Cybersecurity threatscape: Q2 2022

admin by admin
Dec 22, 2022
in ICS-SCADA

In Q2, we noted a rise in the number of malware attacks: the share of such attacks on organizations was 57%, and on individuals 59%, which represents an increase of 12 and 13 percentage points, respectively, against the previous quarter. Ransomware became more active: the share of ransomware attacks on organizations increased quarter-on-quarter by 18 percentage points, amounting to 62%. As in the previous quarter, cybercriminals continued to use data wipers in attacks on institutions. In attacks on individuals, we note the prevalence of spyware and banking trojans (41% and 21% of malware attacks, respectively).

Figure 9. Types of malware (share of malware attacks)

Malware type            Organizations   Individuals
Ransomware                    62%            6%
RATs                          24%           27%
Loaders                       15%           20%
Spyware                        6%           41%
Miners                         4%            3%
Data-wiping malware            3%            –
Banking trojans                2%           21%
Other                          1%            4%

New arrival

Researchers at ThreatFabric discovered the new Octo banking trojan, targeting users of Android online banking apps. The new trojan allows attackers to gain remote access to the device screen in streaming mode and execute commands through an overlay on top of the screen. Revive, a piece of spyware adapted as a banking trojan, had similar functionality, as explained by Cleafy researchers in their report. Both trojans have full control over the device and can intercept two-factor authentication codes, which enables on-device fraud, the stealthiest and most dangerous kind of subterfuge, whereby the attacker makes transactions from the same device that the victim uses on a regular basis. This complicates the task of anti-fraud solutions, as there are far fewer suspicious signs.

Due to advancements in user protection and attack detection tools, cybercriminals are having to create and deploy more sophisticated malware and persistence techniques.

Admired by infosec professionals and cybercriminals alike, the post-exploitation tool Cobalt Strike may eventually be replaced by a more recent alternative called Brute Ratel. Researchers at Unit42 reported its use in APT29 attacks, adding that many security tools did not flag it as a threat when it was first encountered.

Malware persistence is becoming harder as OS security improves. However, there are ways to remain undetected in the target system, one of which is through bootkits (a bootkit is malicious code that runs before the OS boots; its main goal is to gain a foothold in the system and shield other malware from detection by security tools). Because bootkits run before the OS boots, they allow malware to bypass defenses. In Q2, Lenovo devices found themselves at risk of bootkit attacks. The manufacturer installed insecure firmware versions containing vulnerabilities that could be used to disable secure boot and protection features, and execute arbitrary code. Access to BIOS and UEFI was also of interest to the Conti group (now discontinued; see the «Ransomware: new approaches and a fresh angle» section below), as revealed by Eclypsium. Conti’s activity in H1 2022 was aimed at identifying vulnerabilities in the Intel Management Engine microcontroller, which has privileges over the OS and can be used to modify the BIOS (UEFI) flash memory, execute arbitrary code, and even modify the OS kernel in system management mode (SMM). These actions provided near-unlimited opportunities to carry out attacks and achieve persistence in the system.

To learn more about bootkits and ways to detect them, see our report.
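The Lenovo and Conti items above both come down to whether Secure Boot is actually enforcing on a UEFI host, which is the first thing a defender verifies when bootkit activity is suspected. The script below is an added example written for this page, not code from the report or from Positive Technologies. It assumes a Linux host exposing efivarfs at /sys/firmware/efi/efivars, where each variable file is a 4-byte little-endian attribute word followed by the variable data, and reads the SecureBoot and SetupMode variables under the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c (a real GUID). The function names are hypothetical, and the sample blobs are constructed so the logic runs offline.

```python
"""Secure Boot state check for a Linux UEFI host (added example, not from the report).

efivarfs layout per variable file: 4 bytes of attributes (little-endian uint32)
followed by the raw variable data. The two boolean variables used here:
  SecureBoot - 1 byte, 1 = firmware is enforcing signature checks
  SetupMode  - 1 byte, 1 = no platform owner key enrolled; SecureBoot cannot be
               trusted in this state even if it reads 1
"""
from __future__ import annotations

import struct
from pathlib import Path
from typing import Optional

# Real EFI global variable GUID; path assumed for a standard Linux efivarfs mount.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data); reject truncated input."""
    if len(raw) < 4:
        raise ValueError(f"efivar blob too short: {len(raw)} bytes")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def byte_flag(raw: Optional[bytes]) -> Optional[int]:
    """Return the single data byte of a boolean efivar, or None if absent/empty."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    return data[0] if data else None


def assess(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify the boot environment from the two raw variable blobs.

    Returns 'unsupported' (no SecureBoot variable: legacy BIOS or firmware that
    does not expose it), 'setup-mode', 'enabled', 'disabled' or 'unknown'.
    """
    if secure_boot is None:
        return "unsupported"
    sb = byte_flag(secure_boot)
    sm = byte_flag(setup_mode)
    if sb is None:
        return "unknown"
    if sm == 1:
        return "setup-mode"  # keys not enrolled: treat as not protected
    return "enabled" if sb == 1 else "disabled"


def read_var(name: str) -> Optional[bytes]:
    """Read one EFI global variable from efivarfs, None if it is not available."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        return path.read_bytes()
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return None


def check_host() -> str:
    """Assess the machine this script runs on."""
    return assess(read_var("SecureBoot"), read_var("SetupMode"))


# Constructed sample blobs: attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
ATTRS = bytes.fromhex("06000000")
SAMPLE_ENFORCING = (ATTRS + b"\x01", ATTRS + b"\x00")  # SecureBoot=1, SetupMode=0
SAMPLE_DISABLED = (ATTRS + b"\x00", ATTRS + b"\x00")   # SecureBoot=0
SAMPLE_SETUP_MODE = (ATTRS + b"\x01", ATTRS + b"\x01")  # SecureBoot=1 but SetupMode=1

if __name__ == "__main__":
    for label, blobs in (("enforcing", SAMPLE_ENFORCING),
                         ("disabled", SAMPLE_DISABLED),
                         ("setup-mode", SAMPLE_SETUP_MODE)):
        print(f"sample {label:10s} -> {assess(*blobs)}")
    print(f"this host           -> {check_host()}")
```

Anything other than "enabled" on a fleet that is supposed to enforce Secure Boot is worth a ticket, and the SetupMode branch matters because a firmware left in setup mode reports SecureBoot=1 while enforcing nothing. On Windows the equivalent one-liner is the built-in PowerShell cmdlet Confirm-SecureBootUEFI, which returns True or False or throws on legacy BIOS.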

Dedicated to pirated software lovers

Figure 10. Malware distribution methods in attacks on organizations

Distribution method                                         Share
Email                                                         45%
Compromise of computers, servers, and network equipment       42%
Websites                                                       5%
Social networks                                                3%
Other                                                          5%

As in the previous quarter, malware distributed via email had a dominant share. Security researchers discovered a massive campaign to spread the new META malware, an enhanced version of the popular RedLine infostealer. Users received an email with a bait document and text prompting them to open it and run the macro. When macros were enabled in the malicious document, the malware loaded itself into the system and stole credentials stored in the browser.

Figure 11. Malware distribution methods in attacks on individuals

Distribution method                                         Share
Websites                                                      45%
Email                                                         23%
Official app stores                                           10%
Compromise of computers, servers, and network equipment        8%
Social networks                                                7%
Messengers and SMS messages                                    6%
Other                                                          1%

In attacks on individuals, we noticed an increase in the proportion of malware delivered through websites, including torrents: this method had a 45% share, which is 9 percentage points above the 2021 average.

Figure 12. Malware distribution through websites (share of malware attacks on individuals)

Quarter    Share
Q1 2021     36%
Q2 2021     31%
Q3 2021     34%
Q4 2021     43%
Q1 2022     34%
Q2 2022     45%

FFDroider malware was detected on various sites, distributed under the guise of programs for accessing licensed versions of software without purchasing a subscription, as well as freeware. When installed, FFDroider disguised itself as a desktop version of Telegram and accessed browsers, retrieving cookies and hash sums of passwords for Twitter, Facebook, and Instagram. Using the Windows CryptoAPI service, the stealer decrypted the passwords and sent them, together with the cookies, to the attackers’ C2 server.

Researchers at Zscaler uncovered several domains mimicking the official Microsoft Windows download page and distributing an ISO image of the operating system with a backdoor; in several cases, the cybercriminals distributed backdoored versions of Adobe Photoshop via GitHub repositories. The images were more than 300 MB in size, which allowed the attackers to bypass some antivirus products; after the image was run, the Vidar infostealer was installed in the system, communicating with C2 through Telegram.

Cross-platforming: the be-all and end-all

In our analytical reports ([1], [2], [3]), we noted the prevalence of Unix systems and their appeal to cybercriminals looking to create (and adapt) their own malicious programs for them.

Corporate virtualization servers make especially attractive targets for cybercriminals. They can run multiple virtual machines, all of which get encrypted during an attack, while the server’s computing resources only accelerate the encryption process. Having been ported to Linux in Q2, Black Basta, a strong new ransomware player, has already been used in attacks against VMware ESXi servers. Analysis of the ported version found that it targets the folder containing all virtual machines on the server, and deploys multithreading to hide its tracks and speed up encryption, as well as a utility to gain full access rights to target files.

At the start of Q3 2021, we reported the first recorded use of Windows Subsystem for Linux (WSL) to deliver malware; as of Q2 2022, Black Lotus researchers had detected more than 100 malware variants targeting WSL, which shows an impressive rate of development for a relatively new attack vector. Also discovered was a RAT sample that used Telegram to communicate with C2 and boasted a wide range of features: stealing browser cookies, downloading files, and remotely executing commands. Attackers can use WSL to target both Linux and Windows. Add in the low antivirus detection rates, and this vector looks very promising for them.

Figure 13. Target OS in malware attacks (share of attacks)

Target OS   Share
Windows      87%
Linux        12%
Android       9%
iOS           1%
Other         6%

Read the full article here

Copyright © 2022 Cyber Affairs. All rights reserved.