Malware evolution

We ought to understand the evolution of malware, to tackle it, writes Darrel Rendell, UK Intelligence Analyst at anti-phishing product company Cofense.

A phishing campaign was recently observed to be distributing a form of ransomware known as Hermes. The similarities between this particular campaign and those used to distribute ‘GandCrab’ and ‘Sigma’ ransomware demonstrate the efficacy and ubiquity of the recently coined “Ransomware-as-a-Service” model, which has become prevalent in the last 24 months.

This is just one example of how, by taking a look back – even into the recent past – and understanding the evolutionary steps undergone by forms of malware, and how malicious actors have developed their products over time, it is possible to predict the direction in which that malware is heading. Knowing this gives incident responders a degree of proactivity and speed in remediation.

Following the WannaCry ransomware attack that crippled the NHS in May 2017, and the NotPetya attack that brought companies to a halt across the globe only a month later, the threats posed by cyber-criminals to our information security and even our critical national infrastructure have now become headline news.

At the same time as these events took the limelight, however, less visible evolutions were continuing to take place, forever changing the threat landscape. Over time, bad actors have demonstrated how quickly they are able to exploit recently disclosed vulnerabilities, change how they use or modify malware, and profit from new attack surfaces. Indeed, as a result of the proliferation of cryptocurrencies, the growth in enterprise use of cloud platforms, and ongoing leaks of sophisticated and highly effective exploitation methods, attackers now have more means of accessing sensitive corporate, financial and personal information than ever before, opening a new avenue of direct revenue generation beyond classic banking attacks. What’s more, by providing them with improved tactics, techniques and procedures, the public disclosure of sophisticated capabilities can help less-sophisticated actors catch up with their more experienced peers.

Examining these developments, to understand which vulnerabilities malicious attackers took advantage of yesterday and how they went about it, is key to preparing for the threats of tomorrow.


In compiling its Malware Report 2018, Cofense analysed millions of messages from a range of sources from which it identified a number of notable trends in the evolution of malware during 2017. It was observed how malicious actors continue to innovate new phishing delivery techniques to keep up with changing technology, and exploit new attack surfaces in order to increase infection rates and evade detection. There was a noticeable increase in the abuse of legitimate software features to deliver malware which, by its very nature, complicated its detection and mitigation by traditional network and endpoint defence solutions. The report’s authors analysed almost 600 Office-based attack campaigns, and noted how Windows-based interoperability functionality was used for malicious purposes. Around a hundred of these campaigns, for example, abused Microsoft Office Object Linking and Embedding (OLE) within a Windows document to deliver or run malware.
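One practical consequence of the OLE abuse the report describes is that embedded OLE objects are easy to surface at the mail gateway or in a triage script before a document ever reaches an inbox. The following is an added example, not code from Cofense or from the report: it opens an OOXML (.docx-style) package, lists the relationships declared as OLE or package objects, and checks whether any part under `embeddings/` begins with the Compound File Binary header that OLE containers use. The relationship-type URIs and the CFB magic bytes are the standard OOXML/OLE values; the sample document is constructed in-line and stands in for a real attachment.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship types that point at embedded OLE content
# (these URIs come from the OOXML specification, not from the article).
OLE_REL_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
# Magic bytes of a Compound File Binary, the container format of OLE objects.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def scan_docx(docx_bytes: bytes) -> dict:
    """Inspect an OOXML document and report embedded OLE objects.

    Returns the relationship targets declared as OLE/package objects, the
    embedded parts actually present in the zip (with size and whether they
    carry a CFB header), and a summary flag for the gateway to act on.
    """
    ole_targets = []
    embedded_parts = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                # Relationship files declare what each part links to; the
                # Type/Target attributes are un-namespaced in OOXML.
                root = ET.fromstring(z.read(name))
                for rel in root.iter():
                    if rel.get("Type") in OLE_REL_TYPES:
                        ole_targets.append(rel.get("Target"))
            elif "/embeddings/" in name:
                data = z.read(name)
                embedded_parts.append({
                    "part": name,
                    "size": len(data),
                    "is_cfb": data.startswith(CFB_MAGIC),
                })
    return {
        "ole_targets": ole_targets,
        "embedded_parts": embedded_parts,
        "has_embedded_ole": bool(ole_targets or embedded_parts),
    }


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed sample: a minimal .docx-like zip, optionally with an OLE stub.

    This is test input built here for the example, not a real document.
    """
    rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    rels = [f'<Relationships xmlns="{rels_ns}">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_ole:
            # Stub OLE package: CFB magic followed by filler bytes.
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 120)
            rels.append(
                '<Relationship Id="rId5" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                'Target="embeddings/oleObject1.bin"/>'
            )
        rels.append("</Relationships>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"with_ole={flag}: {scan_docx(build_sample_docx(flag))}")
```

The check is deliberately two-sided: a document can declare an OLE relationship without shipping the part, or ship a part under `embeddings/` without a matching relationship, so either signal on its own is enough to route the attachment to a sandbox or to quarantine for analyst review rather than to the user.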

Following this particular incident, it was noticed how quick cyber-criminals are to take advantage of leaked vulnerabilities, with exploits being carried out across various malware utilities within a week of the abuse technique being disclosed by a security researcher.

Ransomware was seen to be on the rise too. While Locky and Cerber ransomware continued to hold encrypted files hostage from the previous year, and whilst WannaCry and NotPetya virtually became household names, several other new ransomware families rose to prominence in 2017. Indeed, according to the report, varieties of ransomware accounted for half of the top ten new varieties of malware delivered via phishing email, illustrating the willingness of ransomware operators to adapt their methods in order to survive. Bitcoin was seen as the preferred method of ransom payment, with many actors actually providing their victims with instructions on how to pay using cryptocurrency.

Just as cryptocurrency grew in popularity, so 2017 also saw a rise in the number of cryptominers, using phishing emails to infiltrate and recruit their victims’ computers for use in the growing number of illicit cryptomining pools, in addition to in-browser miners such as Coinhive. Once compromised, these computers then perform cryptocurrency mining for their new masters which, in turn, degrades their own performance.

Remaining mindful

It’s clear from the findings of the report that, as technology develops, delivery methods continue to evolve, and malware innovations become ever more sophisticated. While we should always be mindful of those attacks that make the headlines, we should also be aware that cyber threats are taking iterative development steps on a daily basis. From understanding the patterns of the past, we can better predict the threats of the future.

Timely attack intelligence is, therefore, critical and must extend throughout every level of an organisation. Every inbox must be a sensor, and every employee a security evangelist able to trigger organisation-wide security orchestration capable of breaking an attack kill chain at delivery level.
