by Jennifer Hernandez, Anjali Patil, and Jay Yaneza
Current data on the threat landscape of North America shows the need for a comprehensive and proactive approach to security. A traditional approach would be to build a threat response team. However, to be effective against current threats, a threat response team needs to have a considerable amount of skills, time, and resources, which may not be feasible for some organizations. This is only exacerbated by the daily tasks associated with keeping the business up and running. If treated as just a part of the broader job of regular IT staff, threat management can prove overwhelming, as it includes vulnerability assessment, patching, firmware upgrades, vendor management, intrusion detection and prevention systems (IDS/IPS) and firewall monitoring, and other specialized focus areas. And even if enterprises were willing to allot people to react to security incidents, the sheer volume of events and the time-consuming tasks of prioritizing and analyzing them often prove too much to handle.
These could be handled better by security professionals especially focused on threats — an advantage that managed detection and response (MDR) can bring to organizations. MDR provides advanced threat hunting services, faster alert prioritization, root cause analysis, detailed research, and a remediation plan that empowers organizations with better ability to respond to sophisticated attacks, examples of which were found in North America in the second quarter of 2018.
Compared to the first quarter, where the prevalence of threats was the most pronounced trend, the second quarter in North America’s security landscape this year showed notable techniques that we foresee will be further honed. These include: combining the capabilities of cryptocurrency-mining or information theft malware and ransomware; hiding in the system until the payload is triggered; and embedding more functionalities in malware tools to steal more data.
Indeed, the persistent as well as prevalent threats in North America — information stealers, cryptocurrency-mining malware, and ransomware — highlight the need for equipping organizations with actionable insights and contexts needed to prepare and defend themselves against tenacious and evolving threats.
Of note was the prevalence of the Powload downloader trojan, which abuses PowerShell to deliver various payloads. When used by threat actors, system administration tools like PowerShell can let attacks, for instance, hide behind normal network traffic. Applying the principle of least privilege and proactively monitoring systems and networks for anomalous activities can help mitigate threats that abuse these tools.
We also detected AMCleaner and Genieo, malicious tools that affect the Mac platform. This underscores the significance of applying the same high level of security to systems running on other platforms.
Information stealers continued to rise
While the increase of information stealers during the first quarter was uneven, a steady monthly increase of the same was observed in the second quarter. These threats can pose broad-based risks, as they can indiscriminately target systems in enterprises and industries across North America — from regular PCs used to pay bills online and update social media accounts to devices managed in the workplace.
Emotet, which made up the bulk of our detections, is notable in its propagation in that it can zombify systems to become part of a botnet to launch more attacks and further spread itself (via spam email). Fareit evades detection by abusing PowerShell.
Loki and Ursnif evolved. Loki can now use the contact list of compromised email accounts to spread itself. Additional functionalities can be also added, such as stealing cryptocurrency wallets or altering the system’s IP and domain configurations. Ursnif now evades detection by using the original names of normal system files and processes for the files it drops in the system.
ZBOT, Dridex, Banker, and Ramnit, which focus on stealing online banking-related information, are still prevalent despite being old. Trickbot was almost inactive during the first quarter but gained traction during the second quarter.
These threats highlight the significance of actively keeping an eye on activities in an organization’s online premises — from systems and networks to servers — even if they seem innocuous. Correlating these activities, along with having context on the threats involved, equips organizations with foresight on how to thwart them.
For instance, we saw a variant of Trickbot that attempts to hide in the system for a long period. Upon successfully infecting the system, it checks the network it is connected to if it is unpatched, and sends that information to the command-and-control (C&C) server. Its second phase of attack entails locking computer screens and infecting numerous devices on the network. It’s indeed unusual for an information stealer to also take the infected system hostage, but this could also be a novelty for cybercriminals as they try to further monetize their malware.
Cryptocurrency-mining malware burgeoned
Our detections for malicious cryptocurrency miners outstripped ransomware in the second quarter (as can be seen in Figure 1). Compared to the loss of availability and confidentiality that ransomware or banking trojans can cause, unauthorized cryptocurrency mining on a host is often more bothersome. The impact to an enterprise setting can be significant as it consumes computational resources and slows down business-critical assets, or worse, stops affected systems from functioning effectively. Cryptocurrency-mining malware can also result in financial losses, from electricity costs to downtime in operations, if these malicious miners are left unnoticed, let alone unimpeded.
A tactic we’ve observed recently points to the careful management by threat actors of the impact of cryptocurrency-mining malware on an infected host to evade detection and remediation. Organizations may not actively detect and respond to cryptocurrency-mining malware as it can be underestimated as a less harmful and disruptive threat than ransomware. As such, it’s likely to extend its unwelcome stay, thereby providing the malware operators more time to generate revenue.
Among malicious cryptocurrency miners in the second quarter, malicious versions of Coinhive were the most pervasive despite emerging less than a year ago.
Another notable trend we’re seeing is how ransomware and cryptocurrency-mining malware are intersecting. This highlights defense in depth: arraying multilayered security mechanisms that can proactively detect and thwart threats that combine multifaceted routines. For example, we saw how a malicious cryptocurrency miner would lie dormant in an affected computer for months until the ransomware it was bundled with went into action. We also found indicators of attack showing that the victim’s servers were used for cryptocurrency mining prior to manual infection and ransom demand, and vice versa.
The most common malicious miners we saw that used this mining-ransomware combo were COINMINER_MALXMR and COINMINER_COINHIVE.SM1-JS. While Crysis (RANSOM_CRYSIS) was the ransomware family most commonly paired with malicious cryptocurrency miners in the beginning of the year, it was WCry aka WannaCry during the second quarter.
Ransomware remained a cybercriminal mainstay
Our detections for ransomware in the second quarter paled in comparison to those for information theft and cryptocurrency-mining malware. However, our data showed that it was still a relevant threat, and in certain cases, was reworked to serve its operator’s purpose.
Our detections for Gandcrab, which is distributed mostly via Rig and GrandSoft exploit kits, increased in the second quarter on the back of several large-scale spam campaigns. Other notable ransomware families in the second quarter were Nemucod (which can also serve as a backdoor), Locky, and WCry aka WannaCry (which was the top ransomware detection).
Their prevalence reflects the perennial challenge of patching, as fixes for the vulnerabilities they exploit had already been released. And given the disruptive and destructive impact of ransomware, especially to enterprises, defensive measures should be complemented with a strategy that proactively hunts for these threats or similar indicators of attacks to better thwart them and, in the event of compromise or infection, remediate them.
How managed detection and response (MDR) helps
While many organizations have the technologies that can provide threat research and analysis, such as endpoint detection response (EDR) tools, it takes significant time and specialized skills to effectively use them. MDR enables organizations to draw on the exhaustive knowledge of professionals with years of experience as well as on powerful technologies that can help further secure both endpoints and the network. This is especially useful for organizations without their own security operations centers (SOCs).
Trend Micro solutions
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs. The Trend Micro™ Deep Discovery™ solution has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Backed by 30 years of experience in threat research, Trend Micro’s managed detection and response service provides access to experts who are proficient with live response and are familiar with products that can provide meaning to security incidents that happen to organizations and their industries. Our experts have the necessary tools and technologies to analyze threats and assist organizations in maintaining a good security posture.
Updated as of July 31, 2018, 9:48 PM PDT to reflect changes in the introduction highlighting other approaches for organizations to manage threats.