The Astaroth Trojan steals credentials and other user data through antivirus software, Avast, and services. It sends scam campaigns with
Do you have valuable data on your network? Noticing odd network behavior? You could be the victim of an APT attack. An advanced persistent threat (APT) is a cyberattack executed
The post What is an advanced persistent threat (APT)? And 5 signs you’ve been hit with one appeared first on The Cyber Security Place.
Researchers have discovered a new Trojan campaign that creates a Linux backdoor. Referred to as SpeakUp, the backdoor malware exploits
In the survival guide for million-dollar cyberattacks that we published in 2017, we warned how dangerous banking Trojans can be, and highlighted them as one of the key trends in financial cybercrime, along with phishing and keyloggers. Banking Trojans steal their victim’s online identity and use this information to trick financial institutions and steal money from their accounts. Generally this is done by installing applications or inserting malicious code into the browsers from which users access their bank accounts.
But over the last few years, it seems that the level of banking Trojan activity has decreased considerably. On the one hand, institutions have reacted to the threat by considerably improving their security and their customers’ authentication factors; one example of this is the implementation of virtual keyboards for user sign-in. This way, it is not possible for a cyberattacker to use a keylogger to steal the details that the user enters with a physical keyboard.
On the other hand, developers have implemented barriers and mechanisms to make injecting code into browsers more complex. For this reason, as we have been pointing out for some time, cyberattackers have been focusing their efforts on other kinds of attacks that are simpler and more profitable, such as ransomware or cryptojacking.
However, in the last few weeks, banking Trojans have started to gain momentum once again, using new, alternative techniques, rather than infiltrating browsers directly. This is the case with BackSwap, a new banking Trojan that has managed to infiltrate several Spanish banks, and which could pose a serious threat to other companies, especially if it comes into contact with employees who work closely with banking institutions. But how does BackSwap work?
BackSwap and its new techniques
BackSwap is an improved and updated variant of the Tinba malware, which was developed in 2015. Tinba was noteworthy for its small size (between 10 and 50 KB) and its capacity to steal the user’s credentials. As ESET researchers discovered, there is one key difference between BackSwap and its predecessor and other banking Trojans that inject malicious code, such as Zbot, Gozi or Dridex. The difference lies in its methodology, which circumvents browsers’ barriers and can be more difficult for less modern cybersecurity solutions to detect. BackSwap uses three new techniques:
- It detects when the user is accessing a banking institution online via a mechanism native to Windows called the “message loop”: BackSwap hooks into the Windows message loop to search for patterns that look like a URL, such as “https” strings and other terms related to the name of a bank.
- Once it detects that the browser is accessing and loading a banking website, BackSwap proceeds to manipulate the loaded content, but does not inject code directly into the browser. Rather, it simulates a user’s keystrokes: it copies its code to the clipboard, then pastes it into the browser’s developer console. All of this is done in a way that is invisible to the user.
How can we prevent it?
As is the case with other banking Trojans such as TrickBot, which we previously analyzed, the main attack vector for BackSwap is email. It is mainly spread via spam containing malicious files, such as attached Word documents that carry the malware. Once the file has been executed, the malware stays on the machine, waiting for the victim to access a banking-related website.
For this reason, the first line of continuous prevention should be employee caution about suspicious emails containing attachments. This is especially true of employees such as CFOs and members of the administration or accounting teams, whose role involves a close working relationship with financial institutions. It is important to remember that the subject line “Invoice” was used in 6 out of the 10 most effective phishing campaigns in 2018.
Likewise, it is a very good idea to have advanced cybersecurity solutions with 360° monitoring, such as Panda Adaptive Defense. On one hand, it performs a complete scan of all emails and attachments in real time as soon as they enter the inbox. On the other hand, it constantly monitors employees’ website use, detecting any suspicious activity in their computers’ browsers. Advanced solutions like Adaptive Defense mean that the negative impact of banking Trojans as complex as BackSwap is reduced to a minimum.
Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.
Our 2019 State of Malware report is here, and it’s a doozy.
In our research, which covers January to November 2018 and compares it against the previous period in 2017, we found that two major malware categories dominated the scene, with cryptominers positively drenching users at the back end of 2017 and into the first half of 2018, and information-stealers in the form of Trojans taking over for the second half of the year.
But that’s not all we discovered.
The 2019 State of Malware report follows the top 10 global threats for consumers and businesses, as well as top threats by region and by corporate industry verticals. In addition, we followed noteworthy distribution techniques for the year, as well as popular scams. Some of our findings include:
- In 2018, we saw a shift in ransomware attack techniques from malvertising and exploits that deliver ransomware as a payload to targeted, manual attacks. The shotgun approach was replaced with brute force, as witnessed in the most successful SamSam campaigns of the year.
- Malware authors pivoted in the second half of 2018 to target organizations over consumers, recognizing that the bigger payoff was in making victims out of businesses instead of individuals. Overall business detections of malware rose significantly over the last year—79 percent to be exact—primarily due to the increase in backdoors, miners, spyware, and information stealers.
- The fallout from the ShadowBrokers’ leak of NSA exploits in 2017 continued, as cybercriminals used the SMB vulnerabilities EternalBlue and EternalRomance to spread dangerous and sophisticated Trojans, such as Emotet and TrickBot. In fact, information stealers were the top consumer and business threat in 2018, as well as the top regional threat for North America, Latin America, and Europe, the Middle East, and Africa (EMEA).
Finally, our Labs team stared into its crystal ball and predicted top trends for 2019. Of particular note are the following:
- Attacks designed to avoid detection, like soundloggers, will slip into the wild.
- Artificial intelligence will be used in the creation of malicious executables.
- Movements such as Bring Your Own Security (BYOS) to work will grow as trust declines.
- IoT botnets will come to a device near you.
To learn more about top threats and trends in 2018 and our predictions for 2019, download our report from the link below.
The post 2019 State of Malware report: Trojans and cryptominers dominate threat landscape appeared first on Malwarebytes Labs.
The hackers installed mining software developed by Dalian Yuping Network Technology Company (大连昇平网络科技有限) that was designed to steal three types of coins: DigiByte (DGB, currently valued at US$0.03 each), Siacoin (SC, currently valued at $0.01 each) and Decred (DCR, currently valued at $59.59 each).