2014 was a year that was marked with numerous changes in the threat landscape. We saw a lot of improvements in existing malware, either with new evasion techniques or versions. We even saw some old techniques and attacks resurface in the landscape.
We are seeing more malware incorporate Tor in their routines as a method of evasion. We have seen ZBOT variants include a Tor component to hide the malware’s communication to its command-and-control (C&C) servers. We have also seen a variant of BIFROSE malware, often used in targeted attacks, include Tor in its communications routine.
In a span of a few months, we witnessed the malware POWELIKS increase its anti-detection techniques. At first, POWELIKS hid its malicious codes in the Windows Registry, making detection and forensics difficult. We later found new variants employ a new autostart mechanism and removes users’ privileges in viewing the registry’s content.
Spam also upped the ante by using snippets of current news articles in the body text of the email. This technique, adding random clips of incidents or news that maybe relevant given the date and time, is used by spammers to avoid email filters.
The Rise of 64-Bit Malware
In 2014, Google made the observation that majority of Windows users are now using 64-bit operating systems. Unfortunately, attackers are also following suit with 64-bit malware.
Notorious banking malware ZeuS/ZBOT was found targeting 64-bit systems. This 64-bit version for ZeuS/ZBOT is a progression for the malware. Upon analysis, we found that this new versions has upgraded its antimalware evasion techniques, including execution prevention of certain analysis tools.
In the 2H 2013 Targeted Attack Trends report, we noted that almost 10% of all malware related to targeted attacks run exclusively on 64-bit platforms. Activity in the threat landscape supports this statistic. We spotted an upgraded 64-bit KIVARS used in targeted attacks. Meanwhile, 64-bit versions of the malware MIRAS was discovered to have been used in data exfiltration stage in a targeted attack. Yet another malware, HAVEX, was also found to have 64-bit versions.
The Continued Reign of Ransomware and Banking Malware
The past year saw the continued rise of ransomware, especially crypto-ransomware. A ransomware variant dubbed as POSHCODER surfaced that leveraged the Windows PowerShell feature for its encryption routines to avoid being detected in the target system and network. Meanwhile, BAT_CRYPTOR.A uses the GNU Privacy Guard application to encrypt files. We also saw numerous crypto-ransomware use the Tor browser as means of paying the ransom.
This doesn’t mean that other types of ransomware have disappeared from the landscape. We came across police ransomware that uses patched malware as its infection vector.
2014 saw banking malware use (and abuse) tools and features in order to steal information. The malware VAWTRAK was found to abuse and manipulate a Windows security feature called Software Restriction Policies. It uses this feature to disable security software that might be running in the infected software, increasing the risk of other malware infection.
We also came across banking malware that uses network sniffing to steal information. This malware, known as EMOTET, can even “sniff” out data sent over secured connections through its capability to hook to specific Network APIs to monitor network traffic. This method is notable as other banking malware often rely on form field insertion or phishing pages to steal information.
Old Threats Made Anew
Macro-based attacks were last popular in the 2000s, reaching peak notoriety with the Melissa virus. But it seems like cybercriminals deemed them again worthy of use. We found banking malware ZEUS and DRIDEX as the final payload of malicious macro-enabled files. Another macro-enabled file was found to lead to backdoor malware NEUREVT.
Another “old” technique—malvertisement—experienced a revival thanks to a new attack platform, YouTube. The malicious campaign used ads in YouTube to redirect users to malicious sites. Users who click the ads wound up with computers infected with malware tied to ransomware attacks.
Improved Mac/iOS Threats
iOS users were not spared this year. In fact, two of the bigger stories in 2014 were the discovery of Wirelurker, an iOS/OS X threat, and Masque Attacks, an iOS threat. Both threats were found to abuse the enterprise provisioning feature offered by Apple.
WireLurker has been found to install fake or malicious apps via USB. Masque Attack, meanwhile, can replace installed apps with malicious versions via the same signing key or bundle ID. The replacement (and malicious) app can then perform routines such as steal sensitive data.
What 2014 has shown is that there is no place for complacency when it comes to security. Threat actors will use any possible trick or technique to get what they want—even if that means upgrading an existing threat or bringing back an old one. “Newer” attacks can come in the form of old techniques, which can be successful especially if victims are not aware of older techniques. 2014 has also shown that no computing platform is safe from threats.
While it is important that users employ some form of security solution, they shouldn’t treat it as their end-all and be-all for security. Best practices such as avoiding clicking unknown links or emails can still a go long way in protecting their computers.
More in-depth information about the malware that dominated the threat landscape in 2014 can be found in our report, TrendLabs 2014 Annual Security Roundup – Magnified Losses Amplified Need for Cyber-attack Preparedness.