Q2 Malware Trends
It’s a war out there. Spam emails target users, exploit kits evolve, antivirus solutions detect, firewalls block, new malware is written, zero-days mutate every day, and researchers work to crack the code. Unfortunately, end-users keep falling victim to much of this malware, and ransomware in particular is playing a numbers game that puts the odds in the attackers’ favor. It’s impossible to “catch them all,” but it is essential to stay informed about the most recently seen threats. Let’s review some of the more prevalent and nasty malware from Q2 2016.
CryptXXX – Windows
CryptXXX became popular in mid-April, replacing TeslaCrypt or Locky in several campaigns, and it has been infecting Windows machines ever since. As a replacement for TeslaCrypt/Locky, CryptXXX is, as you may have guessed, the name of yet another ransomware family. It spreads through exploit kits placed on compromised sites or through malvertising. The Bedep malware is known to act as the dropper for CryptXXX. Once the ransomware reaches a computer it first checks whether the machine is running in a virtual environment; if so, the infection process halts, otherwise encryption begins. A watchdog program follows the encryption’s progress: if anything stops the encryption process, the watchdog restarts it from the beginning. The user is also blocked from accessing any tool other than the site where the ransom is paid. An interesting detail is that CryptXXX increased the waiting period before the ransom doubles.
Locky – Windows
BlackEnergy – Windows/Linux
BlackEnergy is a Trojan that has been around for several years, but it caught our attention at the beginning of this year when it was found to be at the base of the Ukrainian energy attacks. BlackEnergy is used in DDoS, cyber espionage, and information destruction attacks. In the past it was mainly spread through emails with attached Microsoft Excel documents containing macros, but in the recent attacks in Ukraine a Microsoft Office document with macros was used. To convince victims to enable macros, the document references “Pravii Sektor,” a Ukrainian nationalist political party. After installation, BlackEnergy delivers KillDisk, a malware component focused on destroying files and documents. In the Ukrainian attack KillDisk also destroyed Windows Event Logs and sabotaged the industrial control systems.
TorrentLocker – Windows
Godless – Android
Godless is an Android malware family that targets any device running Android 5.1 or earlier. Using several exploits (such as CVE-2015-3636 and CVE-2014-3153), the malicious code is embedded in certain applications that can be found in app stores, including Google Play. Once a malicious app is installed, it downloads exploits from a large repository to root the victim’s device. After gaining root privileges, the malware receives remote instructions about what to download and install next. This leads to unwanted ads, backdoors, toll-collecting text messages, or simply being spied on.
RAA – Windows
Furtim – Windows
Furtim is a complex piece of malware composed of many components: one checks the victim’s machine environment, one downloads other malicious modules, one intercepts the power configuration, one performs information stealing via Pony Stealer, and one manages communication with the C&C server. Furtim looks for installed security products and checks whether it is running in a virtual environment, and halts execution if either is found. If not, it blocks access to approximately 250 security-related sites. It installs itself as an NTFS alternate data stream, removes any installed filter drivers and forces a reboot. It blocks command line and Task Manager access and disables Windows notifications. Unique information about the device is sent to the C&C servers.
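Because Furtim is described above as installing itself as an NTFS alternate data stream, a defender’s first check is to enumerate non-default streams on the system volume. The following PowerShell script is an added example written for this post, not code from Ixia or from any of the malware families discussed; it assumes Windows with PowerShell 3.0 or later, and the `$Root` path and the list of streams to ignore are assumptions you can adjust.

```powershell
# Added example (not part of the original post): hunt for non-default NTFS
# alternate data streams under a directory. ':$DATA' is the ordinary file
# content and 'Zone.Identifier' is the common mark-of-the-web stream, so both
# are ignored by default. Run from an elevated PowerShell 3.0+ session.
param(
    [string]$Root = "$env:SystemRoot",                         # assumed starting point
    [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')  # assumed benign streams
)

function Find-AlternateDataStreams {
    param([string]$Path, [string[]]$Ignore)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * lists every named stream attached to the file.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

$hits = Find-AlternateDataStreams -Path $Root -Ignore $IgnoreStreams
if ($hits) {
    # Largest streams first: an executable-sized stream on a system file is
    # the kind of finding that deserves a closer look.
    $hits | Sort-Object Bytes -Descending | Format-Table -AutoSize
    Write-Host ("{0} non-default stream(s) found under {1}." -f @($hits).Count, $Root)
} else {
    Write-Host "No non-default alternate data streams found under $Root."
}
```

A hit is not proof of infection on its own, but a large or executable-looking stream on a file that should not carry one is worth correlating with the other behaviours listed above, such as missing filter drivers or disabled Task Manager access.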
You can find all of the above and many other malware samples along with their corresponding traffic in Ixia’s Malware and Botnet Strikepacks.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.