Recent analysis by Kaspersky Lab researchers indicates that threat actors are increasingly distributing multipurpose malware, which can be deployed in a variety of attack scenarios.
More than 150 Malware Families Analyzed
The team analyzed more than 150 malware families along with their modifications across 60,000 botnets across the globe. The results show that the distribution of multipurpose remote access tools (RATs) has nearly doubled since the beginning of 2017 (from 6.5% in 2017 to 12.2% in 2018).
Kaspersky Lab has been tracking the activity of botnets using Botnet Tracking, a technology that emulates infected computers (bots) to retrieve operational data about the actions of botnet operators, the report clarifies.
After analyzing the files downloaded by the bots, the researchers were able to identify the most widespread families. It should be noted that the top of the list of most “popular” downloads changes little over time.
Most Widespread RATs
The most widely spread RATs are njRAT, DarkComet, and Nanocore, all of which are described as malware tools that can be modified according to the attackers’ needs. This also means that the malware tools can be adapted for specific regions. For instance, njRAT was found to have command-and-control centers in 99 countries, simply because it is extremely easy for threat actors to configure a personal backdoor based on the tool, without needing special knowledge in malware development.
In 2018, as in the previous year, the backdoor njRAT accounted for many downloads. Its share among all files downloaded by bots increased from 3.7% to 5.2%, meaning that more than 1 in every 20 bot-downloaded files is njRAT. This widespread distribution is due to the variety of versions of the malware and the ease of setting up one’s own backdoor, which creates a low entry threshold.
For instance, one recent version of the njRAT malware is the njRAT Lime Edition. What makes it unique is the fact that even in its first releases it included almost all of the modules found in advanced threats. The programmers behind it have also posted the executable file for free on underground sites. The latest version is 0.7.8, released in December 2017.
We were able to obtain a copy of the threat from such underground sources. It is interesting to note that the malicious piece was being advertised as a remote hacking tool while at the same time bearing the notice “For educational use only”. The first public release tracked by the community (11/9/2017) is known as version 0.7.6.
Another important discovery is that the number of ransomware pieces downloaded by botnets has increased compared to 2017.
Despite the overall decline in the distribution of ransomware programs, botnet operators continue to deliver them to victims, Kaspersky Lab notes. Their data shows that most ransomware in 2017 was downloaded by the so-called Smoke Bot, but in 2018 the most popular downloader is Nitol.
Last year, the EternalBlue exploit deployed in the WannaCry ransomware outbreak was also being used to deliver the Nitol backdoor and the Gh0st RAT. Both threats have been around for several years and were once again included in malicious operations, with the trend continuing throughout 2018.
GandCrab Enters the Malware Scene
The nefarious GandCrab ransomware has entered the top 10 most downloaded families in 2018. The ransomware was first detected this year, and was quickly adopted by several botnet operators, the most active among them being the Trik botnet.
Speaking of GandCrab, its creators do not sleep: the ransomware has been observed infecting users via new methods such as cracks for games and other software.
The GandCrab ransomware has been steadily updated with more and more improvements to its infection methods and to the malware itself. The ransomware has gone through several internal versions and is now officially at version 4.4. While some features have been removed, others have been added, with the fourth version only using .exe files of cracks for games or licensed software to infect users worldwide.