Crimeware: Malware and massive campaigns around the world

Within the world of IT security, one of the biggest concerns for companies and users is malicious code that can compromise their systems and/or information networks. This concern is not at all unfounded, as cases of malware and crimeware incidents are reported daily around the world. Indeed, the number of reports, detections and threats observed by the various antivirus laboratories grows constantly and daily, and shows increasing diversity.

2015 was no exception, and not only was the growth of cybercrime observed worldwide but we also saw a change in its aggressiveness and in the types of attack (ransomware being one particular example).

IOCTA (Internet Organized Crime Threat Assessment) reported a shift in the way attackers acted, with confrontation being one of the most significant changes. Further developments include the rise of zombie computer networks that seek to infect users’ systems with ransomware variants – so as to extort money from them – as well as cybercriminals who use physical force to intimidate security companies into not exposing their threats.

When speaking of malware campaigns, we do not mean directed attacks or APTs (advanced persistent threats), but the mass propagation of malware commonly used to steal information from users and companies. 2015 presented different challenges for identifying and blocking mass campaigns that spread malware through channels such as email, mass storage devices or compromised websites that redirect their visitors to different types of exploits. The increasingly rapid changes in code and the volume of threats that affect companies are some of the challenges that victims have to face.

The cybercrime ecosystem has different actors who cover a wide framework of criminal activity involving goods and services that provide infrastructural support for malicious action. Such actions, involving banking trojans and RATs (remote access tools) were the subject of several investigations on the part of security agencies.

However, cybercriminals continue to find ways to reach users. Such is the case with regionalized malware campaigns like Operation Liberpy, initially spread through email; Operation Buhtrap, infecting its victims through compromised websites that served malware installers; Brolux, a trojan that attacked Japanese online banking sites; and cases with global impact such as Dridex.

It is important to stress that these campaigns affect not only home users, but small businesses, medium-sized companies, and even large enterprises. According to a report by the Ponemon Institute, the average cost of these incidents to companies worldwide was $7.7 million for the first half of 2015. Some of the companies cited in the report lost up to $65 million as a consequence of security incidents they suffered.

Botnets, zombies and global campaigns

For several years, zombie computer networks, also known as botnets, have been the most important infrastructural component in the world of cybercrime actors. Their role in the world of cybercrime is central, within a model where the purchase and sale of services, information theft, or campaigns spreading ransomware are facilitated by botnets.

In other words, hundreds or thousands of computers that are part of such networks are used for sending spam, launching denial of service attacks, and performing other malicious actions.

The threat impact of botnets has inspired many in-depth studies on how to identify their behavior: that is, how to identify patterns that allow security teams to detect and block connections within their networks. Moreover, there are security solutions such as those offered by ESET, which include functionalities capable of recognizing these communications, in order to block them and prevent information theft.
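One of the patterns a security team can look for in its own network logs is the regular "check-in" rhythm of a compromised machine contacting its controller. The script below is an added illustration, not code from ESET or from the article: it parses a handful of constructed outbound-connection log lines (timestamp, source, destination, port; the addresses are documentation ranges, not real infrastructure) and flags flows whose inter-connection gaps are nearly constant, which ordinary browsing rarely produces. The threshold values are assumptions to be tuned per environment.

```python
"""Beacon-interval heuristic over constructed outbound-connection log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real traffic): timestamp, source, destination, dst port.
# 203.0.113.7 is contacted roughly every five minutes; 198.51.100.20 is contacted irregularly.
SAMPLE_LOG = """\
2015-11-02T10:00:00 10.0.0.5 203.0.113.7 443
2015-11-02T10:00:03 10.0.0.5 198.51.100.20 80
2015-11-02T10:05:01 10.0.0.5 203.0.113.7 443
2015-11-02T10:07:44 10.0.0.5 198.51.100.20 80
2015-11-02T10:09:59 10.0.0.5 203.0.113.7 443
2015-11-02T10:15:00 10.0.0.5 203.0.113.7 443
2015-11-02T10:18:12 10.0.0.5 198.51.100.20 80
2015-11-02T10:20:02 10.0.0.5 203.0.113.7 443
2015-11-02T10:24:58 10.0.0.5 203.0.113.7 443
2015-11-02T10:31:30 10.0.0.5 198.51.100.20 80
2015-11-02T10:32:05 10.0.0.5 198.51.100.20 80
"""


def parse_log(text):
    """Return {(src, dst, port): [datetime, ...]} from whitespace-separated log lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Flag flows whose gaps between connections are nearly constant.

    jitter = population std-dev of the gaps / mean gap (both in seconds).
    Human-driven traffic is bursty (high jitter); a timer-driven check-in is not.
    Thresholds are assumed starting points, not universal constants.
    """
    hits = []
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "flow": key,
                "count": len(times),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

A hit is a lead for analysts, not a verdict: legitimate software (update checks, monitoring agents) also beacons, so the flagged destination should be compared against known-good services before any blocking rule is written.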

As for botnets dedicated to information theft, ESET Research Laboratories this year reported the actions of Operation Liberpy, a keystroke logger installed on more than 2,000 machines in Latin America – 96% in Venezuela – that stole credentials from its victims for more than eight months. This threat, detected as Python/Liberpy, initially spread through emails and then continued to spread via USB devices, taking advantage of Windows shortcut files to infect new systems. This latter propagation method is similar to that used by other families such as Bondat, Dorkbot and Remtasu, all mainly active in Latin America.

Some campaigns are not directed at any particular country, but aim to spread to as many systems as possible. One of the cases reported during 2015 was Waski, a global campaign that sought to install banking trojans worldwide to compromise victims’ systems with a variant of Win32/Battdil. The campaign started by sending emails that attempted to trick users into opening a document that would do nothing but infect their system.

Email is one of the main vectors for spreading malicious code and, as in 2014, there were multiple reports in 2015 of massive mail campaigns related to banking trojans such as Dridex through Microsoft Office documents infected with malicious macros, or the spread of ransomware, such as the waves of CTB-locker in mid-January that reached so many users’ inboxes.
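Because macro-laden Office attachments were the delivery vehicle for Dridex and similar banking trojans, a cheap triage step on a mail gateway is to look inside each attachment rather than trusting its extension. The following is an added example, not code from ESET or the article: it builds two constructed, minimal OOXML (Word-style) documents in memory, one with and one without a `vbaProject.bin` part, and classifies attachments accordingly. The function names, the `needs_review` policy and the placeholder macro bytes are assumptions for the illustration; legacy binary `.doc`/`.xls` files are only recognized by their OLE header and would need a proper OLE parser to inspect.

```python
"""Attachment triage: detect the VBA macro part inside OOXML documents (constructed samples)."""
import io
import zipfile

# Header of the legacy OLE2 compound file format used by binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(with_macro):
    """Construct a minimal Word-style OOXML zip in memory.

    A real document carries many more parts; only the layout that matters for
    the check is reproduced here. The macro bytes are a placeholder, not VBA.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(data):
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'unknown' for raw file bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    # Word, Excel and PowerPoint all store VBA in a part named vbaProject.bin.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    return "ooxml-macro" if has_vba else "ooxml-clean"


def needs_review(data, filename):
    """Assumed gateway policy: hold anything carrying macros, and anything we cannot inspect.

    The extension is deliberately ignored for the decision, so a macro document
    renamed to look harmless is still caught; it is returned only for logging.
    """
    kind = classify_attachment(data)
    return kind in ("ooxml-macro", "ole-legacy")


if __name__ == "__main__":
    for name, blob in (("report.docx", build_ooxml(False)),
                       ("invoice.docx", build_ooxml(True)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 8)):
        print(name, classify_attachment(blob), "review" if needs_review(blob, name) else "pass")
```

Holding every macro-bearing document is a blunt rule; organizations that rely on macros typically pair a check like this with sender allow-listing or with signature requirements for the VBA project, so that the business documents pass and the unsolicited "invoice" does not.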

Although during 2015 we have seen many joint operations between security agencies, businesses and governments to disrupt or dismantle these criminal networks, we expect to see botnets continue to be a threat and a risk for organizations and users around the world during 2016.

New families, new techniques, but the same goals

Throughout 2015, the emergence of new families of malicious code or even the incorporation of new features into previously known trojans were reported, such as the case of CoreBot, which added to its capabilities the opportunity to steal banking information from its victims. The evolution of families of malicious code to incorporate new modules or tools is constant, and part of the world of cybercrime.

Botnets were not the only area of innovation where new families of malicious code appeared. As noted in last year’s trends document, Point of Sale malware was one of the types of malicious code where new players appeared, as was the case with PoSeidon. This code attacks retail outlets and attempts to compromise terminals that take credit card payments and to scan their memory so as to “scrape” card data. Another instance of PoS malware was Punkey, which appeared a month after PoSeidon and was reported at more than 75 different IP addresses, exfiltrating information from credit cards.

Incidents involving this kind of threat – including cases reported last year such as Home Depot, UPS or Target – showed that cybercriminals seek to access large retail chains to infect outlets and thus steal data from millions of credit cards.

Such incidents accelerated the need for a reassessment of how PoS machines are protected and brought to light some curious cases, such as that of certain manufacturers who used the same default password for 26 years.

At other times, cybercriminals have abused flaws in websites or even fake game pages, where they hosted copies of their malicious code. Through CMS (content management system) plugin flaws, the attackers breached the security of thousands of websites so as to use them to host content harmful for users.

Collaboration is the key to fighting cybercrime

Enforcement agencies and businesses around the world collaborate to fight cybercrime and make the internet a safer place. During 2015, in addition to announcements by Europol on how threatening cybercrime has become, joint operations have been performed to disrupt or dismantle networks of zombie computers. Some of these operations, coordinated and distributed around the world, successfully culminated in cases such as the dismantling of Dridex, Liberpy, Ramnit, and the arrest of the creator of the Gozi Trojan.

In addition to this direct action against certain families of malware, the security agencies also succeeded in arresting a number of cybercriminals associated with criminal forums, such as the case of Darkode where 62 people in 18 countries were arrested for various computer crimes.

Where are we going?

To summarize the most important events of recent times in terms of more general purpose malware, we can see that the barrier separating it from directed attacks is becoming more transparent. Cybercriminals continue to employ different propagation techniques in order to infect as many systems as they possibly can, either by incorporating newly-discovered vulnerabilities into different exploit kits or by using campaigns to spread malware.

In other words, the evolution of cybercrime continues to threaten users, and malware-spreading campaigns have grown in scale and achieved different levels of effectiveness. To combat these actions, the collaboration of experts, security agencies and other entities is key to disrupting cybercrime and helping users to enjoy the internet without undue anxiety.

2016 will continue to reveal the further development of families of malicious code, either in new variants or in the incorporation of features that they did not have before. As cybercrime has become more threatening, companies globally have increased their investment in security by 4.7%, and security agencies are enhancing their efforts to take down botnets and to put cybercriminals behind bars. In other words, 2016 will present new security challenges, but also a more active and organized front in the fight against cybercrime.

This article is an adapted version of the corresponding section from ESET’s 2016 trends paper, (In)security Everywhere.

Copyright © 2016 ESET, All Rights Reserved.