Bangkok Post

Cryptomining malware new norm

Cybersecurity firm McAfee also flags billing fraud on mobile apps, especially in Thailand and Malaysia

- To view the Threats Report in detail, see https://bit.ly/2xLDzWg

Malware that harnesses the computing power of thousands of connected devices to mine cryptocurrency has emerged as a significant new online threat, according to the cybersecurity company McAfee.

Billing fraud that has affected several apps on Google Play, especially in Thailand and Malaysia, along with a 27% rise in mobile malware in the second quarter, was among the other findings in the McAfee Labs Threats Report for September 2018.

Although less common than ransomware, cryptomining malware has quickly emerged as a threat factor, increasing from 400,000 samples detected by McAfee in the fourth quarter of 2017 to 2.9 million in the first quarter of 2018 and 5.4 million in the second quarter. Even older malware such as ransomware is being retooled with mining capabilities.

“In some cases, cryptomining targets specific groups rather than a broad field of potential victims,” McAfee said. “One cryptomining malware strain has targeted gamers on a Russian forum by posing as a ‘mod’ claiming to enhance popular games. Gamers were tricked into downloading the malicious software, which proceeded to use their computer resources for profit.”

While cryptomining malware primarily targets PCs, other devices have been hit. For instance, Android phones in China and Korea have been exploited by the ADB.Miner malware into producing Monero cryptocurrency for perpetrators.

“A few years ago, we wouldn’t think of internet routers, video-recording devices, and other Internet of Things devices as platforms for cryptomining because their CPU speeds were too insufficient to support such productivity,” said Christiaan Beek, lead scientist with McAfee Advanced Threat Research.

“Today, the tremendous volume of such devices online and their propensity for weak passwords present a very attractive platform for this activity. If I were a cybercriminal who owns a botnet of 100,000 such IoT devices, it would cost me next to nothing financially to produce enough cryptocurrency to create a new, profitable revenue stream.”

VULNERABILITY EXPLOITS

A year after the WannaCry and NotPetya attacks, new malware specifically designed to exploit software vulnerabilities increased by 151% in the second quarter. McAfee saw these two high-profile threats repurposed within new malware strains, and newly discovered vulnerability exploits similarly adapted to produce entirely new threats.

“It’s still surprising to see numerous vulnerabilities from as far back as 2014 used successfully to spearhead attacks, even when there have been patches available for months and years to deflect exploits,” said Mr Beek.

“This is a discouraging testament to the fact that users and organisations still must do a better job of patching vulnerabilities when fixes become available.”

McAfee researchers also discovered a vulnerability in the Cortana voice assistant in Microsoft Windows 10. The flaw, for which Microsoft released a patch in June, could have allowed attackers to execute code from the locked screen of a fully patched Windows 10 machine.

BILLING-FRAUD APPS

A new billing-fraud campaign has affected at least 15 apps on Google Play. It demonstrates that cybercriminals keep finding new ways to steal money from victims using apps on official stores.

The actors behind the new campaign, the AsiaHitGroup Gang, have been active since at least late 2016 with the distribution of the fake-installer applications Sonvpay.A, which attempted to charge at least 20,000 victims — primarily from Thailand and Malaysia — for the download of copies of popular applications.

In November last year, the Sonvpay.B campaign was discovered on Google Play. It used IP address geolocation to confirm the country of the victim and added Russian victims to the billing fraud to increase its potential to steal from unsuspecting users.

THREAT ACTIVITY

In the second quarter of 2018, McAfee Labs detected five new threats a second, including some showing notable technical developments that improve on the latest successful technologies and tactics to outmanoeuvre their targets’ defences.

Ransomware: The total number of ransomware samples has increased by 57% over the past four quarters. Although the appearance of new ransomware families has slowed overall, established ransomware families such as Scarab have spawned new variants.

Mobile malware: New mobile malware samples increased 27% in the second quarter; this is the second successive quarter of growth. Users in South America reported the highest rate of infection, at 14%. Total mobile malware grew 42% in the past four quarters.

JavaScript malware: A 204% increase in new samples suggests that hackers have shifted to a new generation of JavaScript malware. After decreasing significantly over the last three quarters, JavaScript malware accounted for more than 7 million new samples, a record high, and up from around 2 million in the first quarter.

LNK malware: While PowerShell has been active among fileless malware developers, new samples slowed to 15% growth. But new LNK malware continues to grow, as cybercriminals are increasingly using .lnk shortcuts to surreptitiously deliver malicious PowerShell scripts and other malware.

Spam botnets: The Gamut spam botnet outpaced all others in the second quarter. Most notably, it pushed high volumes of “Canada Revenue Agency” phishing scams. Notable recent campaigns were related to bogus employment offers that are commonly used as a “money mule” recruitment tactic.
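The .lnk delivery trend described in the LNK malware item above is something a defender can check for on disk. As an added example (not code from McAfee or the Bangkok Post), the following Python reads the string fields of a Shell Link file, whose layout is assumed here from the MS-SHLLINK format, and flags shortcuts whose target path or arguments launch PowerShell with hidden or encoded options; the `build_lnk` helper and the `MARKERS` list are my own constructions for illustration.

```python
import struct

# Shell Link (.lnk) header layout as assumed from the MS-SHLLINK format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Command-line fragments that commonly mark a shortcut launching hidden PowerShell.
MARKERS = ("powershell", "pwsh", "-encodedcommand", "-enc ", "-windowstyle hidden",
           "-w hidden", "bypass", "downloadstring", "invoke-expression")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, path, arguments, ...) of a .lnk file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_ID_LIST:           # skip the LinkTargetIDList block (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:         # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:  # each string: u16 char count, then the chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def assess_lnk(data: bytes) -> list:
    """Return the suspicious markers found in the shortcut's target path and arguments."""
    fields = parse_lnk(data)
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return [m for m in MARKERS if m in text]

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only RelativePath and Arguments (constructed sample)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # zero the remaining header fields
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run `assess_lnk(open(path, "rb").read())` over shortcuts from mail attachments or user Desktop folders; a non-empty result is a triage signal, not a verdict, since legitimate admin shortcuts also use some of these switches.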
