Malware Trends - Q1 2016

April 7, 2016 by Ixia Blog Team

Author: Oana Murarasu. You think you’ve got it all sorted out when it comes to malware? Well, think again. Every day hundreds of thousands of new malware samples are observed, courtesy of the relentless toil and innovation of malware authors around the world. Some samples that get reverse-engineered appear unique and complex, revealing that we are actually dealing with advanced creators. Some are variations of old, well-known malware. Some are easy to identify and detect. Most are recompiled or obfuscated samples of the same malware. Regardless, all types of malware are highly effective once perimeter defenses have been breached.

2016 has already become yet another year that has contributed to the exponentially growing number of malware families. The first few months have brought malware targeting operating systems that had previously received far less attention than others. One example is OS X. Not long ago, ransomware that targeted this operating system was functionally incomplete (see FileCoder, discovered by Kaspersky in 2014). Then KeRanger appeared in early March and the Internet sat up and took notice. A fully functional ransomware had arrived, and Mac users were no longer being overlooked. The surprise should not be that OS X was targeted, but that it took so long for a strong ransomware contender to appear, considering the target-rich environment that the platform provides.

With the above concerns in mind, let’s recap some of the malware news for the first months of 2016.

Triada - Android

Triada is a recently discovered Android malware with a modular architecture that provides full access to an infected system. The key feature of Triada is its ability to inject itself into the Zygote process. This process contains the core system libraries and frameworks used by installed applications and serves as the template from which every new application process is forked. Think of it as the init process of Android. By injecting its code into Zygote, Triada gains visibility and control over all the applications installed on a device. This control provides the attackers with a means of collecting SMS messages, as is the case with Triada, but could be expanded to harvesting emails, stealing browser session cookies, monitoring phone calls, injecting ads, or interfering with just about any phone-based activity.

Retefe - Windows and Android Hybrid


Retefe is a malware family first seen in 2014. At that time, it didn’t attract a lot of attention since it targeted users mostly in Sweden, Austria, Switzerland, and Japan. Recently Retefe has evolved to bypass the two-factor authentication used by banks. The malware is distributed through phishing emails that contain zip archives with malicious executables inside. Once installed, all traffic towards certain banks is redirected to a proxy. The user is prompted with a pop-up notifying them of a site modification that requires new credentials. Afterwards another pop-up offers the choice of two-factor authentication via SMS or RSA token. The user provides their mobile phone number and the phone’s operating system and receives an SMS with instructions to install a new Android Application Package (APK). By luring the user into installing that application, the attacker not only gains control over the mobile phone but also gets to hijack the legitimate SMS messages sent by the bank. This mechanism hands the second authentication factor over to the hijackers, who can then drain the bank account at their leisure.

Locky – Windows

Figure 2

Locky is a new ransomware for Windows systems. This malware has received a lot of attention since it was discovered in February. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other recent ransomware, it encrypts local files as well as network shares with AES encryption and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.
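The file-renaming behaviour described above is something a defender can watch for on file servers and shares. The following is an added example, not code from the Ixia post or from any Locky analysis: it scans a directory listing for names that fit the `[unique_id][identifier].locky` pattern and raises an alert when many files share one victim id, which is the signature of a bulk encryption run rather than a single oddly named file. The post only gives the pattern; the assumption that each part is 16 upper-case hexadecimal characters is ours, and the sample listing is constructed.

```python
# Added example (not from the Ixia post): flag file names matching Locky's
# documented "[unique_id][identifier].locky" renaming on a directory listing.
# Assumption (ours, not the post's): each part is 16 upper-case hex characters.
import re
from collections import Counter

LOCKY_NAME = re.compile(r"^(?P<uid>[0-9A-F]{16})(?P<fid>[0-9A-F]{16})\.locky$")


def is_locky_name(name: str) -> bool:
    """True if a bare file name matches the assumed Locky renaming scheme."""
    return LOCKY_NAME.match(name) is not None


def scan_listing(paths):
    """Return (hits, uid_counts): paths that look Locky-renamed, and how many
    files share each victim id. Many files under one id is the real signal."""
    hits = []
    uids = Counter()
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        m = LOCKY_NAME.match(name)
        if m:
            hits.append(p)
            uids[m.group("uid")] += 1
    return hits, uids


def likely_locky_run(paths, threshold=3):
    """Alert when at least `threshold` renamed files share the same victim id."""
    _, uids = scan_listing(paths)
    return any(n >= threshold for n in uids.values())


# Constructed sample listing: a share after a hypothetical encryption run.
SAMPLE = [
    "/srv/share/finance/0123456789ABCDEF0011223344556677.locky",
    "/srv/share/finance/0123456789ABCDEF8899AABBCCDDEEFF.locky",
    "/srv/share/hr/0123456789ABCDEF1234567890ABCDEF.locky",
    "/srv/share/hr/README.txt",
    "/srv/share/hr/payroll.xlsx",
    "/srv/share/misc/notes.locky",   # wrong shape: extension alone is not a hit
]

if __name__ == "__main__":
    hits, uids = scan_listing(SAMPLE)
    print(f"{len(hits)} Locky-looking files, victim ids: {dict(uids)}")
    print("bulk rename detected:", likely_locky_run(SAMPLE))
```

Matching on the full id pattern rather than the `.locky` extension alone keeps a stray renamed file from triggering an alert, while counting files per victim id catches the bulk rename that an encryption run leaves behind.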

KeRanger - OS X

Figure 3

KeRanger is one of the first documented ransomware families to target Mac users. It was recently discovered by Palo Alto Networks packaged with the popular BitTorrent client Transmission. After installation on the victim’s machine, KeRanger encrypts documents, images, video files, email archives and databases located on the hard drive. Victims are then asked to pay a bitcoin ransom to get their files decrypted. To date, KeRanger has only been detected in the Transmission app for Mac, but more than likely we will see it appear again shortly.
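Because KeRanger arrived inside a legitimate application's installer, the practical check on the user's side is to verify the downloaded package against the publisher's digest before installing it. The block below is an added example, not code from the Ixia post or from the Transmission project: it streams a file through SHA-256 and compares the result with a published value in constant time. The installer contents and the "published" digest are constructed for the demo; in real use the digest must come from a channel independent of the download itself, since an attacker who can replace the installer can usually edit the same download page.

```python
# Added example (not the Ixia post's own code): verify an installer's SHA-256
# against a publisher-supplied digest before installing it. File contents and
# the "published" digest are constructed here for the demo.
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: str, published_sha256: str) -> bool:
    """Constant-time comparison of the file digest with the published value."""
    return hmac.compare_digest(sha256_file(path), published_sha256.strip().lower())


def demo() -> dict:
    """Write a constructed 'clean' and 'tampered' installer and verify both."""
    clean = b"constructed stand-in for Transmission.dmg\n" * 1000
    tampered = clean + b"extra bytes appended by an attacker\n"
    published = hashlib.sha256(clean).hexdigest()  # what the vendor would publish
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("clean", clean), ("tampered", tampered)):
            p = os.path.join(d, f"{name}.dmg")
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_installer(p, published)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'matches published digest' if ok else 'MISMATCH, do not install'}")
```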

Mazar – Android


Mazar is a new Android malware that spreads through SMS or MMS messages containing a link to a malicious APK. Clicking the link downloads the APK file which, when run, prompts the user to install a new application and also asks for administrative privileges. Once installed it can send and read messages, make calls to any of the contacts, infect the browser, change and read phone settings, access the Internet, erase the device’s storage, and so on. It can also download other Android apps that enable the attacker to spy on the victim’s web traffic.
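Both Retefe (above) and Mazar rely on the same delivery step: an SMS or MMS that leads the user to install an APK from outside the app store. The block below is an added example, not code from the Ixia post or from either malware analysis, showing how a message log from an MDM or telecom gateway can be scanned for that pattern. It assumes a simple `timestamp|sender|text` record format, assumes the Retefe-style instruction message carries a link (the post only says it contains instructions), and uses a hypothetical host allow-list; all sample lines are constructed.

```python
# Added example (not from the Ixia post): scan constructed SMS/MMS log records
# for the APK-install lure used by Retefe and Mazar. Record format, allow-list
# and keyword set are assumptions for the demo.
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed indicators: a direct .apk link, or a link to a non-allow-listed host
# in a message that talks about installing or updating an app.
INSTALL_WORDS = re.compile(r"\b(install|update|app|apk)\b", re.IGNORECASE)
ALLOWED_HOSTS = {"play.google.com", "bank.example"}  # hypothetical allow-list


def classify_message(text: str):
    """Return the reasons a message looks like an APK lure (empty = clean)."""
    reasons = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK link: {url}")
        elif host not in ALLOWED_HOSTS and INSTALL_WORDS.search(text):
            reasons.append(f"install lure via non-allow-listed host: {host}")
    return reasons


def scan_log(lines):
    """Parse 'timestamp|sender|text' records; return (sender, reasons) hits."""
    hits = []
    for line in lines:
        try:
            _, sender, text = line.split("|", 2)
        except ValueError:
            continue  # malformed record: skip rather than crash the scan
        reasons = classify_message(text)
        if reasons:
            hits.append((sender, reasons))
    return hits


# Constructed sample log: no real numbers, hosts or campaigns.
SAMPLE_LOG = [
    "2016-03-01T10:00:00|+15550100|Your package arrives tomorrow.",
    "2016-03-01T10:05:00|+15550101|Security update required: http://update-host.invalid/bank.apk",
    "2016-03-01T10:07:00|+15550102|New app for your account, install here http://short.invalid/x9",
    "2016-03-01T10:09:00|+15550103|See your statement at https://bank.example/login",
    "malformed line",
]

if __name__ == "__main__":
    for sender, reasons in scan_log(SAMPLE_LOG):
        print(sender, "->", "; ".join(reasons))
```

The second rule deliberately fires only when a non-allow-listed link is paired with install wording, so ordinary links in routine messages do not flood the alert queue; tune the keyword list to the languages your users actually receive messages in.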

Teslacrypt3 – Windows

Figure 5

Teslacrypt3 is an older ransomware that has recently been extended with additional features to make it harder to detect or remove. When researchers discover code flaws that allow the malware to be detected or removed, its creators find new ways of fixing them. In 2016, we’ve already seen news of Teslacrypt3, then 3.0.1, then 4. This malware used to target only computers with specific computer games installed, but newer versions no longer look for them. This malware is distributed through well-known exploit kits, such as Angler. AES encryption is used for file encryption and, like other ransomware, it demands payment in bitcoin.

Did you consider all of the above for your network, application, and device testing? We did. You can find these and many other malware samples, together with their corresponding botnet traffic, in the new and improved ATI Malware and Botnets Monthly Update February/March – 2016. Using this package, you can test your IPS, inline sandboxing, and other network security solutions to make sure they remain up to date on the latest malware trends as soon as they come out.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.