It's been a summer of ransomware hold-ups, supply chain attacks and fileless attacks flying under the radar of old-school security. With malware running amok while we were lying on the beach, here's a recap of the most burning strains and trends seen in the wild during the months of July and August 2019.
The heat must have had an effect as this summer saw malware continuing to evolve, particularly around three core trends:
Malware has been increasingly designed to bypass security controls leveraging a host of tactics, most notably by:
Taking evasion techniques one step further, an increasing number of strains are leveraging PowerShell commands and masquerading as legitimate system tools, all while running completely from memory (RAM) to fly under the radar of traditional IoC-based solutions and requiring behavior-based analysis to detect.
No thanks to underground botnet-as-a-service businesses, whole botnets of compromised systems are rented out to hackers, through which they can leverage ready-made access to live and well systems to simultaneously unleash multiple malware strains at their disposal. For example, Emotet serving IcedID (Bokbot) followed by Trickbot or the Ryuk ransomware.
What were this summer's most exotic and lethal malware strains? Here's a roundup.
Targeting European and Brazilian organizations, and posing an immediate threat to 76% of organizations who tested their resilience to it, according to the Cymulate Research Lab, the fileless Astaroth malware evades traditional IoC-based security controls, stealing user credentials, including PII, system and financial data.
At no point during the entire attack kill chain does Astaroth drop any executable files on disk, or use any file that is not a system tool, running its payload completely in memory (RAM).
The Sodinokibi ("Sodi") ransomware is rare in its usage of a Windows vulnerability, namely CVE-2018-8453 patched by Microsoft last year, which enables gaining admin-level access. Suspected to be the successor of the GandCrab ransomware-as-a-service, Sodinokibi is disseminated through managed service providers' (MSP) websites, a form of supply chain attacks, where download links are replaced with the ransomware executable. Initially suspected as being offered as a service in the underground because of its 'master encryption key' approach, it has been confirmed that this is, in fact, the case.
The good news is that none of the organizations simulating this specific variant were found to be vulnerable; however, the exposure rate for other Sodi variants during this summer ranged between 60% and 77%, depending on the strain tested.
Targeting German-speaking countries, GermanWiper does not really encrypt files. Rather, it overwrites all the victim's content with zeroes, irreversibly destroying their data. The ransom note is therefore bogus, rendering any payments made useless, and making offline backups crucial for recovery.
Posing as a job application with a CV attachment, the malware is spread via email spam campaigns. 64% of organizations simulating GermanWiper appeared to be vulnerable when testing controls against it.
Posing a threat to 70% of organizations, based on attack simulations performed, MegaCortex deliberately targets larger firms in a bid to extort larger sums of cash, ranging from $2M-$6M in bitcoin. The MegaCortex operators compromise servers critical to businesses and encrypt them and any other systems connected to the host.
This ransomware was originally executed using a payload encrypted with a password that was manually entered during a live infection. In its newer strain, this password is hardcoded along with other features that have been automated, such as security evasion techniques. The malware has also evolved to decrypt and run its payload from memory.
The Russian-speaking advanced persistent threat (APT) group is one of the most sophisticated in the world and has recently updated its TTPs to encrypt critical strings, including commands issued to bots in order to evade detection. Initially sending recon emails to potential victims to identify the easy-clickers, after initial infection, the hackers now spread additional malware to victims either through their rewritten TrueBot loader or through a fileless loader called Ivoke, hiding C2 communications through DNS tunneling. Over the past year, the group has amassed an estimated $4 million.
84% of organizations are vulnerable to the strain released this summer, according to Cymulate data.
Specifically targeting governments and international bodies, Turla was seen to hijack infrastructure belonging to the Iranian-linked Oilrig APT group. Using a combination of custom malware, modified versions of publicly-available hacking tools and legitimate admin software, the group has been moving towards LOTL techniques, and its victims include ministries, governments, and communications technology organizations in ten different countries.
70% of organizations were found vulnerable to this threat at the time of security testing.
Looking to assess your organization's security posture now that the summer is over? Explore how breach and attack simulation can provide you with the immediate, actionable insights you need.
Malware Evolution Trends
The heat must have had an effect as this summer saw malware continuing to evolve, particularly around three core trends:
Evasion-by-design
Malware has been increasingly designed to bypass security controls leveraging a host of tactics, most notably by:
- Changing hashes via file obfuscation to evade AVs.
- Using encrypted communication with C2 servers to foil EDRs.
- Using feature manipulation and tampering to trick AI, machine-learning engines, and sandboxes through the detection of such environments and the deliberate delay in execution.
