Q3 & Q4 Malware Trends
‘Tis the season to be wary… Below are some of the most prevalent malware families seen in the last half of 2016. Ransomware, PoS malware, banking Trojans, and Trojan backdoors, mutated or not, all deserve our full attention, since their full attention is directed at us.
TrickBot – Windows
TrickBot is a banking Trojan targeting Australian banks. Sharing many similarities with Dyre, which ceased activity in November 2015, TrickBot is a fully operational malware that appeared in mid-autumn 2016. TrickBot consists of several layers. The first layer is the crypter, which carries the encrypted payload and conceals it from antivirus detection; the same crypter is also used by malware such as Vawtrak and Cutwail. The second layer is the loader, which determines whether the system it is running on is a 64- or a 32-bit architecture and, based on that, decodes the corresponding encrypted resource. The unpacked bot is then mapped into memory. On its first execution, TrickBot copies the executable to a new location, runs from there, deletes the original, and makes itself a persistent botnet agent. The bot’s main duties rely on two components: getsysinfo, which harvests system information, and injectDLL, which injects DLLs into browsers to steal banking credentials.
Ramnit – Windows
Ramnit didn’t die; it mutated into a new banking Trojan. Ramnit began its activity in 2010 as a self-replicating worm and mutated over the years, borrowing code from other malware. After infection, it scans files for interesting keywords, such as “wallet,” “passwords,” or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it is also deployed via popular exploit kits, such as Angler.
Vawtrak – Windows
Vawtrak is yet another banking Trojan that has been around for years. Besides being delivered through spam campaigns, Vawtrak is also spread through exploit kits. Recent mutations of this malware were seen in August 2016, with new features such as HTTPS being used for C&C communications.
FastPOS – Windows
FastPOS is PoS malware that was first seen in March 2016. In October 2016, FastPOS set itself apart from the rest of the PoS malware family by skipping a step in the process of stealing PoS data. Most PoS malware normally dumps, scrapes, stores, and then exfiltrates. FastPOS steals credit card data and goes directly to exfiltrating it to C&C servers. Even though this new behavior is noisier, the author must have preferred it in order to have more time to use the credit card data before banks are alerted and suspend it. FastPOS is usually distributed via compromised websites, VNC access with stolen credentials, or brute-force attacks, and it has a modular architecture. Its main components are a memory scraper (which scans for credit card data), a key logger, and a C&C component.
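Because FastPOS skips the local store step and ships card data straight to its C&C, the egress stream itself is where a defender can catch it. The following added example (not from the original post or from any vendor tooling) scans an outbound payload for card-number-shaped digit runs, in plain and Track 2 layout, and keeps only those that pass the Luhn check, which is how a DLP or IDS rule separates real PANs from timestamps and record IDs; the sample payload is constructed.

```python
import re

# Contiguous 13-19 digit runs not embedded in a longer digit run (PAN candidates).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout as scrapers emit it: PAN, '=' separator, YYMM expiry, service code.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})\d{3}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so an alert is useful without logging the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload: bytes) -> list[tuple[str, str]]:
    """Return (kind, masked_pan) for every Luhn-valid PAN in an outbound payload."""
    hits, seen = [], set()
    for m in TRACK2_RE.finditer(payload):   # Track 2 records first: strongest signal
        pan = m.group(1).decode()
        if luhn_ok(pan) and pan not in seen:
            hits.append(("track2", mask(pan)))
            seen.add(pan)
    for m in PAN_RE.finditer(payload):      # then bare PANs not already reported
        pan = m.group(1).decode()
        if luhn_ok(pan) and pan not in seen:
            hits.append(("pan", mask(pan)))
            seen.add(pan)
    return hits


# Constructed sample: a POST body of the kind a scraper might send. It uses the
# well-known Visa test number 4111111111111111, a 10-digit timestamp (too short to
# match) and a Luhn-invalid 13-digit decoy standing in for a plain record ID.
SAMPLE_PAYLOAD = (
    b"id=7&t=1478000000&trk=;4111111111111111=25121011234?&ref=1234567890123"
)
```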
Stampado - Windows
Stampado is a piece of malware that takes the ransomware family to another level, encrypting files that have already been encrypted. Usually ransomware that infects a system looks for files that have certain extensions, encrypting those files and adding a new extension to the encrypted files. Stampado, on the other hand, also targets files with known extensions appended by other ransomware. If a victim is already infected with ransomware and comes across Stampado, then they will have to pay twice to get their files decrypted.
Mamba – Windows
Since we’ve already discussed malware that targets already encrypted files, let’s also touch on malware that encrypts your whole disk. Mamba is a disk-level ransomware that encrypts the full disk using a tool named DiskCryptor (an open source disk encryption software). Mamba also modifies the Master Boot Record (MBR) and adds a bootloader that displays its ransom note.
Zepto - Windows
Zepto, or mutated Locky? Locky definitely mutated. Zepto was first seen at the beginning of September 2016 and is yet another variety of ransomware. A detailed inspection of Zepto’s code reveals that it is very similar to Locky. Zepto spreads the same way as Locky, via emails with attached zip archives or doc files, and uses the same payment page, but the ransom it demands is higher than Locky’s. Another difference is that Zepto includes an embedded RSA key that enables data encryption without any communication with the C&C servers. The difference is also visible after encryption, since Zepto appends “.zepto” to all encrypted files while Locky appends “.locky”.
Crysis – Windows
Crysis is ransomware that encrypts a large variety of file types on fixed or removable drives. It is spread via email attachments whose double extensions make them look non-executable. Besides encrypting a victim’s files, Crysis also copies the admin login information from the infected machine to its C&C server, enabling further attacks if the credentials are not changed. Crysis achieves persistence by setting registry entries that execute it at every system start.
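Three of the families above announce themselves through filenames alone: Crysis arrives as a double-extension attachment, Zepto and Locky append their own extensions, and Stampado goes after files that already carry another ransomware’s extension. The added example below (not from the original post) classifies a filename by its full extension chain for mail-gateway or file-server triage; the executable and document extension lists and the sample names are assumptions, and “.locked” is only a stand-in for a second ransomware’s extension.

```python
# Extensions the post associates with an encrypted file: Locky (.locky) and Zepto (.zepto).
RANSOM_EXTS = {".locky": "Locky", ".zepto": "Zepto"}
# Assumed lists: extensions Windows will run, and harmless-looking ones a lure hides behind.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def ext_chain(name: str) -> list[str]:
    """Return every extension of a filename in order, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify(name: str) -> list[str]:
    """Findings for one filename; an empty list means nothing suspicious was seen."""
    chain = ext_chain(name)
    findings = []
    # Crysis lure: a document-looking extension directly followed by an executable one.
    if len(chain) >= 2 and chain[-1] in EXEC_EXTS and chain[-2] in DOC_EXTS:
        findings.append("executable masquerading as %s (double extension)" % chain[-2])
    # Positions of known ransomware extensions in the chain, left to right.
    ransom_hits = [(i, RANSOM_EXTS[e]) for i, e in enumerate(chain) if e in RANSOM_EXTS]
    if ransom_hits:
        families = [family for _, family in ransom_hits]
        if ransom_hits[-1][0] != len(chain) - 1:
            # A known ransomware extension is no longer last: something encrypted the
            # file again afterwards, which is exactly what Stampado does.
            families.append("unknown (%s)" % chain[-1])
        if len(families) == 1:
            findings.append("encrypted by " + families[0])
        else:
            findings.append("encrypted repeatedly: " + " -> ".join(families)
                            + " (Stampado-style re-encryption)")
    return findings


# Constructed sample names for the three cases plus one clean file.
SAMPLE_NAMES = [
    "invoice_0911.pdf.exe",
    "Q3_report.docx.zepto",
    "Q3_report.docx.locky.locked",
    "notes.txt",
]


def triage(names: list[str]) -> dict:
    """Map each suspicious filename to its findings (clean names are omitted)."""
    return {n: classify(n) for n in names if classify(n)}
```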
Petya / GoldenEye – Windows
GoldenEye is a new variant of the ransomware Petya. It has spread via spam emails written in German. The emails contain an Excel spreadsheet with a malicious macro that installs the GoldenEye ransomware. After infection, GoldenEye’s behavior is a bit different from other Petya mutations (such as Mischa). It encrypts the targeted files on the infected machine and also modifies the master boot record with a custom boot loader. The ransom note is presented via a text file and the encrypted files will have a random 8-character extension appended.
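Both Mamba and GoldenEye replace the MBR’s boot code with their own loader, so a cheap defensive check is to read the first sector and compare its boot code against a known-good baseline. The added example below (not from the original post) parses a 512-byte MBR, verifies the 0x55AA signature and partition table, and reports whether the 446-byte boot code hash has changed; the baseline sector is constructed here, and on a real host it would be read from the raw disk device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0-445: boot code; 446-509: four 16-byte partition entries
SIGNATURE = 0xAA55       # bytes 0x55 0xAA at offset 510, read as a little-endian word

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                       # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba_start, "sectors": n_sectors})
    return {
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list[str]:
    """Return findings; an empty list means the sector still matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: given boot code, one active NTFS-type partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed baseline (stands in for a known-good sector) and a tampered copy whose
# boot code has been swapped out, as a bootloader-installing ransomware would do.
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90REPLACED")
```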
SFG – Windows
SFG is a Trojan backdoor that targets European energy companies. It cripples antivirus products and eventually uninstalls them. Its main features are encrypted so that it is harder to detect and examine, and one of its main behaviors is to not install itself if it detects a sandbox environment. To gain administrative control over the infected computer, SFG uses privilege-escalation exploits for Windows vulnerabilities such as CVE-2014-4113 and CVE-2015-1701. After gaining administrative control, it observes the network and conveys data to the attackers, who can also send instructions for further operations. In this way SFG provides a network backdoor into SCADA systems.
Mirai – Linux
Mirai is a Trojan backdoor that targets IoT devices running embedded Linux. It spreads by brute-forcing the username and password with a preprogrammed list of commonly used credentials. Once logged in, it attempts to fetch a copy of itself from a server, executes that copy, and deletes itself from disk. Post-infection, Mirai turns the victim machine into a remotely controlled bot that scans for more hosts to infect and connects back to a C&C server to await further instructions. These bots have recently been used in large-scale DDoS attacks.
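Mirai’s way in is a credential-guessing loop against the device login, which leaves a distinctive trace: a burst of failed logins from one source cycling through usernames, often followed by a single success. The added example below (not from the original post) runs that detection over a constructed syslog-style sample; the log layout, the hostname and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a syslog-like layout (no real device or address is represented).
SAMPLE_LOG = """\
Nov 21 03:14:01 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=root
Nov 21 03:14:02 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=root
Nov 21 03:14:03 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=admin
Nov 21 03:14:04 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=admin
Nov 21 03:14:05 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=support
Nov 21 03:14:06 cam01 login[812]: FAILED LOGIN from 198.51.100.23 user=admin
Nov 21 03:14:07 cam01 login[812]: LOGIN OK from 198.51.100.23 user=admin
Nov 21 03:20:40 cam01 login[815]: FAILED LOGIN from 203.0.113.9 user=root
Nov 21 03:25:10 cam01 login[816]: LOGIN OK from 192.0.2.50 user=admin
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ login\[\d+\]: "
    r"(FAILED LOGIN|LOGIN OK) from (\S+) user=(\S+)$"
)


def analyze(log: str, threshold: int = 5) -> dict:
    """Count failures per source; flag guessing bursts and successes that follow them."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # unrelated log line
        outcome, src, user = m.groups()
        if outcome == "FAILED LOGIN":
            failures[src] += 1
            usernames[src].add(user)
            if failures[src] == threshold:    # report once, when the burst crosses the line
                findings.append(f"{src}: {threshold}+ failed logins cycling through "
                                f"{len(usernames[src])} usernames (credential guessing)")
        elif failures.get(src, 0) >= threshold:
            findings.append(f"{src}: login as {user} succeeded after guessing burst "
                            "(treat device as compromised)")
    return {"failures": dict(failures), "findings": findings}
```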
Remsec - Windows
Remsec, otherwise known as Sauron, is a piece of malware with a modular architecture that gives attackers full control over an infected system. It enables data exfiltration, deployment of additional modules, and lateral movement throughout the network. Remsec also attempts to protect itself from being discovered. Its functionality is based on several modules. The loader loads files from disk and executes them, logs data, and maintains persistence as a fake security support provider. A network listener module is also available, as well as multiple backdoor mechanisms. There is even support for Lua scripting modules; the Lua functionality lets extensible modules be loaded, and a network loader, a host loader, and a keylogger are all available. Because of its advanced feature set, this piece of malware is used in many cyberespionage-style attacks.
Disttrack – Windows
Disttrack, also known as Shamoon, is malware that has been around since 2012. In November 2016, security experts detected Disttrack in a new wave of attacks against Saudi Aramco, infecting a reported 30,000+ PCs. Evidence suggests that Disttrack’s intent is data destruction and system damage through a wiper component, used as a tool by politically motivated hackers. Other Disttrack components include the dropper and the communications module.
You can find all the above and many other malware samples in Ixia’s Malware Strikepacks.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.