Endpoint security

The worm has turned: What are the trends in malware today?

Malware may not be the greatest cyberthreat to businesses today, but it’s mutating in new and dangerous ways. Alexander Eremin discusses trends in malware today.

Share article

In my daily work as a specialist malware analyst at Kaspersky, I’m often the first to come across and investigate the latest threats. I analyze lots of malicious software and explore the latest trends. Malware is a threat that’s been here since almost the start of computing. And, sorry to say, it’s here to stay.

Every day, Kaspersky’s cybersecurity systems process 346,000 new, previously unseen ‘in-the-wild’ samples. Within these, there can be well-known malware families but with some modification, so they hide from traditional antivirus products.

In this article, I explain some of the growing threats I’ve seen in the last few years that could impact your business and how to prevent them.

The difference between malware and threats

Malware is a widely-used umbrella term for many types of threats caused by malware. But there’s a difference: threats is a category wider than just malware. Threats include adware (programs that display adverts) which can be malicious, and riskware – legitimate programs that can be used to do harm in the wrong hands, like remote admin tools, password recovery and more. These threats aren’t as dangerous as malware, but they’re certainly causes of undesirable activity.

Which countries have the highest malware infection rate?

Kaspersky Security Network (KSN), a distributed antivirus network, uses a special metric that we call ‘infection rate’. This shows what percentage of users in every country face different local threats from malware – found on computers or removable media such as flash drives, memory cards, mobile phones and network drives.

For corporate users, the level of threats is, on average, 16 percent lower than for consumers. This is because users at work do less risky activities online, or face restrictive policies that prevent them from opening suspicious links and files. But the level of threat is still high: the top 10 countries for attacks have seen more than 42 percent of corporate users face local threats in the first six months of 2019. The most attacked countries are Uzbekistan, Afghanistan and Ethiopia.

In the case of web-based threats, the rate for corporate users is relatively low at only six percent. These threats can emerge when different devices connected to computers become infected. Despite the low rate of infection, consequences can be costly. The countries most attacked are Venezuela, Algeria and Albania.

What are the different classes of malware?

Malware is divided into classes by its behavior and level of threat. At Kaspersky, we follow the rule that when a malware sample has several functionalities, the one with the highest risk is assigned. For example, if a newly discovered malware is able to steal passwords (Trojan-PSW) and has backdoor abilities, it will be named ‘Backdoor’, which means that it provides the author with remote admin of the victim’s machine.

Some people call all malicious software viruses but that’s not correct: viruses have the ability to infect other applications on the victim’s device. Worms are so-called as they have the ability to self-replicate and spread over the network. Trojans, unlike viruses and worms, are unable to make copies of themselves or self-replicate, but they are malicious programs that perform actions unauthorized by the user such as deleting, blocking, modifying or copying data, and they impair the performance of infected computers.

Malware in 2019 – what classes pose the biggest threat?

The worst offender so far this year? With a big head start, Trojans are the most proliferous threat, attacking 58 percent of corporate users. Next is Hacktool malware, which affected one in four. It’s a class that includes software designed to bypass protection mechanisms, for example, cunningly disguised as a product activation tool. After that, DangerousObject (22 percent infection rate) which is connected with cloud detection technologies.

Corporate users also face a dedicated type of malware: Trojan-Downloader. As its name suggests, it’s a type of malware that can download files which infected one in 10 users. It’s one of the top corporate threats because attacks are usually multi-staged: first, a small downloader is pushed (for example, by email), next, it downloads a second stage which can be the main malware itself or an exploit (a special code to exploit vulnerability in systems) to enable further attacks.

2017 to 2019: the threat landscape in review

By analyzing the history of cybersecurity incidents, we see how much things fluctuate: one malware type can quickly become the latest hot trend for cybercriminals. Let’s take a look at the trends that have dominated the threat landscape in the last three years:

2017 – the year of ransomware

2017 became the year of ransomware, with three unprecedented outbreaks transforming the landscape forever: WannaCry, ExPetr and BadRabbit. These attacks targeted businesses and used worms and leaked exploits to self-spread and encrypt data before demanding a ransom.

The WannaCry epidemic affected hundreds of thousands of computers around the globe. The worm exploited a vulnerability in the Windows operating system implementation of the SMB protocol. After infecting a machine and executing a routine to spread further, WannaCry encrypted valuable files and displayed a ransom note. Full decryption of the affected files was impossible without paying the ransom – although our analysts discovered several flaws in WannaCry’s code that allowed some victims to restore part of their data.

The impact of WannaCry was brutal and global: carmaker Renault closed its largest factory in France and hospitals in the UK had to turn away patients. German transport giant Deutsche Bahn, Spain’s Telefónica, the West Bengal power distribution company, FedEx, Hitachi and the Russian Interior Ministry were all hit.

As a devastating high-profile attack targeting businesses, WannaCry was extremely successful. But as a ransomware plot to make lots of money, it was a failure – making only an estimated US $55,000 in bitcoins. Data loss can be a more costly threat: according to Kaspersky’s 2017 annual IT security survey, 65 percent of businesses hit by ransomware lost access to a significant amount or even all of their data.

2018 – the rise of the miners

2018 began with a rise in miner-related attacks. A miner is a special program for generating cryptocurrencies. The miner loads the central processing unit or graphics processing unit of a machine as it performs lots of heavy operations to mine cryptocurrency. As a result, the performance of the machine decreases, and other tasks are performed slowly.

