Webroot highlighted the nastiest malware wreaking havoc this year. With the threat landscape constantly changing, this segment summarises the notable malware of 2018 and gives top cyber security tips to stop it from causing havoc.
Botnets and banking trojans
Emotet is an advanced, modular banking Trojan. It primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be the most costly and destructive malware affecting governments and the private and public sectors. It seeks to increase the number of zombies in its spam botnet, with a concentration on credential gathering. Threat actors have recently added a Universal Plug and Play (UPnP) module that allows Emotet to turn victims' routers into potential proxy nodes for its command-and-control infrastructure.
Trickbot attacks are intended to access online accounts, including bank accounts, with the aim of procuring Personally Identifiable Information (PII) that can then be used to facilitate identity fraud. It exploits trusted commercial and government brands using well-crafted phishing emails to initiate an infection.
Zeus Panda has similar functionality to Trickbot but has more interesting distribution methods, including macro-enabled Word documents, exploit kits and even compromised remote monitoring and management services. Most of its code is derived from the original Zeus trojan, and it retains the code to carry out man-in-the-browser, keystroke logging, and form-grabbing attacks.
Top tips for security include:
- Provide awareness and training for staff who may be the end users targeted by banking trojans
- Open channels for staff to be able to report suspected phishing attempts
- Ensure operating systems, software and firmware on devices are kept patched and updated as vulnerabilities are discovered
- Use an email filtering system or service to identify phishing threats, particularly around malicious attachments
- Ensure anti-virus (AV) software is installed on end-points and kept regularly updated with scans carried out regularly
- Manage the use of privileged accounts and ensure the principle of least privilege is implemented
- Disable macros from Office files transmitted via e-mail
- Prevent access to malicious websites, including the downloading of the malware installed during these attacks
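The "disable macros" tip above is a registry-backed setting that can be audited. The following script is an added example, not part of the original article: it reads the real VBAWarnings and BlockContentExecutionFromInternet values that Word, Excel and PowerPoint honour (16.0 covers Office 2016/2019/365, 15.0 is Office 2013) and flags any application whose effective policy would still let a user run a macro delivered by e-mail.

```powershell
# Added example, not from the article: audit the per-user Office macro policy.
# Group Policy writes under Software\Policies, the Trust Center UI under Software\Microsoft.
function Get-OfficeMacroPolicy {
    $apps     = 'Word', 'Excel', 'PowerPoint'
    $versions = '16.0', '15.0'
    $roots    = 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office'
    $meaning  = @{
        1 = 'Enable all macros (unsafe)'
        2 = 'Disable with notification (user can still click Enable Content)'
        3 = 'Disable except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    foreach ($root in $roots) {
        foreach ($ver in $versions) {
            foreach ($app in $apps) {
                $key = "$root\$ver\$app\Security"
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty -Path $key
                $vba   = $props.VBAWarnings                       # Trust Center macro setting
                $motw  = $props.BlockContentExecutionFromInternet # block macros in Mark-of-the-Web files
                # Attachments saved from e-mail carry the Mark of the Web, so either MOTW
                # blocking (=1) or an outright disable (3 or 4) satisfies the tip.
                $ok = ($motw -eq 1) -or ($vba -in 3, 4)
                [pscustomobject]@{
                    Application         = "$app $ver"
                    Source              = if ($root -like '*Policies*') { 'GroupPolicy' } else { 'TrustCenter' }
                    VBAWarnings         = if ($null -ne $vba) { "$vba - $($meaning[[int]$vba])" } else { 'not set (default 2)' }
                    BlockInternetMacros = if ($motw -eq 1) { 'yes' } else { 'no' }
                    Status              = if ($ok) { 'OK' } else { 'REVIEW' }
                }
            }
        }
    }
}

$results = Get-OfficeMacroPolicy
if ($results) { $results | Format-Table -AutoSize }
else { 'No Office macro security keys found for this user (Office defaults apply).' }
```

Run it in the context of the end user whose settings you want to check; a `REVIEW` row means a macro-laden attachment would prompt the user rather than be blocked.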
Cryptomining and cryptojacking
GhostMiner is a fileless cryptomining malware that contains innovative coding that could make it dangerous but may have inadvertently given security experts the keys to its own undoing. GhostMiner specifically targets Oracle WebLogic servers and spreads by scanning IP addresses. During its scans, it looks for running instances of WebLogic software, MSSQL, or phpMyAdmin, and spreads to machines with those applications. GhostMiner’s distribution method is the scariest part for its victims because they don’t know its entry point, similar to a scary movie where you know someone’s in the house, but you don’t know where. GhostMiner is most commonly seen being distributed via an exploit in Oracle WebLogic (CVE-2018-2628).
WannaMine penetrates computer systems through an unpatched SMB service and gains code execution with high privileges, then propagates across the network, gaining persistence and arbitrary code execution on as many machines as possible. WannaMine's Windows Management Instrumentation (WMI) persistence technique is extremely nasty, allowing it to remain stealthy and difficult to find and remove.
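The WMI persistence mentioned above is a permanent event subscription, which is something defenders can enumerate directly. This script is an added example, not code from the article or from Webroot: it lists every filter-to-consumer binding in `root/subscription` and flags the ones whose consumer runs a command line or script, since that is where a dropper or miner launcher would sit. It must run elevated, and a stock Windows host normally shows only benign entries such as the "SCM Event Log" filter/consumer pair.

```powershell
# Added example, not from the article: hunt for permanent WMI event subscriptions.
function Get-WmiSubscriptionPersistence {
    $ns        = 'root/subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Filter and Consumer are object references; resolve them to the full instances by Name
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $type = $c.CimClass.CimClassName
        # The payload property differs per consumer class; only these two execute code
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter     = $f.Name
            Trigger    = $f.Query   # WQL, e.g. a __TimerEvent or a process-start event
            Consumer   = $c.Name
            Type       = $type
            Payload    = $payload
            Suspicious = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiSubscriptionPersistence | Sort-Object Suspicious -Descending | Format-List
```

Treat any `Suspicious = True` entry you did not deploy yourself as an incident; removing the binding, filter and consumer (in that order) with `Remove-CimInstance` clears the persistence, but preserve copies first for the investigation.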
Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on websites. The code uses some or all of the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine bits of the Monero cryptocurrency. Coinhive, initially innocent, was quickly added to the standard toolkit of attackers compromising websites. Even legitimate website owners are using Coinhive without knowing the impact it will have on their visitors. If your CPU usage spikes to 100 percent when simply visiting a website, it might be Coinhive.
Top tips for security include:
- Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts
- Install an ad-blocking or anti-cryptomining extension on web browsers
- Use endpoint protection that is capable of detecting known crypto miners
- Keep your web filtering tools up to date
- Maintain browser extensions
- Use a mobile device management (MDM) solution to better control what’s on users’ devices
Ransomware
Dharma ransomware has been spreading as an alternative to Crysis ransomware, as they share similar traits and are considered congeneric. Crysis/Dharma goes hand in hand with the term "compromised RDP." This ransomware has been evolving to remain one of the top dogs of the ransomware as a service (RaaS) world and specifically targets the RDP vector. System administrators consistently return to work after a weekend to find one or more of their machines encrypted, usually without knowing the source.
GandCrab is the first ransomware that demands payment in DASH cryptocurrency and utilises the ".bit" top level domain (TLD). This TLD is not sanctioned by ICANN and therefore provides an extra level of secrecy to the attackers. GandCrab is yet another RaaS. It is especially nasty, as it is distributed via malspam campaigns, exploit kits, and RDP.
SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. SamSam, initially distributed via a JBoss exploit, soon turned to RDP and is now bringing down entire cities (or portions of them, at least). SamSam uses vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims' network, or brute force against weak passwords to obtain an initial foothold. You've likely seen these attacks in the news for taking down the city of Atlanta or the Colorado Department of Transportation.
Top tips for security include:
- Back up data
- Report and ignore suspicious phishing emails and links
- Patch and block
- Disconnect infected machines from the network
Visit cyber.qa.com for more information on how QA can help solve the cyber security skills gap.
James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.