Computer security researchers have released the Q3 2017 virus report, which outlines the latest threats and signals the intentions of the hackers behind the malware. The quarterly report gives insight into where the criminals are headed and how they have shifted tactics from previous periods.
Q3 2017 Malware Threats Reveal Constant Malware Activity
The security reports give a broad overview of the tactics computer criminals have used in the malware creation process. The three-month period also reveals some of the latest trends and progress by criminal collectives that continue to use code based on famous malware families such as Hidden Tear (EDA2), Dharma and others. With this information we can illustrate some of the key trends and large-scale attacks that are carried out against both end users and corporate targets.
Malware Threats Utilize Espionage Techniques
One of the key findings in the report is that a very large part of the high-impact computer viruses included an advanced Trojan or spying component. Espionage is rated as one of the most lucrative activities when it comes to criminal planning. The experts note that 10 out of 24 specialist virus reports specifically mention espionage as a main goal behind the analyzed threat. The analysts have come to the conclusion that actors based in China or affiliated with organizations from the country tend to use such strategies.
Two noteworthy attacks are mentioned:
- Netsarang ‒ The Netsarang distribution site was the main attack vector of a dangerous malware known as the ShadowPad backdoor. The hackers were able to break into the vendor’s site and place counterfeit software installers in place of the legitimate files. The security incident was later reported and confirmed by an independent cybersecurity company that was behind the analysis, after suspicious activity was detected coming from a package located on the infected company’s networks. This is a sophisticated backdoor threat that is capable of carrying out many malicious activities. Examples include the following modules: data stealing, virus infections, network infections and DDoS attacks.
- The CCleaner Backdoor Incident ‒ One of the most alarming events in the last few months was the CCleaner infection that happened in September. The Piriform servers were found to host a backdoored version of their most popular software, the freeware CCleaner app, and consequently this affected millions of users. Several versions are believed to have been impacted. As a result of the infection, a two-stage backdoor is deployed on the target machines. It is capable of receiving commands from the hacker operators and spying on the victims’ actions.
The Q3 2017 Virus Reports Discuss the Noteworthy Attacks
An important part of the Q3 2017 virus reports is the analysis of the large-scale attacks against state institutions and government servers. The analysts speculate that the incidents may be related to political actions such as policy implementations or negotiations. An example is the Iron Husky virus campaign, which targeted specific Russian and Mongolian government aviation companies and research centers. The attacks were discovered back in July, following earlier talks between the two countries to modernize the air defense of Mongolia with Russia’s help. A few weeks later the attacks were initiated, presumably by Chinese criminals.
Another similar attack happened after India and Russia signed an agreement regarding the expansion of a nuclear power plant in India. Both countries experienced attacks from a dangerous virus called “H2ODecomposition” which masqueraded as a popular anti-virus product from an Indian vendor.
ATM Malware on the Rise
Dedicated reports were made concerning the rising trend of attacking ATMs with advanced forms of malware. Two specific threats have been noted as being high-profile and quite successful in compromising a large number of hosts.
The first one is called “Cutlet Maker” and its success seems to come from the fact that the code has been publicly sold on the popular Alphabay hacker underground market. It is composed of three modules that are part of the core infection module ‒ an ATM balance check, cash withdrawal and interactions client. The hackers posted a detailed tutorial on how to hack the victim machines and infect them with the Cutlet Maker virus so that cash withdrawal can be initiated.
The other threat is called “ATM Proxy” and is designed to sit dormant on the infected machine until a malware card with a specific hard-coded code is introduced to the ATM. Once this is done, cash is dispensed in a predefined amount to the hackers.
Infections with the ATMii ATM virus are not mentioned in the main reports; however, they deserve to be mentioned in this category. Instances belonging to this family are made up of two main components: the injector module and the virus engine. It allows the hackers to control the machines and conduct operations from the operating system running on the compromised devices. A dangerous fact related to the infections is that, depending on the security checks, in some cases the infections cannot be detected by all methods.
Details on the Lambert Toolkit Malware Attacks
The Lambert Toolkit is a dangerous malware which has been featured in numerous iterations since 2014. Its various versions are named after colors: blue, green, pink and gray. The newest addition is the “red” version, which was discovered during a thorough analysis of compromised computers. It featured hard-coded SSL certificates built in the hacker-controlled command and control servers. As it is based on older code, it is very possible that some of the key features of the older variants have been retained.
Some of the noteworthy capabilities associated with different strains that are identified as interim versions of the Lambert toolkit include the following mechanisms: second-stage attacks, Mac OS X intrusions, custom payload delivery, a modular harvesting function, passive infections and user-mode infiltration.
South Korean Activities Are Actively Monitored
The security specialists detected that two high-impact malware threats have been produced by South Korean criminals. Two specialist reports have been dedicated to the viruses called Scarcruft and Bluenoroff. Scarcruft is a designated APT group. Virus strains have been found to attack other targets as well, including Russia, Nepal, China, India, Kuwait and Romania. The main attack vectors include vulnerability exploits for popular software such as Adobe Flash Player and Microsoft Internet Explorer.
Bluenoroff is operated by a hacker collective that is part of the Lazarus hacking group. Like the former malware, it is used in attacks in other countries as well: Mexico, Uruguay, Russia, Australia, Norway, India, Nigeria, Poland and Peru. Infections have been made against state institutions as well as private finance companies, casinos, trade software vendors and cryptocurrency businesses.
The Reports Indicate Varied Campaigns
While investigating the hacker activities during the period, the specialists also used some other sources of information. A notable example is an anonymous user who paid computer hackers on the underground communities to access sensitive file hashes. This identified a malware tool called “Triple Fantasy”, which is a tool used to verify targets by the Equation Group. This is the same attack mechanism which is suspected of being used by the US NSA to conduct espionage activities.
The computer criminals continue to use freely available code and open-source tools to infect targets. One of the worrying aspects is that the majority of the campaigns seem to be politically motivated, such as Dark Cyrene, which impacted countries located in the Middle East. A large espionage campaign in Chile also took place (called “Pisco Gone Sour”), and attacks in Ukraine continue with a new series of phishing sites and DDoS attacks. Financial institutions were also impacted by a dangerous trojan called “The Silence”.
As always, we urge computer users to rely on a trusted and quality security solution which is capable of protecting their systems and removing active infections with a few mouse clicks.