If exploits and malware were stocks and bonds, the third quarter of 2018 would have been a bull market. That’s the broad takeaway from Fortinet’s Q3 2018 “Global Threat Landscape Report,” which found malware, exploits, and threats all on the increase. From July through September, unique malware variants grew 43%, while the number of malware families grew by nearly 32%.
Despite those numbers, Anthony Giandomenico, senior security strategist/researcher at FortiGuard Labs, says cryptojacking is one of the more serious threats he’s seeing. Giandomenico realizes that many researchers view cryptojacking as more of an annoyance, but he sees two problems with that view.
Read more about the findings of the Fortinet report on DarkReading.
McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. WebCobra silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects.
The researchers believe this threat arrives via rogue PUP installers. They have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.
Read more about the WebCobra cryptojacking malware on McAfee.
As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for cryptominers, though, is that the offending process is easily detectable because of its heavy CPU utilization. To make it harder to spot a cryptominer process that is consuming all of the CPU, a newly discovered Linux variant attempts to hide its presence by using a rootkit.
According to a new report by Trend Micro, this new cryptominer-plus-rootkit combination will still cause performance issues due to the high CPU utilization, but administrators will not be able to see which process is causing it.
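The detection gap described above, as an added defender-side example that is not code from Trend Micro or from any article quoted here: a rootkit that hides the miner's PID from ps and top leaves the kernel's aggregate CPU counters untouched, so reconciling /proc/stat against the CPU time of the processes that remain visible surfaces the hidden load. The /proc snapshots are constructed samples, and the approach assumes the rootkit filters process listings but does not rewrite /proc/stat.

```python
# Added example, not Trend Micro's code: reconcile the aggregate 'cpu' line of
# /proc/stat with the CPU time of every process that is still visible in /proc.
# Assumes the rootkit filters PID listings but leaves /proc/stat untouched.
# The snapshots at the bottom are constructed, not captured from a real host.

def system_busy_ticks(proc_stat: str) -> int:
    """user + nice + system jiffies from the aggregate 'cpu' line of /proc/stat."""
    fields = proc_stat.splitlines()[0].split()
    if fields[0] != "cpu":
        raise ValueError("first line of /proc/stat should be the aggregate cpu line")
    return sum(int(x) for x in fields[1:4])

def process_busy_ticks(pid_stat: str) -> int:
    """utime + stime (fields 14 and 15) of one /proc/<pid>/stat record. The comm
    field is parenthesised and may contain spaces, so split after the last ')'."""
    tail = pid_stat[pid_stat.rfind(")") + 1:].split()  # tail[0] is field 3, the state
    return int(tail[11]) + int(tail[12])

def reconcile(before: tuple, after: tuple) -> dict:
    """Each snapshot is (text of /proc/stat, {pid: text of /proc/<pid>/stat}).
    Returns the system-wide busy delta, the share visible processes account for,
    and the remainder that no listed PID explains."""
    sys_delta = system_busy_ticks(after[0]) - system_busy_ticks(before[0])
    visible = 0
    for pid, rec in after[1].items():
        prev = before[1].get(pid)
        visible += process_busy_ticks(rec) - (process_busy_ticks(prev) if prev else 0)
    return {"system": sys_delta, "visible": visible, "unaccounted": sys_delta - visible}

def hidden_load_ratio(result: dict) -> float:
    """Fraction of the interval's CPU work that no visible process claims. Processes
    that exited mid-interval add a little noise; a miner pegging the CPU for
    minutes pushes this toward 1.0, which is the alerting signal."""
    return result["unaccounted"] / result["system"] if result["system"] else 0.0

# Constructed snapshots a few seconds apart: the aggregate counter advanced by 800
# jiffies while the two visible PIDs used only 25 between them.
SNAP_BEFORE = ("cpu  10000 200 3000 500000 100 0 50 0 0 0\n",
    {1: "1 (systemd) S 0 1 1 0 -1 4194560 2000 100 0 0 120 80 0 0 20 0 1 0 5",
     4321: "4321 (sshd: root [priv]) S 1 4321 4321 0 -1 4194304 500 0 0 0 30 25 0 0 20 0 1 0 999"})
SNAP_AFTER = ("cpu  10600 200 3200 500400 100 0 50 0 0 0\n",
    {1: "1 (systemd) S 0 1 1 0 -1 4194560 2010 100 0 0 130 85 0 0 20 0 1 0 5",
     4321: "4321 (sshd: root [priv]) S 1 4321 4321 0 -1 4194304 520 0 0 0 35 30 0 0 20 0 1 0 999"})

if __name__ == "__main__":
    r = reconcile(SNAP_BEFORE, SNAP_AFTER)
    print(r, f"hidden share of CPU work: {hidden_load_ratio(r):.2f}")
```

On a live host, take the two snapshots a few seconds apart by reading /proc/stat and every /proc/<pid>/stat, and alert when the hidden share stays high across several intervals rather than on a single reading.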
The Trickbot banking malware has added yet another tool to its arsenal, allowing crooks to steal passwords as well as browser data, including web history and usernames.
The malware first appeared in 2016, initially focused on stealing banking credentials — but Trickbot is highly customisable and has undergone a series of updates since then. The latest trick — picked up by researchers at both Trend Micro and Fortinet — is the addition of a new module designed to steal passwords. This new Trickbot variant first emerged in October.
Read more about the latest version of the Trickbot malware on ZDNet.
A malicious group known as the “Inception attackers” has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn. Active since at least 2014, the group has used custom malware against targets spanning various industries worldwide, with a special interest in Russia.
In October 2018, the threat actor was observed hitting various European targets in attacks employing an exploit for a vulnerability (CVE-2017-11882) that Microsoft patched in November 2017. Furthermore, the hackers were using a new PowerShell backdoor dubbed POWERSHOWER, which revealed high attention to detail in terms of cleaning up after infection.
Researchers from Symantec have uncovered the malware tool North Korea’s infamous Lazarus Group has been using since 2016 to empty millions of dollars in cash from ATMs belonging to mostly small and midsize banks in Asia and Africa.
In a report this week, the security vendor described the malware as designed to intercept and approve fraudulent ATM cash withdrawal requests before they reach a bank’s underlying switch application server that processes them.
Read more about the Lazarus Group ATM malware on DarkReading.
The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), has set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.
The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples. In addition, USCYBERCOM also created a new Twitter account where it would tweet a link to all new VirusTotal malware uploads. USCYBERCOM’s decision was met with universal praise by leading voices from the cybersecurity private sector.
Read more about USCYBERCOM’s popular initiative on ZDNet.
Stuxnet allegedly has a vicious little brother, or perhaps a malicious cousin; the complex malware was likened to Stuxnet but described as “more violent, more advanced and more sophisticated.” Iran, according to the Times of Israel, admitted that its “infrastructure and strategic networks” were hit by a meaner, leaner version of Stuxnet. A TV news report added that the Iranians are “not admitting […] how much damage has been caused.”
The report came after Iranian Supreme Leader Ayatollah Khamenei said Iran needed to step up efforts to fight enemy “infiltration.” Reuters also reported that Gholamreza Jalali, the head of Iran’s civil defense agency, said, “Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems.” Jalali didn’t go into more detail.
Webroot highlights the top cyberattacks of 2018 in its latest nastiest malware list, which showcases the malware and attack payloads that have been most detrimental to organisations and consumers alike.
Emotet is this year’s nastiest botnet that delivers banking Trojans. It aspires to increase the number of zombies in its spam botnet, with a concentration on credential gathering. Threat actors have recently developed a universal plug and play (UPnP) module that allows Emotet to turn victims’ routers into potential proxy nodes for their command-and-control infrastructure.
A new member of the GPlayed Trojan family has been discovered, designed to attack customers of a Russian-owned state bank. Earlier this month, researchers from Cisco Talos revealed GPlayed, an “extremely powerful” Trojan which pretends to be a Google service when infecting Android mobile devices.
At the time of discovery, the researchers said they believed the malware was still in development due to clues in the code — but this did not detract from the fact the Trojan was extremely flexible, used obfuscation, and contained strong destructive and data-stealing capabilities. It has now been found that GPlayed is not the only member of the new Trojan family. Talos said that the malware’s “younger brother” has also appeared on the radar.
Read more about the GPlayed Trojan’s “younger brother” on ZDNet.