Cryptominers plateau while backdoors shoot up

Illicit cryptocurrency mining appears to be slowing down, but backdoors increased rapidly in the second quarter of the year, a report warns

Although illicit cryptocurrency mining detections still dominate the enterprise cyber threat landscape, they are slowly declining, the latest report from Malwarebytes shows.

Many criminals are not getting the return on investment from crypto mining – also known as cryptojacking – that they were expecting, according to the security firm’s cyber crime tactics and techniques report for the second quarter of 2018.

The report said that although cyber criminals continue to experiment with cryptojacking, the craze is likely to stabilise as it follows market trends in cryptocurrency. However, this means that a big spike or downturn in the currency market could quickly affect the numbers.

Another key finding of the report is that backdoor malware detections against businesses soared by 109% compared with the first quarter.

Although this was mainly driven by a single campaign dubbed Backdoor.Vools that was associated with cryptocurrency miners, the report said this threat is likely to outlive the popularity of cryptomining and businesses should pay attention.

The report pointed out that Vools uses some of the exploits used in the WannaCry attack, including the EternalBlue server message block (SMB) protocol exploit, adding that users infected with Vools should investigate any servers running on their networks with vulnerable SMB protocols.
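The report's advice to check for servers still exposing a vulnerable SMB protocol can be turned into a quick inventory. The following PowerShell is an added example written for this page, not code from Malwarebytes or the report; it assumes a Windows 8/Server 2012 or later host with the built-in SmbShare and NetTCPIP modules, run from an elevated prompt. It reports whether SMBv1 (the protocol version the EternalBlue exploit targets) is still enabled, whether SMB signing is required, and which non-administrative shares are exposed, so the host can be prioritised for patching or for disabling SMBv1.

```powershell
# Added example (not from the Malwarebytes report or the article):
# inventory a Windows host's SMB exposure so servers still speaking SMBv1
# can be found and remediated. Assumes Windows 8/Server 2012 or later and
# an elevated PowerShell session.

function Get-SmbExposure {
    [CmdletBinding()]
    param()

    # Server-side SMB settings: SMBv1 on/off, SMBv2/3 on/off, signing requirement.
    $server = Get-SmbServerConfiguration

    # Is anything actually listening on TCP 445 on this host?
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    # Exclude hidden/administrative shares (names ending in $) from the share list.
    $shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $server.EnableSMB1Protocol
        Smb2Enabled     = $server.EnableSMB2Protocol
        SigningRequired = $server.RequireSecuritySignature
        ListeningOn445  = [bool]$listener
        Shares          = ($shares -join ',')
    }
}

$report = Get-SmbExposure
$report | Format-List

if ($report.Smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $($report.ComputerName); disable it unless a legacy client still requires it."
    # Remediation (left commented so the inventory run is read-only):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

if (-not $report.SigningRequired) {
    Write-Warning "SMB signing is not required on $($report.ComputerName); consider enforcing it."
}
```

To run the same check across a fleet, pass the function body to `Invoke-Command -ComputerName <your server list> -ScriptBlock ${function:Get-SmbExposure}` and collect the returned objects; the host names are your own inventory, not values from the report. The example deliberately only reads configuration; the `Set-SmbServerConfiguration` line is commented out so that the decision to disable SMBv1 stays with the administrator, since some legacy clients and appliances still depend on it.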

“Since this malware uses exploit technology, a system or network may become infected with little or no interaction from users,” the report said. “The primary fear of Vools’ capabilities is not due to its mining component or even its use of EternalBlue, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion.”

According to Malwarebytes, this matters because a backdoor lets cyber criminals gain access to systems undetected and then listen in on businesses and consumers without their knowledge. They can also use the backdoor to install additional malware on those systems at a later date.

GandCrab now king of ransomware

Although ransomware detections against businesses saw an overall drop of 35% in the second quarter, Malwarebytes said GandCrab is now the top ransomware variant being used in the wild.

This “incredibly popular” payload of multiple spam campaigns was dropped via email in the first quarter, but in the second quarter, GandCrab moved over to the Magnitude exploit kit for distribution, researchers found.

While GandCrab led the way in ransomware, the report said other families also made appearances in Q2, such as SamSam and Spartacus, continuing the trend of smaller, experimental campaigns over global-scale outbreaks.

Adware detections hold steady

Adware is still a top consumer detection in terms of volume, the report said, increasing by 19% compared with the first quarter. It remains a top business detection as well, just behind cryptominers and banking Trojans.

However, the report said the only significant development in this malware category in Q2 was Kwik, a Mac adware campaign that used system configuration profiles as a means of attack, an approach the report described as “novel and sneaky”.

VPNFilter malware makes its debut

Another key highlight of the second quarter, the report said, was the debut of the VPNFilter malware, which was used to carry out advanced, multi-staged attacks that reportedly infected more than 500,000 small office and consumer-grade routers and network-attached storage (NAS) devices.

The attack spanned more than 50 countries and affected major brands such as Asus, D-Link, Linksys, and Netgear, the report said.

VPNFilter is capable of covertly monitoring all traffic on the network in order to exfiltrate data, serve up man-in-the-middle attacks, or even destroy infected devices, the report said.

This malware is not only able to harvest usernames and passwords, but it can also change webpages and insert artificial data to deceive users. VPNFilter could also be used to perform distributed denial of service (DDoS) attacks or as a catalyst to install other software, such as coin miners.

Zero-day exploits experienced a resurgence in the second quarter, the report said, thanks in part to exploits that capitalise on critical flaws identified in popular software. While software suppliers have been quick to issue fixes, the report said many consumer and enterprise users do not patch promptly and therefore remain exposed.

The exploits in Adobe Flash Player, VBScript engine and Adobe Reader were first used in either MS Office or Adobe documents, which the report said is a sign that the threat landscape has shifted from drive-by attacks to social engineering schemes.

Scammers target PII

Finally, the report highlighted that scammers are increasingly targeting personally identifiable information (PII). In the second quarter, researchers observed scammers blatantly stealing PII from victims with bitcoin scams.

“Light regulation, limited fraud protection and poor support on exchanges contributed to making social engineering attacks against bitcoin wallets highly lucrative,” the report said. “But as the victim pool for traditional tech support scams has contracted in the face of user awareness and increased enforcement, scammers have been stealing passwords, bank account information, and email accounts with increasing frequency.”

It added that the EU General Data Protection Regulation (GDPR) is likely to drive PII theft even further because of the value of PII on the black market.
