they can install or "drop" additional malware - including ransomware - onto endpoints, as well as push additional functional modules (see: Repeat Trick: Malware-Wielding Criminals Collaborate).

Emotet Steals Emails

Numerous other security firms have also called out Emotet for being the most prevalent type of malware now seen in the wild, noting that it continues to be updated with new functionality (see: Emotet Botnet Shows Signs of Revival).

For example, cybersecurity firm Secureworks notes that one Emotet module gives attackers the ability to grab the first 8 KB of every email in a victim's email inbox and send it back to the botnet's command-and-control server.

Researchers at the security firm Cisco Talos say the malware uses the stolen data to create socially engineered spam. "Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads," they say.

Trickbot Targets Telco Customers

Trickbot, the second most-seen type of malware in the wild attacking CrowdStrike customers in the first half of this year, has also continued to be revamped. The malware has long had the ability to spoof legitimate banking sites via web injection, which presents users with a preprogrammed, look-alike version of a site when they navigate to the legitimate URL.

In August, Secureworks' Counter Threat Unit reported that the malware had been updated to include web injects for the websites of three U.S. mobile carriers: Sprint, T-Mobile and Verizon Wireless.

"When a victim navigates to the website of one of these organizations, the legitimate server response is intercepted by TrickBot and proxied through a command-and-control server. This 'C2' server injects additional HTML and JavaScript into the page, which is then rendered in the victim's web browser," Secureworks reports. "For all three carriers, injected code causes an additional form field that requests the user’s PIN code."

TrickBot-modified form (left) versus original form for Verizon Wireless (Source: Secureworks)

Secureworks says the targeting of mobile PIN codes appears to be an attempt to perpetrate SIM swapping fraud, which enables fraudsters to intercept one-time codes sent via SMS, which can help them drain online bank accounts and cryptocurrency hot wallets (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
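The injection Secureworks describes above works by adding markup to a legitimate page before the browser renders it, so one defensive check is to compare the form a user is actually served against a trusted copy of the real one. The following Python is an added example written for this article, not code from Secureworks, CrowdStrike or any carrier; the two HTML documents are constructed samples that stand in for a carrier login page before and after an inject, and the injected `<script>` body is an inert placeholder.

```python
from html.parser import HTMLParser
from typing import List, Set, Tuple

# Constructed sample markup (not any carrier's real page): the legitimate login
# form as a trusted baseline, and the same page after a web inject has added a
# PIN field and an extra inline script. The script body is a harmless placeholder.
BASELINE_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

INJECTED_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="pin" type="text" placeholder="Account PIN">
  <button type="submit">Sign in</button>
</form>
<script>/* placeholder for injected script (constructed) */</script>
</body></html>
"""


class FormProfile(HTMLParser):
    """Collect the names of fields inside <form> elements and count <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Set[str] = set()
        self.script_count = 0
        self._in_form = False

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif tag in ("input", "select", "textarea") and self._in_form and a.get("name"):
            self.fields.add(a["name"].lower())
        elif tag == "script":
            self.script_count += 1

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._in_form = False


def profile(html: str) -> FormProfile:
    """Parse a page and return its form-field names and script count."""
    p = FormProfile()
    p.feed(html)
    p.close()
    return p


def unexpected_fields(baseline_html: str, observed_html: str) -> List[str]:
    """Form fields present in the observed page but absent from the trusted baseline."""
    return sorted(profile(observed_html).fields - profile(baseline_html).fields)


def extra_scripts(baseline_html: str, observed_html: str) -> int:
    """How many more <script> tags the observed page carries than the baseline."""
    return profile(observed_html).script_count - profile(baseline_html).script_count


if __name__ == "__main__":
    print("unexpected fields:", unexpected_fields(BASELINE_HTML, INJECTED_HTML))
    print("extra scripts:", extra_scripts(BASELINE_HTML, INJECTED_HTML))
```

The comparison is only meaningful when the baseline comes from a vantage point the malware does not control: because the inject happens on the infected host before the page reaches the browser, TLS does not prevent it, and a check that runs on the same endpoint sees the modified page on both sides. Site owners who fetch their own login page from clean, independent networks and diff it against the deployed source, or who review support reports of an unfamiliar PIN prompt, are applying the same idea.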

Ransomware Onslaught Continues

While ransomware strains don't rank in CrowdStrike's top five list of malware recently seen in nontargeted attacks, security experts say crypto-locking malware remains prevalent, persistent and damaging. In part, that's because it's proven to be an easy money-maker for crime gangs.

"Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent," the FBI warns in a Wednesday alert. "Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly."

Top 10 malware categories mentioned on underground cybercrime and hacking forums (Source: Recorded Future)

No wonder then that threat intelligence firm Recorded Future's Insikt Group found that from May 2018 to May 2019, ransomware was the most discussed form of malware on underground forums.

Targeted Crime Attacks Surge

Looking beyond nontargeted attack attempts, CrowdStrike reports that for attacks that could be attributed to a nation-state actor or cybercrime group, China remains the most active - or actively seen - actor. The report says: "CrowdStrike has observed China target the most industries across the board, including chemical, gaming, healthcare, hospitality, manufacturing, technology and telecom."

Another trend this year, says Jen Ayers, vice president of CrowdStrike's Falcon OverWatch threat-hunting service, has been the increasing crossover between nation-state groups and cybercrime gangs. "I don’t want to say that those lines have completely blurred, but they are really blurring," she tells Information Security Media Group (see: Cybercrime Groups and Nation-State Attackers Blur Together).

While the overall quantity of nation-state attacks doesn't appear to have declined or escalated this year, CrowdStrike says it has charted a sharp increase in targeted attacks apparently being launched by gangs that have a monetary focus, such as stealing payment card data or personally identifiable information.

Ayers says that overall, cybercrime gangs' sophistication also continues to increase, with some gangs moving far beyond "spray and pray" tactics. For more sophisticated crime gangs, "if it is a distinct, identified target, it's very smooth in terms of their entry point, using web shells or remote desktop protocol, doing credential dumping, or if they'd previously dumped credentials, going to very specific locations, such as targeting particular high-value servers of interest," she says. "For sure, this is a level of sophistication that we have seen grow over the last year."

Tooling: Customized Malware Declines

While criminal sophistication has been increasing, when it comes to attack tools, "customization is definitely on the decline," Ayers says. "We are not seeing as much of that any more" by cybercrime gangs, she adds, while noting that some nation-state attackers continue to deploy custom malware, although less frequently.

The easy availability of resources such as the legitimate penetration testing tool Cobalt Strike - similar to Metasploit - as well as memory scraping tool Mimikatz and scripting framework PowerShell means that cybercrime and nation-state attackers alike have more effective, free options at their disposal, Ayers notes.

"If it already exists, why not just reuse what you have?" she says, with the added benefit that for nation-state hacking groups, looking like a cybercrime gang makes their efforts tougher for defenders to attribute. The same goes for living-off-the-land tactics, referring to attackers using legitimate tools to disguise their illicit activities - for example, using the PsExec command-line tool to execute processes on remote systems.

Criminals are also adopting some new, free tools. "We are seeing the introduction of a couple of new tools, including basic tools to deploy evasion techniques," she says, pointing to PC Hunter and Process Hacker.

Source: CrowdStrike
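Living-off-the-land tools such as PsExec are hard to attribute precisely because they are legitimate, but they still leave artifacts that a defender can hunt for: by default PsExec installs a Windows service named PSEXESVC on the remote host, which surfaces as a service-installation event (System log Event ID 7045) and as a process-creation event for the service binary. The following Python is an added example for this article, not CrowdStrike's or Sysinternals' code; the event lines are constructed samples in a simplified key=value rendering, not real log output.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the article): a simplified key=value rendering
# of Windows System-log "service installed" (7045) and Security-log "process created"
# (4688) records from two hypothetical hosts, FS01 and WS07.
SAMPLE_EVENTS = [
    r'EventID=7045 Host=FS01 ServiceName=PSEXESVC ImagePath="%SystemRoot%\PSEXESVC.exe" Account=LocalSystem',
    r'EventID=7045 Host=WS07 ServiceName=Spooler ImagePath="%SystemRoot%\System32\spoolsv.exe" Account=LocalSystem',
    r'EventID=4688 Host=FS01 NewProcessName="C:\Windows\PSEXESVC.exe" ParentProcessName="C:\Windows\System32\services.exe"',
    r'EventID=4688 Host=WS07 NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Windows\explorer.exe"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict of field name to value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


def is_psexec_artifact(event: Dict[str, str]) -> bool:
    """True when the event carries PsExec's default service name or service binary."""
    service = event.get("ServiceName", "").lower()
    image = (event.get("ImagePath") or event.get("NewProcessName") or "").lower()
    return service == "psexesvc" or image.endswith("psexesvc.exe")


def find_psexec_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the subset of events that look like PsExec activity, with host and event ID."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_psexec_artifact(event):
            hits.append({"host": event.get("Host", "?"),
                         "event_id": event.get("EventID", "?"),
                         "line": line})
    return hits


def hosts_with_psexec(lines: List[str]) -> List[str]:
    """Distinct hosts on which PsExec artifacts were observed."""
    return sorted({hit["host"] for hit in find_psexec_events(lines)})


if __name__ == "__main__":
    for hit in find_psexec_events(SAMPLE_EVENTS):
        print(f"{hit['host']} event {hit['event_id']}: {hit['line']}")
    print("hosts:", hosts_with_psexec(SAMPLE_EVENTS))
```

Matching on the default name is the cheapest check and catches unmodified use, but PsExec lets the operator rename the service, so a hunt should also flag any newly installed service whose binary was dropped into the Windows directory and correlate it with logons from administrative tooling hosts; the point, as Ayers notes, is that the tool is legitimate, so the question is whether this use of it on this host at this time is expected.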

Hygiene Counts

From a threat-hunting perspective, Ayers says that comparing customers in the same industry sector and geographic area reveals that organizations with better security maturity are at less risk of suffering a breach - or being attacked.

"One thing I am noticing that I think we can generalize on … is that these adversaries are certainly looking for ... call it ease of use," she says. "The tighter the security maturity of a customer tends to be, the less an adversary is going to be interested. Like any other human in the world, they're going to pick the path of least resistance."

Basic security hygiene counts, she says, pointing to ensuring there are strong user awareness programs, reliable vulnerability and patch management processes, and mandatory multifactor authentication for account access. MFA can help blunt the effect of a breach by continuing to deny attackers access to targeted accounts - or at least slowing down their efforts to such a degree that they simply look elsewhere.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