Fileless Attacks and Living-Off-The-Land (LOTL)
Taking evasion techniques one step further, an increasing number of strains are leveraging PowerShell commands and masquerading as legitimate system tools, all while running completely from memory (RAM) to fly under the radar of traditional IoC-based solutions and requiring behavior-based analysis to detect.
(Jack-in-the-box)2 or Jack-in-the-box, Squared
No thanks to underground botnet-as-a-service businesses, whole botnets of compromised systems are rented out to hackers, through which they can leverage ready-made access to live and well systems to simultaneously unleash multiple malware strains at their disposal. For example, Emotet serving IcedID (Bokbot) followed by Trickbot or the Ryuk ransomware.
Deadliest Immediate Threats
What were this summer's most exotic and lethal malware strains? Here's a roundup.
Astaroth Malware Uses Living-Off-The-Land (LOTL) Techniques
Targeting European and Brazilian organizations, and posing an immediate threat to 76% of organizations who tested their resilience to it, according to the Cymulate Research Lab, the fileless Astaroth malware evades traditional IoC-based security controls, stealing user credentials, including PII, system and financial data.
Credit: Microsoft |
At no point during the entire attack kill chain does Astaroth drop any executable files on disk, or use any file that is not a system tool, running its payload completely in memory (RAM).
Sodinokibi Exploits a CVE to Push Ransomware Via MSP websites
The Sodinokibi ("Sodi") ransomware is rare in its usage of a Windows vulnerability, namely CVE-2018-8453 patched by Microsoft last year, which enables gaining admin-level access. Suspected to be the successor of the GandCrab ransomware-as-a-service, Sodinokibi is disseminated through managed service providers' (MSP) websites, a form of supply chain attacks, where download links are replaced with the ransomware executable. Initially suspected as being offered as a service in the underground because of its 'master encryption key' approach, it has been confirmed that this is, in fact, the case.
#Sodinokibi #REvil Ransomware as a Service arrived in russian hacking forum. pic.twitter.com/inT5BYWDIN— Damian (@Damian1338) August 28, 2019
The good news is that none of the organizations simulating this specific variant were found to be vulnerable; however, the exposure rate for other Sodi variants during this summer ranged between 60% and 77%, depending on the strain tested.
GermanWiper Ransomware Adds Insult to Injury
Targeting German-speaking countries, GermanWiper does not really encrypt files. Rather, it overwrites all the victim's content with zeroes, irreversibly destroying their data. The ransom note is therefore bogus, rendering any payments made useless, and making offline backups crucial for recovery.
Posing as a job application with a CV attachment, the malware is spread via email spam campaigns. 64% of organizations simulating GermanWiper appeared to be vulnerable when testing controls against it.
MegaCortex Ransomware Extorts US and EU-based Enterprises
Posing a threat to 70% of organizations, based on attack simulations performed, MegaCortex deliberately targets larger firms in a bid to extort larger sums of cash, ranging from $2M-$6M in bitcoin. The MegaCortex operators compromise servers critical to businesses and encrypt them and any other systems connected to the host.
This ransomware was originally executed using a payload encrypted with a password that was manually entered during a live infection. In its newer strain, this password is hardcoded along with other features that have been automated, such as security evasion techniques. The malware has also evolved to decrypt and run its payload from memory.
Silence APT Spreads Malware Targeting Banks Worldwide
The Russian-speaking advanced persistent threat (APT) group is one of the most sophisticated in the world and has recently updated its TTPs to encrypt critical strings, including commands issued to bots in order to evade detection. Initially sending recon emails to potential victims to identify the easy-clickers, after initial infection, the hackers now spread additional malware to victims either through their rewritten TrueBot loader or through a fileless loader called Ivoke, hiding C2 communications through DNS tunneling. Over the past year, the group has amassed an estimated $4 million.
84% of organizations are vulnerable to the strain released this summer, according to Cymulate data.
Turla Attacks Govt's using Hijacked Oilrig APT Group's Servers
Specifically targeting governments and international bodies, Turla was seen to hijack infrastructure belonging to the Iranian-linked Oilrig APT group. Using a combination of custom malware, modified versions of publicly-available hacking tools and legitimate admin software, the group has been moving towards LOTL techniques, and its victims include ministries, governments, and communications technology organizations in ten different countries.
70% of organizations were found vulnerable to this threat at the time of security testing.
Looking to assess your organization's security posture now that the summer is over? Explore how breach and attack simulation can provide you with the immediate, actionable insights you need.