Banking malware grows 50% while cryptominers decline – Check Point
Check Point has released its Cyber Attack Trends: 2019 Mid-Year Report, revealing that no environment is immune to cyber-attacks.
Threat actors continue to develop new toolsets and techniques, targeting corporate assets stored on cloud infrastructure, individuals' mobile devices, trusted third-party supplier applications and even popular email platforms:
- Mobile banking: With a 50% increase in attacks compared to 2018, banking malware has evolved to become a very common mobile threat. Today, banking malware is capable of stealing payment data, credentials and funds from victims' bank accounts, and new versions of these malware are ready for massive distribution by anyone that's willing to pay.
- Software supply chain attacks: Threat actors are extending their attack vectors to focus on the supply chain. In software supply chain attacks the threat actor typically installs malicious code into legitimate software, by modifying one of the building blocks the software relies on.
- Email: Email scammers have started to employ various evasion techniques designed to bypass security solutions and Anti-Spam filters such as encoded emails, images of the message embedded in the email body, as well as complex underlying code which mixes plain text letters with HTML characters. Additional methods allowing scammers to remain under the radar of Anti-Spam filters and reaching targets' inbox include social engineering techniques and personalised email content.
- Cloud: The growing popularity of public cloud environments has led to an increase in cyber-attacks targeting enormous resources and sensitive data residing within these platforms. The lack of security practices such as misconfiguration and poor management of the cloud resources, remains the most prominent threat to the cloud ecosystem in 2019, subjecting cloud assets to a wide array of attacks.
"Be it cloud, mobile or email, no environment is immune to cyber-attacks. In addition, threats such as targeted ransomware attacks, DNS attacks and crytominers continue to be relevant in 2019, and security experts need to stay attuned to the latest threats and attack methods to provide their organisations with the best level of protection," says Check Point threat intelligence and research products director Maya Horowitz.
Top Botnet Malware During H1 2019
- Emotet (29%) – Emotet is an advanced, self-propagating and modular Trojan. Emotet once used to be employed as a banking Trojan, and recently is used as a distributor for other malware or malicious campaigns. It uses multiple methods for propagation and evasion techniques to avoid detection. In addition, it can also be spread through phishing spam emails containing malicious attachments or links.
- Dorkbot (18%) – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks.
- Trickbot (11%) – Trickbot is a Dyre variant that emerged in October 2016. Since its first appearance, it has been targeting banks mostly in Australia and the UK, and lately it has started appearing also in India, Singapore and Malaysia.
Top Cryptominers During H1 2019
- Coinhive (23%) – A cryptominer designed to perform online mining of the Monero cryptocurrency without the user's approval when a user visits a web page. Coinhive only emerged in September 2017 but has hit 12% of organisations worldwide.
- Cryptoloot (22%) – A JavaScript Cryptominer, designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user's approval.
- XMRig (20%) – XMRig is open source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in the wild on May 2017.
Top Mobile Malware During H1 2019
- Triada (30%) – A Modular Backdoor for Android which grants superuser privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in users' browsers.
- Lotoor (11%) – Lotoor is a hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
- Hidad (7%) – Android malware which repackages legitimate apps and then releases them to a third-party store. It is able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
Top Banking Malware During H1 2019
- Ramnit (28%) – A banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
- Trickbot (21%) - Trickbot is a Dyre variant that emerged in October 2016. Since its first appearance, it has been targeting banks mostly in Australia and the UK, and lately it has started appearing also in India, Singapore and Malaysia.
- Ursnif (10%) – Ursnif is Trojan that targets the Windows platform. It is usually spread through exploit kits - Angler and Rig, each at its time. It has the capability to steal information related to Verifone Point-of-Sale (POS) payment software. It contacts a remote server to upload collected information and receive instructions. It also downloads and executes files on infected systems.
These findings are based on data drawn from Check Point's ThreatCloud intelligence between January and June 2019, highlighting the key tactics cyber-criminals are using to attack businesses.