Cybercriminals have been quite active in developing new malware samples and improving their malicious approaches. According to PurpleSec statistics, cybercrime activity throughout 2021 has been up 600% due to the COVID-19 pandemic.
As a result, cybersecurity researchers have analyzed some new, previously unseen malware pieces. We have selected 10 new threats with various capabilities that were detected in the wild in the past several months, targeting Android, macOS, Windows, and Linux:
- Two new malware loaders: Wslink and SquirrelWaffle;
- A Linux rootkit, called FontOnLake/HCRootkit;
- Two Android banking trojans: GriftHorse and Ermac;
- Two sophisticated backdoors: FoggyWeb and Solarmarker;
- The Meris DDoS botnet;
- The LockFile ransomware that uses unique encryption;
- The XCSSET Mac malware, first detected in 2020 and now updated with new capabilities.
Disclaimer: The cyber threats listed in this article are a small portion of all the malware that emerged in 2021. Our top 10 selection of 2021 malware is a mere example of the ever-evolving threat landscape.
Wslink Malware Loader
A previously unknown malware loader was uncovered in October 2021. Called Wslink, the tool is “simple yet remarkable,” capable of loading malicious Windows binaries. The loader has been used in attacks against Central Europe, North America, and the Middle East.
What is unique in this previously undocumented loader is its capability to run as a server and execute received modules in memory. According to the report compiled by ESET researchers, the initial compromise vector is also unknown. The researchers were unable to obtain any of the modules the loader is supposed to receive. No code, functionality or operational similarities suggest that the loader was coded by a known threat actor.
SquirrelWaffle Malware Loader
Another malware loader emerged in October 2021, with the potential to become “the next big thing” in spam operations. Dubbed SquirrelWaffle, the threat is “mal-spamming” malicious Microsoft Office documents. The end goal of the campaign is delivering the well-known Qakbot malware, as well as Cobalt Strike. These are two of the most common culprits used for targeting organizations worldwide.
According to Cisco Talos researchers Edmund Brumaghin, Mariano Graziano and Nick Mavis, “SquirrelWaffle provides threat actors with an initial foothold onto systems and their network environments.” This foothold can later be utilized to facilitate further compromise and malware infections, depending on the hackers’ monetization preferences.
“Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future,” the researchers said. A previous threat of the same caliber is Emotet, which has been plaguing organizations for years. Since Emotet operations were disrupted by law enforcement, security researchers have been waiting for a new similar player to rise. And it has…
FontOnLake/HCRootkit Linux Rootkit
FontOnLake/HCRootkit is a new, previously unseen malware family targeting Linux systems. Dubbed FontOnLake by ESET researchers, and HCRootkit by Avast and Lacework, the malware has rootkit capabilities, advanced design and low prevalence, suggesting that it is primarily meant for targeted attacks.
According to researchers, the FontOnLake rootkit is continuously being upgraded with new features, meaning that it is in active development, and it is highly likely that it will continue to be used in 2022. VirusTotal samples of the malware reveal that its first use in the wild dates back to May 2020. It appears that the malware targets entities in Southeast Asia, but other regions may soon be added to its target list.
The malware grants remote access to its operators, and could be used for credential harvesting and as a proxy server.
GriftHorse Android Trojan
A nefarious Android trojan called GriftHorse, hidden in an aggressive mobile premium-services campaign, has stolen hundreds of millions of euros. The discovery comes from Zimperium zLabs researchers, who found that the trojan relies on malicious Android applications, and on user interactions with them, to spread more widely and infect more devices.
“These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent,” the report revealed.
Forensic evidence indicates that the GriftHorse threat actor has been running its operation since November 2020. Not surprisingly, the malicious Android apps involved were distributed through Google Play, but third-party app stores were also used. Following disclosure to Google, the company removed the malicious apps from the Play Store. The bad news is that the apps were still available for download from third-party app repositories at the time of the original report (September 2021).
Ermac Android Trojan
ERMAC is another Android banking trojan, previously undetected, that was identified in September 2021. The malware appears to have been created by the BlackRock cybercriminals and is built on the code of the infamous Cerberus.
“If we investigate ERMAC, we can find out that ERMAC is a code-wise inheritor of a well-known malware Cerberus. It uses almost identical data structures when communicating with the C2, it uses the same string data, et cetera,” said ThreatFabric. The researchers’ first impression was that the new Trojan is another variant of Cerberus. Despite having a different name and using different obfuscation techniques and a new string encryption, ERMAC is another Cerberus-based trojan.
The difference from the original Cerberus is that ERMAC uses a different encryption scheme when communicating with the command-and-control server: the data is encrypted with AES-128-CBC and prepended with a double word containing the length of the encoded data, the report said.
A definite connection with the BlackRock malware operators is the usage of the same IP address as command-and-control.
FoggyWeb Post-Exploitation Backdoor
According to Microsoft Threat Intelligence Center (MSTIC), the so-called FoggyWeb is a post-exploitation backdoor. The NOBELIUM threat actor employs multiple techniques to carry out credential theft. Its current target is gaining admin-level access to Active Directory Federation Services (AD FS) servers.
The backdoor is also described as “passive” and “highly targeted,” with sophisticated data exfiltration capabilities. “It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” the researchers added. It is also noteworthy that the malware operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS.
“Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains,” Microsoft concluded.
Solarmarker Backdoor
Solarmarker activities were observed independently by researchers at CrowdStrike and Cisco Talos. Both companies detected Solarmarker last year, in October and September, respectively. However, Talos says that some DNS telemetry data points back as far as April 2020. This is when the researchers discovered three primary DLL components and multiple variants presenting similar behavior.
“Solarmarker’s ongoing campaign and associated family of malware are concerning. It was initially able to operate and evolve over a significant amount of time while remaining relatively undetected,” the researchers note in conclusion. They also expect to see further action and development from Solarmarker’s authors who are likely to include new tactics and procedures to the malware.
Meris DDoS Botnet
At the end of June 2021, security researchers from Russian firm Qrator started observing “a botnet of a new kind.” Joint research with Yandex followed to discover more about this new DDoS threat “emerging in almost real-time”.
A pretty substantial, constantly growing attacking force, as Qrator put it, was uncovered in the form of tens of thousands of host devices. The botnet has been dubbed Meris, meaning Plague in Latvian.
“Separately, Qrator Labs saw the 30 000 host devices in actual numbers through several attacks, and Yandex collected the data about 56 000 attacking hosts,” according to the official report. This number is most likely even higher, reaching 200,000. It is noteworthy that this botnet’s devices are highly capable and are not the statistically average devices connected via Ethernet.
The New Mirai?
“Some people and organizations already called the botnet “a return of Mirai”, which we do not think to be accurate,” Qrator noted. Since the researchers haven’t seen the malicious code behind this new botnet, they can’t say for sure whether it is somehow related to Mirai. However, since the devices it bands together come from only one manufacturer, MikroTik, it is more likely that the Meris botnet has nothing to do with Mirai.
LockFile Ransomware
The LockFile ransomware emerged in July 2021. The ransomware has been exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers in its attacks. The flaws are used “to breach targets with unpatched, on-premises Microsoft Exchange servers, followed by a PetitPotam NTLM relay attack to seize control of the domain,” according to Sophos’ Mark Loman.
What is most notable about this ransomware, however, is its encryption. Intermittent encryption had not been used by any known ransomware before, and the threat actors chose it for evasion purposes.
How does intermittent encryption work? The cryptovirus encrypts only every other 16-byte chunk of a file, in an attempt to evade detection by ransomware protection solutions. Apparently, a document encrypted this way looks statistically very similar to the unencrypted original.
Evasion works against anti-ransomware tools that rely on so-called chi-squared (chi^2) analysis: partial encryption alters the byte statistics this analysis measures and thus confuses it.
It is also noteworthy that the ransomware does not need to connect to a command-and-control server, which makes its under-the-radar behavior even more effective and means that it can encrypt data on machines that do not have internet access.
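To make the chi-squared point concrete, here is an added example (not from the article, Sophos or LockFile itself) that scores a constructed text document three ways: plaintext, fully encrypted, and intermittently encrypted in the alternating 16-byte pattern described above. Ciphertext is simulated with seeded pseudo-random bytes rather than real encryption, the detector cutoffs are assumptions, and the per-block check at the end goes beyond the article by showing one way a defender can still catch partial encryption.

```python
"""Added example: whole-file chi-squared scoring vs. intermittent encryption."""
import random
from collections import Counter

BLOCK = 16                  # chunk size from the article (alternating 16-byte chunks)
CHI2_ENCRYPTED_MAX = 500.0  # assumed detector cutoff: uniform bytes score ~255 (df = 255)
NONPRINT_PER_BLOCK = 4      # assumed trigger for the per-block heuristic below

# Constructed sample document: plain ASCII text, 3200 bytes = 200 blocks of 16.
TEXT = (("Quarterly report: revenue grew while costs stayed flat. "
         "See the attached spreadsheet for the regional breakdown.\n") * 40)[:3200]

_rng = random.Random(2021)  # seeded so runs are reproducible

def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: AES output is indistinguishable from uniform bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

def simulate_full(data: bytes) -> bytes:
    """Whole file replaced by ciphertext-like bytes."""
    return _random_bytes(len(data))

def simulate_intermittent(data: bytes) -> bytes:
    """Replace every other 16-byte block, leaving the blocks between untouched."""
    out = bytearray(data)
    for i in range(0, len(out), 2 * BLOCK):
        out[i:i + BLOCK] = _random_bytes(len(out[i:i + BLOCK]))
    return bytes(out)

def chi_square(data: bytes) -> float:
    """Chi-squared statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def whole_file_flags_encrypted(data: bytes) -> bool:
    """Naive detector: a near-uniform byte histogram means 'encrypted'."""
    return chi_square(data) < CHI2_ENCRYPTED_MAX

def suspicious_block_fraction(data: bytes) -> float:
    """Fraction of 16-byte blocks holding >= NONPRINT_PER_BLOCK non-text bytes.
    Scored per block, so alternating ciphertext cannot hide behind the plaintext."""
    def is_text(b: int) -> bool:
        return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    hits = sum(1 for blk in blocks if sum(not is_text(b) for b in blk) >= NONPRINT_PER_BLOCK)
    return hits / len(blocks)

if __name__ == "__main__":
    plain = TEXT.encode()
    for name, sample in (("plaintext", plain), ("fully encrypted", simulate_full(plain)),
                         ("intermittent", simulate_intermittent(plain))):
        print(f"{name:16s} chi2={chi_square(sample):9.1f} "
              f"flagged={whole_file_flags_encrypted(sample)} "
              f"suspicious blocks={suspicious_block_fraction(sample):.2f}")
```

The whole-file score flags the fully encrypted copy but not the intermittent one, whose histogram is still dominated by the untouched text; the per-block fraction lands near 0.5 for it, which is the signal a defender wants.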
XCSSET Mac Malware
In March 2021, SentinelLabs researchers became aware of a trojanized Xcode project targeting iOS developers. The project was a malicious version of a legitimate, open-source project available on GitHub that lets iOS programmers use several advanced features for animating the iOS tab bar.
A similar campaign was detected in April, targeting Xcode developers equipped with Macs running Apple’s new M1 chips. The malware is also capable of stealing sensitive information from cryptocurrency applications.
It should be noted that the so-called XCSSET malware was first discovered in August 2020, when it was spreading via altered Xcode IDE projects. The malware usually acts by repackaging payload modules to appear as legitimate Mac apps, which end up infecting local Xcode projects.
Newer XCSSET variants are compiled specifically for Apple M1 chips. This is a clear sign that the malware operators are adapting their malware to fit the latest Apple technologies.
All the malware cases described above depict the importance of adequate protection, prevention and excellent online hygiene habits. In these troubling times, let’s not forget how crucial it is to think of our online safety, too.