New research reports from information security firms that track online attacks and cybercrime trends show that malicious code developers remain hard at work. Indeed, they continue to update or issue fresh versions of cryptocurrency miners, crypto-locking ransomware, banking Trojans and other malware.
Looking at such efforts from a high-level perspective, they’re ruled by a simple, straightforward imperative: “Criminals like to make money,” says Brian Honan, who heads BH Consulting in Dublin.
As a result, if a particular type of attack leads to an illicit payday for an individual or group, those attacks are likely to continue. Nevertheless, some gangs appear to keep diversifying by using malware droppers – the attack code that initially infects a PC or server – to push an ever-changing array of attack code onto victims’ PCs and servers.
WebCobra: No Bundle of Joy
While ransomware continues to pummel organizations, security experts say that what’s especially hot right now is cryptocurrency-mining malware. And a new strain of malicious code called WebCobra, which appears to have been built by Russian developers, is the latest example of malware that’s designed to use infected systems’ CPUs to mine for cryptocurrency, say McAfee researchers Kapil Khade and Xiaobing Lin in a blog post.
“Coin mining malware is difficult to detect,” they say. “Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation.”
Victims, however, are left paying the energy costs from all of this CPU usage. Crescent Electric Supply Company in January estimated that in the U.S., the cost of mining a single bitcoin ranged from $531 to $26,170, depending on the state in which the mining occurred.
“The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent,” the McAfee researchers say.
In the case of WebCobra, the researchers believe the malware is being distributed by shady applications, or what the industry often refers to as PUPs – potentially unwanted programs – that may come bundled with wallpaper or purportedly free versions of paid applications.
WebCobra also has a few tricks up its sleeve; it customizes attacks based on the type of system it manages to reach. “This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects,” the McAfee researchers say.
Coin-Mining Malware Remains Hot
The researchers expect the prevalence of these types of attacks to keep increasing, as it has done for the past 12 months.
“Coin-mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value,” they say. “Mining coins on other people’s systems requires less investment and risk than ransomware and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.”
The ease of running such attacks, together with the difficulty victims have in spotting them, has led to a dramatic increase in such campaigns, security experts say.
“Cryptocurrency mining detections have increased sharply between 2017 and 2018,” the Cyber Threat Alliance says in a report released in September.
“Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017, and recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down,” the report says.
Raj Samani, chief scientist at McAfee, says cryptomining attacks have surged over the past year because such attacks are “simpler, more straightforward, and less risky than traditional cybercrime activities.”
TrickBot Learns New Tricks
Meanwhile, modular malware called TrickBot, which has also been used to mine for cryptocurrency, is up to new tricks.
“TrickBot has traditionally targeted banking customers in multiple geographies to steal login credentials in order to commit identity fraud and facilitate fraudulent transactions,” researchers at Digital Shadows say in a research report.
But TrickBot’s designers have been adding capabilities that appear designed to extend the reach of the malware. In February, TrickBot’s designers added an open source Monero cryptocurrency-mining module. And in March, they added the ability to crypto-lock devices, “potentially helping threat actors to extort victims,” the research report says.
Last month, Vitali Kremez, director of research at threat intelligence firm Flashpoint, warned that TrickBot had been updated to include a module designed to steal passwords from multiple types of applications and browsers.
10-19-2018: #TrickBot #Banker #Malware Group:
New “pwgrab.dll” aka “PasswordGrabber” Module
Soft Targeted ->
Dev Comment | Even Ports HTTP & Odd Ports HTTPS
Date: November 27, 2018