Malicious Threat Detection RedSocks

Cyber Threat Landscape 2018: a first glance at the cyber trends

Ahead of the new year 2018, cyber threat intelligence analysts at RedSocks Security gave their predictions on what trends could make the highlights. Seven months later, they are looking back at seven months of data to list the major cyber threats spotted by the Malicious Threat Detector and in the labs.

No major attack yet but many breaches

2017 was marked by major worldwide attacks such as WannaCry and NotPetya. As of summer 2018, no attack of this type has yet made the news. On the other hand, major breaches have occurred, leaking sensitive files and costing companies even more, some of them happening under the now enforced GDPR.

Examples: SingHealth, TicketFly, Reddit.

The peak of appeal of cryptocurrencies

After the massive rise in their value in late 2017, a rise in criminal activity around cryptocurrencies was to be expected. Although the peak of interest seems to have passed in the first quarter, RedSocks analysts still believe crypto-motivated crimes will continue for the rest of the year in the following forms:

  • Ransomware demanding payment in cryptocurrencies

  • Cryptojacking, defined as sneaking mining malware onto a victim's devices in order to use their processing power to mine cryptocurrencies.

  • Theft

  • Phishing: our phishing labs have shown numerous campaigns hijacking crypto brands, promoting fake airdrops or giveaways.

More unconventional threats: smart malware, fileless malware and legitimate environments

Smart malware are programs which automatically choose their action based on the environment they have been installed on. For instance, a variant of the Rakhni ransomware can decide which attack will be the most profitable: mining cryptocurrencies or encrypting files to demand a ransom.

Another type of unconventional malware is fileless malware. These are malware operating directly from the computer's memory, using Windows tools such as PowerShell, which are installed on every device and which are, as of now, not detected by antivirus software. Another way to bypass antivirus has been seen in the use of .iqy files, specifically in spam. Once the user has opened the link, these files are opened by default in Office and are used to download data from the Internet, and eventually to install remote access trojans.
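The .iqy vector above relies on Excel fetching whatever URL the file's third line names. A mail gateway can act on that before the attachment ever reaches Office. The following check is an added example (not RedSocks code and not from the original post): it parses a constructed .iqy body, extracts the remote URL, and blocks the attachment unless the host sits on an assumed internal allowlist. The sample hosts and the allowlist suffix are placeholders, not indicators from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an Excel Web Query (.iqy) body of the kind seen in spam:
# a "WEB" header, a version line, then the URL Excel will fetch when opened.
# The host is a placeholder, not an indicator from the original post.
SAMPLE_IQY = """WEB
1
http://attacker-placeholder.example/stage1.dat

Selection=AllTables
Formatting=None
"""

# Constructed benign sample pointing at an assumed internal reporting host.
BENIGN_IQY = """WEB
1
http://intranet.corp.example/reports/sales.htm

Selection=AllTables
"""

# Assumed allowlist of internal host suffixes; adjust to your own environment.
TRUSTED_HOST_SUFFIXES = (".corp.example",)


def parse_iqy(text):
    """Return (kind, url, params) for an .iqy body, or None if it is not one."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    url = lines[2]
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return lines[0], url, params


def assess_iqy(text, trusted_suffixes=TRUSTED_HOST_SUFFIXES):
    """Classify an attachment body as 'not_iqy', 'allow' or 'block', with reasons."""
    parsed = parse_iqy(text)
    if parsed is None:
        return "not_iqy", []
    _, url, _ = parsed
    reasons = []
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        reasons.append("unsupported or missing URL scheme")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host in URL")
    elif not host.endswith(trusted_suffixes):
        reasons.append(f"external host {host}")
    if re.match(r"^\d+\.\d+\.\d+\.\d+$", host):
        reasons.append("raw IP address as host")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    for name, body in (("spam sample", SAMPLE_IQY), ("benign sample", BENIGN_IQY)):
        verdict, why = assess_iqy(body)
        print(f"{name}: {verdict} {why}")
```

The decision is deliberately host-based rather than URL-based: the file carries a single fetch target, so an external host is reason enough to hold the attachment, whatever path or parameters follow.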

Similar to fileless malware using legitimate Windows tools, RedSocks Security has noticed the rise of programs using legitimate environments like Cloud Storage Services and Social Media.

Trickbots

Trickbot is a Trojan targeting customers of financial institutions. Active since 2016, this malware is known for regular updates that keep it one step ahead of security measures. Among its features, this Trojan uses phishing campaigns and the EternalBlue vulnerability for infection. The new variant discovered in early 2018 installs itself on TeamViewer and proceeds to lock the user's device as a lateral movement.

The Trickbot gang behind the malware seems to have good knowledge of its targets, which it has applied to an interesting business model. Last but not least, Trickbots have been involved in crypto thefts since late 2017.

Examples of IPs, URLs and hashes found in our labs

URLs (tcp):
  15616.royalwebhosting.net/PreLoader_c07.bin
  36.37.176.6/lindoc3/trickbot
  autopin.co.uk/sdfgdsg1?

IP addresses (CIDR, protocol:port):
  185.158.114.129/32    tcp:447
  185.158.115.151/32    tcp:443
  185.158.115.57/32     tcp:447
  185.158.115.61/32     tcp:443
  185.158.175.95/32     tcp:443
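The indicators listed above are only useful once they are matched against what the network actually saw. The script below is an added example (not RedSocks code and not part of the original post): it loads the page's URL and CIDR/port indicators, normalizes URLs so that scheme, host case and a trailing "?" do not defeat the comparison, and scans constructed proxy and firewall log lines in two assumed formats (timestamp, client, method, URL for the proxy; timestamp, source, destination, protocol, port for the firewall). The log lines are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the lab list above.
TRICKBOT_URL_INDICATORS = [
    "15616.royalwebhosting.net/PreLoader_c07.bin",
    "36.37.176.6/lindoc3/trickbot",
    "autopin.co.uk/sdfgdsg1?",
]
TRICKBOT_NET_INDICATORS = [
    ("185.158.114.129/32", "tcp", 447),
    ("185.158.115.151/32", "tcp", 443),
    ("185.158.115.57/32", "tcp", 447),
    ("185.158.115.61/32", "tcp", 443),
    ("185.158.175.95/32", "tcp", 443),
]

# Constructed log lines in two assumed formats (not real traffic):
#   proxy:    <timestamp> <client> <method> <url>
#   firewall: <timestamp> <src> <dst> <proto> <dport>
LOG_LINES = [
    "2018-06-12T10:01:02Z 10.0.0.15 GET http://15616.royalwebhosting.net/PreLoader_c07.bin",
    "2018-06-12T10:01:05Z 10.0.0.15 GET https://www.example.org/index.html",
    "2018-06-12T10:02:10Z 10.0.0.15 185.158.115.57 tcp 447",
    "2018-06-12T10:02:11Z 10.0.0.22 185.158.115.57 tcp 80",
    "2018-06-12T10:03:00Z 10.0.0.22 GET HTTP://Autopin.co.uk/sdfgdsg1?",
]


def normalize_url(url):
    """Reduce a URL to lowercase host + path (+ query if any), ignoring scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    norm = host + (parts.path or "/")
    if parts.query:
        norm += "?" + parts.query
    return norm


def build_indicators():
    """Pre-parse indicators: a set of normalized URLs and a list of (network, proto, port)."""
    urls = {normalize_url(u) for u in TRICKBOT_URL_INDICATORS}
    nets = [(ipaddress.ip_network(cidr), proto, port)
            for cidr, proto, port in TRICKBOT_NET_INDICATORS]
    return urls, nets


def match_line(line, urls, nets):
    """Return ('url'|'net', client, indicator) on a hit, else None."""
    fields = line.split()
    if len(fields) == 4 and fields[2] in ("GET", "POST", "CONNECT"):
        if normalize_url(fields[3]) in urls:
            return ("url", fields[1], fields[3])
        return None
    if len(fields) == 5:
        try:
            dst = ipaddress.ip_address(fields[2])
            port = int(fields[4])
        except ValueError:
            return None
        for net, proto, p in nets:
            if dst in net and fields[3].lower() == proto and port == p:
                return ("net", fields[1], f"{dst}:{port}")
    return None


def scan(lines):
    """Scan log lines and return the list of hits, in input order."""
    urls, nets = build_indicators()
    return [hit for hit in (match_line(ln, urls, nets) for ln in lines) if hit]


if __name__ == "__main__":
    for kind, client, indicator in scan(LOG_LINES):
        print(f"{kind:3} hit from {client}: {indicator}")
```

Port is part of the network match on purpose: the list pairs each address with tcp/447 or tcp/443, and a connection to the same address on another port (the constructed port-80 line) is left for analyst review rather than raised as a Trickbot hit.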
Malicious delivery campaigns

Major malicious delivery campaigns have been active in the first half of 2018, including the Keitaro campaign and the EITest malware. The latter operates through a scam: the targeted user is redirected to a fake technical support page that blocks the browser, in the hope that the user will panic and contact the malicious organization.

Social Engineering: phishing, spear-phishing, scareware and false flag operations

It is no news that cyber attacks are both technical and social operations, and the threat only seems to grow along with the use of social media. Common attacks such as CEO fraud, phishing, spear phishing and prank calling do not seem to be decreasing, while some campaigns are still copying processes from 2016.

Alongside these usual trends, our analysts have observed a rise in scareware and false flag operations.

Scareware is malware designed to deceive users and trick them into buying or downloading malicious programs.

Example: some scareware tells the victim that a virus is present on their device. Others practice extortion, falsely informing the user that the actor holds information about them.

False flag operations are attacks designed to appear as if they were conducted by another specific actor. This type of deception is frequently used by nation-state actors.

Ransomware-as-a-service and own botnets

Trends in the hacking community show continued development of, and interest in, cybercrime-as-a-service practices, especially regarding ransomware and financial malware. The latter have become more accessible to script kiddies, and RedSocks Security analysts expect to see their actions multiply in the near future. They have also noticed that hackers tend to create their own bots, which are more advanced and leave no trace on the computers.

Targets most exposed to the 2018 cyber threats

Over the past few months, popular targets have been energy organizations, hospitals (which have tended to pay ransoms in the past), political organizations, supply chain actors and users of IoT devices, a domain where security measures are still running far behind attackers.
