by Erika Mendoza, Anjali Patil, Jay Yaneza, and Jessie Prevost
Smart Protection Network (SPN) data and observations from Managed Detection and Response (MDR) for the North American region show the persistence of older threats and tactics: delivery methods such as spam emails are still going strong, while ransomware attacks have seen a renewed vigor alongside newer threats such as cryptocurrency mining malware in the third quarter of 2018.
However, the prevalence of these older threats should not be misconstrued as a sign that threat actors are resting on their laurels. In fact, it should be taken as proof that they are constantly improving proven tools and techniques to get ahead in the never-ending cat-and-mouse game between cybercriminals and security providers.
Spam emails are the preferred method for delivering malware
Figure 1. The top 15 malware detections in North America for the third quarter of 2018
Based on our Smart Protection Network (SPN) data, the top 15 malware in North America for the quarter is a diverse list: EMOTET emerged as the malware with the highest number of detections, followed by the cryptocurrency mining malware COINHIVE. The trojan POWLOAD and the potentially unwanted application (PUA) known as AMCleaner were in third and fourth place, respectively.
What ties the top threats together is that most were delivered via the most effective form of social engineering: fraudulent spam email. These emails are prevalent because they rarely require sophisticated tools to be successful, and they’re effective because an attacker only needs to understand human behavior and tendencies to trick unsuspecting users into clicking links or downloading malicious attachments.
The more notable spam campaigns we found in the third quarter demonstrate how threat actors are refining this malware delivery method. The three examples below show how a single attack vector can be used in different ways. One is a classic phishing attempt with all the elements typically found in these types of attacks, while another used old malware that still proved to be effective. The last example involves a new, ingenious technique that takes advantage of email hijacking and existing conversations to attack users.
Phishing campaign in Canada uses tax-related PDF files as lure
As is typical of most phishing attacks, email is the primary entry vector used in this attack scenario. The email comes from what seems to be a legitimate government agency, the “Canadian Revenue Agency” (CRA), and even has a PDF document attachment with the filename CRA-ACCESS-INFO.pdf. This email contains a fake message informing the recipient that the CRA has sent them an INTERAC e-Transfer, which they can use to deposit funds either by following the instructions or by clicking the link embedded in the PDF.
Figure 2. Phishing attack disguised as an email from the CRA
As seen in the image above, the PDF message body includes a “Deposit Your Money” tab that links to a malicious URL that redirects the victim to a phishing page. The phishing page then checks the victim’s Geo-IP location. If the Geo-IP matches the targeted region (North America in this case), it redirects to a page where the user is asked to enter personal details and financial credentials; otherwise, it redirects them to YouTube. We see a very consistent pattern in the North American region, with the same email and PDF attachment in all cases.
The Interac Corporation named in the email is a legitimate Canadian interbank network that links financial institutions and other enterprises for the purpose of exchanging electronic financial transactions. Interac serves as the Canadian debit card system, with broad-based acceptance, reliability, security and efficiency. The organization is one of Canada’s leading payment brands and is used an average of 16 million times daily to pay and exchange money. The use of such a major financial institution adds to the seeming “legitimacy” of the phishing email.
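As an added example (not part of the original report and not Trend Micro tooling), the following triage helper pulls link targets out of a PDF attachment like the lure described above and flags any that point outside the hosts expected for the claimed sender. The allowlist, the function names and the sample PDF bytes are assumptions constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlparse

# Expected hosts for mail claiming to be CRA/Interac (assumption; set locally).
EXPECTED_HOSTS = {"canada.ca", "interac.ca"}

# Literal-string URI actions only; hex-string URIs (<...>) are not handled.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def pdf_link_targets(data: bytes) -> list:
    """Collect URI targets from raw objects and Flate-compressed streams."""
    chunks = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing EOL before 'endstream'
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # image, font, or a filter other than FlateDecode
    found = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            uri = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            text = uri.decode("latin-1")
            if text not in found:
                found.append(text)
    return found

def unexpected_links(data: bytes, expected=EXPECTED_HOSTS) -> list:
    """Return link targets whose host is not an expected host or subdomain."""
    flagged = []
    for uri in pdf_link_targets(data):
        host = (urlparse(uri).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in expected):
            flagged.append(uri)
    return flagged

def sample_pdf() -> bytes:
    """Constructed test input: one plain link object, one compressed."""
    lure = b"<< /Subtype /Link /A << /S /URI /URI (http://deposit.example.invalid/etransfer) >> >>"
    packed = zlib.compress(b"<< /A << /S /URI /URI (https://www.canada.ca/) >> >>")
    return (b"%PDF-1.5\n1 0 obj\n" + lure + b"\nendobj\n2 0 obj\n"
            b"<< /Filter /FlateDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(unexpected_links(sample_pdf()))
```

Because the phishing page described above serves different content depending on Geo-IP, the flagged link itself is a more stable triage signal than whatever the landing page returns to a scanner.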
Spam emails with EMOTET payloads
EMOTET is a perfect example of a malware that has evolved over time, not only in terms of features, but also in the way it is used. First discovered in 2014, EMOTET started out as a banking trojan, but it has since been repurposed as a threat distributor for other malware such as DRIDEX. Recently, we found a large number of EMOTET spam campaigns, using various social engineering methods to lure users into downloading and launching its malicious payload, usually in the form of a malicious MS Word or PDF document.
The combination of polymorphism and worm-like capabilities allows it to quickly spread across the network without any other user interaction. The malware’s tenacious behavior renders it difficult for all but the most secure organizations to deal with, especially when considering the impact it can have on an organization. Beyond information theft, EMOTET can also wreak havoc on network infrastructure and trigger account lockouts, leaving companies to endure both monetary and reputation loss.
Hijacked emails used to deliver URSNIF
URSNIF is a banking trojan that steals sensitive material and collects data on the affected host, including email credentials, certificates, browser cookies and financial information from webinjects. We recently detected a new campaign that makes use of hijacked legitimate emails to deliver URSNIF (discussed in depth in this blog entry). A notable aspect of this new series of attacks is that the malicious spam email is sent as part of an ongoing conversation, making it more difficult for the targeted user to detect. This campaign shares some similarities with Business Email Compromise (BEC), but without the wire transfer fraud.
Figure 3. North American ransomware trends for the third quarter of 2018
GANDCRAB, which emerged as the highest detected ransomware for the third quarter of 2018, has seen a refinement in its encryption and decryption routines, as well as its persistence in the system. The updates and improvements to the ransomware’s code have made it difficult to detect. Contributing to GANDCRAB’s effectiveness is its wide variety of entry vectors, which include EMOTET phishing emails, exploit kits, fake applications and remote access tools.
Aside from GANDCRAB, we also found other familiar names in the top five, including BLOCKER, NEMUCOD, LOCKY and WCRY. The overall numbers for ransomware in North America are up compared to the second quarter of 2018.
Cryptocurrency Mining Malware is staying strong
Figure 4. The top cryptocurrency-mining malware for the third quarter of 2018, which is dominated by COINHIVE
Cryptocurrency mining malware, colloquially known as cryptominers, has emerged as a top threat in 2018, as seen in its prominence in the first and second quarters of the year. The third quarter sees this trend continue, as ease of use and increased value of cryptocurrencies make it attractive for threat actors.
Cryptominers load crypto mining code onto a victim’s computer, usually through legitimate-looking phishing emails or by injecting the malicious code into websites and browsers. Once infected, the computer drastically slows down and exhibits performance issues, resulting in decreased productivity and hardware reliability.
Comparing ransomware to cryptocurrency mining malware
Figure 5. 2018 monthly comparison between ransomware and cryptocurrency-mining malware. Note the resurgence of ransomware in August 2018
In our last entry, we discussed how ransomware was declining in comparison to other threats, particularly cryptocurrency mining malware and information stealers. We observed a slight but steady decline in cryptocurrency mining malware in the third quarter of 2018, while ransomware saw a resurgence, particularly in August, where it had higher detections than cryptominers.
The evolution of certain ransomware, particularly GANDCRAB, could explain the uptick of ransomware over the period. One example is the use of the Fallout exploit kit, which provides additional distribution methods and an expanded reach for the ransomware.
File vulnerabilities: EternalBlue and MS Office exploits on top
Serious vulnerabilities present significant problems for organizations: not only do they leave machines open to covert attacks, but the work of detecting them and updating machines often splits limited security resources and divides the focus of IT administrators.
Based on our data, the top 10 file vulnerabilities for 2018 are the following:
Figure 6. The top detected vulnerabilities for 2018
The majority of the vulnerabilities, comprising more than half of those observed in 2018, involve CVE-2017-0147, the vulnerability related to the EternalBlue exploit that came to the forefront during the emergence of WannaCry ransomware. Two other relatively new exploits, the 17-year-old memory corruption flaw CVE-2017-11882 and a previous zero-day, CVE-2017-0199, were also among the top detected vulnerabilities. Both of these vulnerabilities are used to exploit MS Office products, and typically involve spam emails.
Unsurprisingly, Microsoft Windows is the most targeted application due to CVE-2017-0147, which abuses SMB vulnerabilities in various Windows versions. Microsoft Office is second, which matches the second and third most prevalent vulnerabilities.
Figure 7. The industries most affected by vulnerabilities. Aside from the top six, other industries include materials, F&B, telecommunications, and real estate, among others
Based on our data, the most affected industries in the first three quarters of 2018 are Healthcare, Manufacturing and Technology. The numbers were especially high during the first quarter, but dropped from the second quarter onwards. While healthcare was on top of the list during the initial months in terms of vulnerability detections, it dropped significantly during the second quarter, and picked up again slightly during the third.
Although most of the vulnerabilities were from the past four years, we can also observe older vulnerabilities dating back to 2003. This highlights the need to look beyond recent vulnerabilities and consider patching even older exploits.
How Managed Detection and Response can help combat both old and new threats
To achieve the highest level of protection, organizations and their security teams must always proactively secure their network and endpoints, not only from new threats, but also from improved older threats that use innovative distribution methods.
This can prove problematic for enterprises with smaller security teams that might not have the knowledge to handle more advanced threats. Often, the in-house IT department also serves as the organization’s de facto security team, which means additional work on top of their daily tasks. This can prove to be overwhelming, especially when considering the number of alerts that toe the line between being legitimate and malicious in nature.
One option for organizations to consider is the use of an outsourced security service such as MDR. Comprised of security professionals with years of experience under their belts, MDR can provide the specialized skills needed to stay on top of old and new threats, as well as the expertise needed to operate the most advanced Endpoint Detection and Response (EDR) tools. MDR allows organizations to detect threats before they can affect an organization, preventing potential losses and reputation damage.
Trend Micro Solutions
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs. The Trend Micro™ Deep Discovery™ solution has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Backed by 30 years of experience in threat research, Trend Micro’s managed detection and response service provides access to experts who are proficient with live response and are familiar with products that can provide meaning to security incidents that happen to organizations and their industries. Our experts have the necessary tools and technologies to analyze threats and assist organizations in maintaining a good security posture.