Oana Murarasu, Security Software Engineer at Ixia

Q2 Malware Trends

July 26, 2016 by Oana Murarasu

It’s a war out there. Spam emails target users, exploit kits evolve, antivirus solutions detect, firewalls block, malware gets invented, zero-days mutate every day, and researchers work to crack the code. Unfortunately, end users are falling victim to much of this malware, and ransomware in particular is playing a numbers game that works in its favor. It’s impossible to “catch them all,” but it is essential to stay informed about the most recently seen threats. Let’s review some of the more prevalent and nasty malware from Q2 2016.

CryptXXX – Windows


(Source: www.proofpoint.com)

Having replaced TeslaCrypt or Locky in several campaigns, CryptXXX became popular in mid-April and has been infecting Windows machines since then. As you might have guessed from its role as a TeslaCrypt/Locky replacement, CryptXXX is yet another ransomware. The malware spreads through exploit kits placed on compromised sites or through malvertising. Bedep malware is known to be the dropper of CryptXXX. Once the ransomware reaches a computer, it first checks whether the machine is running in a virtual environment. If so, the infection process halts; otherwise, encryption begins. A watchdog program follows the course of the encryption: if anything stops the encryption process, the watchdog restarts it from the beginning. The user is also denied access to any tool other than the site for paying the ransom. An interesting detail is that CryptXXX increased the waiting period for paying the ransom before it doubles.

Locky – Windows


(Source: www.blog.checkpoint.com)

Not new anymore, but smarter, Locky is a ransomware name that’s been getting a lot of attention since the beginning of 2016. It is delivered through a JavaScript downloader attached to spam emails (containing an invoice attachment). Once executed, Locky encrypts the compromised files and demands a ransom for their decryption. An improvement over the malware’s earlier behavior is that newer versions use both symmetric and asymmetric encryption algorithms when communicating with the C&C (Command & Control) servers, whereas earlier versions used a simple custom encoding. With this addition Locky manages to hide its network traffic, becoming harder and harder to discover.

BlackEnergy – Windows/Linux


(Source: www.securityaffairs.com)

BlackEnergy is a Trojan that has been around for several years, but it caught our attention at the beginning of this year when it was found to be at the base of the Ukrainian energy attacks. BlackEnergy is used in DDoS, cyber espionage, and information destruction attacks. In the past it was mainly spread through emails with attached Microsoft Excel documents containing macros, but in the recent attacks in Ukraine, a Microsoft document with macros was used. To convince the victims to run macros, the document references “Pravii Sektor,” which is a Ukrainian nationalist political party. After installation, BlackEnergy delivers KillDisk, a piece of malware typically focused on destroying files and documents. In the Ukrainian attack KillDisk also destroyed Windows Event Logs and sabotaged the industrial control systems.

TorrentLocker – Windows


(Source: www.blogs.mcafee.com)

Ransomware seems to be the leitmotif of the summer, as TorrentLocker also falls into this category. This is not a new malware family, but its delivery mechanism has become more focused. Targeting Spain, the emails are in Spanish and use the word “Endesa,” the name of Spain’s largest electricity provider. The attachments masquerade as invoices and contain a JavaScript downloader that fetches the ransomware. The ransomware then contacts the C&C server, encrypts files, and demands a ransom.

Godless – Android


(Source: www.securityintelligence.com)

Godless is Android malware that targets any device running Android 5.1 or earlier. Composed of several exploits (such as CVE-2015-3636 and CVE-2014-3153), the malicious code is present in certain applications that can be found in app stores, including Google Play. Once a malicious app is installed, it downloads exploits from an immense repository to root the victim device. After gaining root privileges, the malware receives remote instructions on what to download and install next. This leads to unwanted ads, backdoors, toll-collecting texts, or simply being spied on.

RAA – Windows


(Source: www.virustotal.com)

RAA is a ransomware written entirely in JavaScript. This makes it unique among the ransomware families seen so far. There is no need to download any supplementary programs: once it is executed, it encrypts your data and asks for a ransom.
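Locky, TorrentLocker, and RAA all reach the victim as JavaScript attached to an email, so a mail-gateway check for script attachments covers the delivery step they share. The following is an added example, not code from the original article or from Ixia; the extension list, the look inside ZIP attachments, and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host or mshta run on double-click (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")

def is_script(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.lower().rstrip(". ").endswith(SCRIPT_EXTS)

def script_attachments(raw_message):
    """Return (attachment, member) pairs; member is None for a bare script."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_script(name):
            findings.append((name, None))
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":  # ZIP local file header
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    findings += [(name, m) for m in zf.namelist() if is_script(m)]
            except zipfile.BadZipFile:
                findings.append((name, "<unreadable zip>"))
    return findings

def build_sample():
    """Constructed message: a ZIP 'invoice' holding a harmless .js placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0042.pdf.js", "// constructed placeholder\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice 0042"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_0042.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in script_attachments(build_sample()):
        print(f"script content: {attachment} -> {member}")
```

A gateway would quarantine any message for which `script_attachments` returns a non-empty list; the double extension in the sample (`.pdf.js`) is caught because only the final extension is matched.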

Furtim – Windows

Furtim is a complex piece of malware composed of many components. One component checks the victim’s machine environment, one downloads other malicious modules, one is a malicious module that intercepts power configuration, one performs information stealing via Pony Stealer, and one manages communication with the C&C server. Furtim checks whether security products are installed and whether it is running in a virtual environment, and halts execution if either is discovered. If not, it blocks access to approximately 250 security-related sites. It installs itself as an NTFS alternate data stream, removes any installed filter drivers, and forces a reboot. It blocks command line and task manager access and disables Windows notifications. Unique information about the device is sent to the C&C servers.

You can find all of the above and many other malware samples along with their corresponding traffic in Ixia’s Malware and Botnet Strikepacks.