Besides standard miners in the form of an executed file, in 2018 a new technique became prevalent: web-mining through a special script executed in a browser. The longer the user spends online, the more money the site’s corrupt owner can earn from mining. There could also be legal cases where such scripts are used, when a user allows the site’s owner to mine (for example, in the ‘small print’ of terms and conditions of the site) but the technology is misused and the user isn’t properly notified.

This rise of miners in 2018 even led to a decrease in DDoS (denial of service) attacks in the third quarter of 2018 as, supposedly, some botnets ‘re-profiled’ from DDoS attacks to mining cryptocurrencies. There’s a plethora of different distribution methods for mining include pirated software, social engineering, vulnerability exploitation and USB devices.

Fortunately, mining incidents are now decreasing since the 2018 peak, but the volume of attacks is still high. Our user data shows that almost 80,000 corporate users were attacked by Trojan.Win32.Miner and its modifications – the most generic family for most of the malicious miners. It’s not only anonymous miners who can attack your network from outside, sometimes the enemy comes from within. We’ve seen examples where an employee takes advantage of their position to gain access to their organization’s network.

2019 – Banking malware, supply chain attacks and more

During the last year, we’ve seen the number of cybercriminals stealing passwords on specialized forums stabilize. Trojans can steal passwords, credit card details and cookies saved in browsers. They’re also capable of stealing files that are desired by cybercriminals. At Kaspersky, we track this activity with our Botnet Attack Tracking system and have seen that thieves usually targeted text or Microsoft Office files stored on desktops. This could be done to find credentials that users store in text files, or steal sensitive corporate information. Even though most of the attacks are targeted towards consumers (almost four times as frequently), corporate users can also become the victims.

Another trend that emerged towards the end of 2018 was banking malware designed to steal user account data relating to online banking and eCommerce. The data is then transmitted to the malicious user controlling the Trojan. To perform an attack, malware is configured from a command and control server that contains a mask related to a banking service. Our data, however, showed that attacks on users in financial organizations decreased in 2018. We can explain this decrease with the unification of targets, so the masks become wider and can be applied to several services. Some bankers added cryptocurrency exchanges to the targets, so a user’s credentials for the exchange can be stolen.

There have been a lot of publicly available exploits for different vulnerabilities in the last two years. When I say exploit, I mean an illegal program or piece of code that can exploit a vulnerability in an operating system or application, like the ones used in the WannaCry campaign. Public disclosure of exploitation instruments of APT (advanced persistent threat) groups made it easier than ever before to penetrate, which could have led to new actors using this method. Publicly available exploitation tools are customizable and can be further improved by newcomer cybercriminals, so they can extend their attacks from poorly secured victims to branch out to more serious targets.

Another trend we’ve seen recently is supply chain attacks which target small companies who provide bigger organizations with a product or service. MageCart went after users of Magento, one of the most popular online store platforms. Vulnerabilities found in Magento’s platform gave cybercriminals the ability to infect dozens of sites. As a result, they could access a huge amount of payment card data that users had entered onto these sites. Victims included large companies like British Airways, who paid a record-breaking fine relating to the loss of customer data. This ‘success story’ inspired other cybercriminals, and now MageCart is attributed to several actors. I think this trend will continue, as plenty of large companies use third-party services, which can be less secure.

How to protect your business from malware threats

The threats related to malware will always be around, but it’s definitely possible to improve the security of your corporate data. Here’s my recommendations about how you can protect yourself and your business.

Train your employees to be cyber-aware

One of the top ways malware roots its way into your organization is through emails that trick employees to open a malicious attachment or go to a phishing web page. Advise employees to be wary of clicking on links in emails from people unknown to them and set restrictions on employee laptops to avoid the temptation for them to install illegitimate software.

Consider launching a training program for employees to learn about basic cybersecurity hygiene and avoid mistakes. Give them the practical skills to apply to their day-to-day work in a delivery format that isn’t too boring or laborious. I recommend using short engaging lessons based on a real-life event.

Practice makes perfect. Regularly remind staff how important it is to follow cybersecurity rules. For example, place posters in the office or hand out take-away cards with simple and practical advice.

Back up your data

Always make backups of essential data to ensure corporate information is safe. If any information is damaged or encrypted, you can always recover it from the backup.

Keep your systems secure

Regularly update IT equipment, software and applications to avoid unpatched vulnerabilities that may allow malware to penetrate the corporate network.

Use a dedicated endpoint security solution equipped with web and application control, anomaly control and exploit prevention components that monitor and block suspicious activity on the corporate network. It should include protection from ransomware, anti-phishing and anti-spam technologies.

Enhance your existing security controls with threat intelligence to keep up-to-date with the new tactics, techniques and tools used by threat actors.

For your security specialists, give them training on incident response, malware analysis and digital forensics to arm them with the knowledge they need to detect, analyze and respond to malware.

Become cyber-immune

And the good news? Corporate users are actually facing fewer threats in 2019 than they did last year. But the variety and severity of these threats is significant. The price of one mistake can be excessive: just one employee’s infected machine could destroy the whole of your organization’s systems.

No one knows when the next threat will appear on the horizon or where it will come from – it’s a case of when, not if. Keep up-to-date with the latest cybersecurity trends and focus on becoming cyber-immune, securing your entire infrastructure (including weak points like links to your suppliers’ systems) so you’re ready and prepared for the next WannaCry.

True Cybersecurity

Attackers don’t stand a chance with Kaspersky’s True Cybersecurity – end-to-end solutions to protect and respond to every kind of enterprise-level cyberattack.

About authors

Alexander Eremin is a malware analyst at Kaspersky. He analyzes malware, supporting Kaspersky Botnet Attack Tracking system, and is a trainer for its educational programs. He enjoys board sports – particularly snowboarding and wakeboarding.