Malware figures for the first half of 2018: The danger is on the web

09/07/2018
G DATA Blog

More often than not, today's malware is distributed via the web – executable files are becoming less of a problem. Also, the G DATA security experts were able to identify a particular trend in the first half of the year that targets users' computers.

Main findings

  • More attacks are launched from the web - and not from executable files (PE-files)
  • Overall numbers are decreasing, as attacks are more targeted
  • Illegal hidden cryptomining (Cryptojacking) is on the rise
  • Attackers make use of novel standards such as Webassembly for better efficiency

Like the IT industry in general, the development of current malware families and their use is subject to strong fluctuations. This also shows in the latest analyses from the G DATA SecurityLabs: Nine of the ten most common malware threats for PC users from the past year were no longer among the top 10 threats of the first half of 2018. The attacks are also launched more often from websites and not only via executable files, like in the past.

"Traditionally, malware has been spread mainly through executable files. However, we see a significant increase in web-based attacks, some of which require no files at all," says Ralf Benzmüller, Executive Speaker of G DATA SecurityLabs. "Attacks via macros in office documents are also common and encourage users to interact. The ever faster development cycles of malware mean that users can only be comprehensively protected with proactive technologies from the G DATA SecurityLabs".

The following figures are based on statistics collected by the G DATA SecurityLabs. Information is being compiled through the Malware Information Initiative (MII), where G DATA customers can voluntarily transmit statistical data to the company about identified and averted threats. This allows for a more accurate analysis of current samples with respect to currently active threats.

Cryptojacking dominated 2018 so far

Cryptojacking - the surrepticious mining of crypto currencies, usually Monero - had a special significance in the first half of the year. Especially in the first quarter of this year, cryptominers were hidden on numerous websites. Those websites download scripts to the user's computer and then cause a high processor load. In some cases, however, the mining functions can also be found in executable files such as the game Abstractism that was provided through Steam - for more details on this, you can read our blog article "Abstractism: Cryptomining game removed from Steam Store".

It is not always clear whether or not users have consented to such actions beforehand. Therefore, G DATA partly classifies cryptomining as malware, especially if the intention is clearly malicious. In some cases, cryptominers are classified as a "Potentially Unwanted Program" (PUP).  There are three coin miners among the top 10 malware threats, and four among the top 10 PUP detections.

What is new is that the bytecode web assembly is not only used in website-based miners, but also in malware. Webassembly is a supplement to Javascript, and is now supported by all popular browsers. With Webassembly, web developers can achieve significantly faster loading times and faster code execution – this makes the web standard an ideal technology for a coin miner.

Technically significant: More and more often, malware uses lesser-known Windows system functions to execute malicious commands with command line scripts. For example, the G DATA security researchers were able to use the heuristic detection of Voiv malware-samples to block numerous attacks that use "scheduled tasks" in Windows to make changes to the system. The malware disguises itself by claiming to be a browser-related process. Depending on the variant, they execute different types of code through scripting engines - for example, they do this to update the malware itself or to load additional malware modules.

What is web assembly?

WebAssembly is a web standard from 2017 that enables more efficient and faster access to processor functions. The standard is an extension to JavaScript and is delivered in a binary instruction format (bytecode) for a virtual machine (VM). Bytecode is neither directly machine language (assembler) nor fully compiled source code. In this context WebAssembly is used to mine crypto currencies more effectively.

Tech support scams are dead - Long Live Tech Support Scams

Especially in the summer months G DATA noticed an uptick in a long-known scam: the so-called tech support scam. Users see a screen-filling pop-up which suggests that that their computer is infected with malware and that repairs are necessary - for a fee, of course. For this it is supposedly necessary to call a hotline. The interlocutors usually impersonate Microsoft employees and exert psychological pressure on the users. Payment should usually be made via iTunes debit cards. G DATA Security Evangelist Tim Berghoff did not want to miss the opportunity to talk with a fraudster in the past year. He recorded the call and subsequently provides guidelines and tips on how to handle the fraudsters.

Also known as a chronic security problem is Adobe's Flash plugin. A vulnerability from 2017 (CVE-2017-3077) ranked seventh in the Top 10 of averted threats among G DATA users. Here, a manipulated image in PNG format is used to insert malicious code into a user’s computer and exploit the vulnerabilities. Once such a bridgehead has been created for the attack, further malicious code can be reloaded. G DATA advises you to stop using Adobe's Flash Player and uninstall it. If you can't manage to live without it, you should always install updates immediately, as soon as they become available.

Rang Name % Description
1 JS:Trojan.JS.Agent.SAP 8,5% Webbased obfuscated Javascript which calls WebAssembly files for Cryptomining.
2 Generic.Trojan.Agent.3T6Y7T 4,0% Cryptominer using Cryptonight algorithm. It is embedded in websites and written in WebAssembly to avoid detection.
3 Trojan.CoinMiner.I 2,5% Cryptominer embedded on websites using WebAssembly to avoid detection. Mainly using Cryptonight algorithm for mining.
4 Trojan.Generic.16801423 2,3% Generic detection for highly obfuscated Trojan horses in cracked software (often games).
5 Gen:Heur.BZC.Voiv.5.0497934E 2,3% Malicious scheduled tasks which run malware scripts using Windows Scripting. The scheduled tasks are pretending to be related to search engines like Yahoo or Bing.
6 JS:Trojan.JS.Agent.RB 2,0% This is a JavaScript-based, heavily obfuscated Trojan-Downloader
7 Exploit.CVE-2017-3077.Gen 1,9% Detection on malicous png files which exploit Adobe Flash Player 25.0.0.171 and earlier to run any code.
8 Win32.Trojan.Agent.A08EX5 1,6% Trojan horse that pretends to be a game crack for popular games like The Sims.
9 Gen:Heur.BZC.Voiv.5.092F8CAD 1,6% Malicious scheduled tasks which run malware scripts using Windows Scripting. The scheduled tasks are pretending to be related to search engines like Yahoo or Bing.
10 Script.Trojan-Ransom.TechSupportScam.S 1,5% Webpages that show fake warnings about infections and urging the user to call a fake Microsoft tech support. Users usually get scammed for a 100 US Dollars to be paid via anonymous means like prepaid cards.
  Other 71,8%  

Gamers, beware!

Ranking in a #4 and #8 are generic malware detections that disguise themselves as cracked versions of games. Malware authors often hide their malware in games. This tendency is not limited just to Windows computers. Especially on Android, games for children are a focus of fraudsters. G DATA recently warned against fake versions of the Fortnite app for Android in a blog article .

Many Potentially Unwanted Programs (PUP), in addition to the Monero miners, come in the shape of applications that manipulate browser settings of the users without being asked - for example, they change the set start page or the preset search engine or install annoying toolbars. “Open Candy" and the "Mindspark"-Framework, which are mainly hidden in freeware-installers, have been known for this type of behavior for years. These are still being spread and recognized by the G DATA security solutions. It is interesting that software which is classified as a PUP, such as Win32.Application.DownloadGuide.T, now also recognizes virtual machines and tries to avoid detection by antivirus programs by displaying a less aggressive behavior in case it runs on a virtual machine.

Potentially Unwanted Programs (PUP)

Rang Name % Description
1 Application.BitCoinMiner.SX 6,2% BitCoinMiners utilize the computing capacity of the device, in order to mine Monero. In most of the cases they are delivered via websites.
2 Win32.Application.DownloadSponsor.R 4,5% DownloadSponsor.R comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.
3 Win32.Application.OpenCandy.G 3,4% This variant of OpenCandy is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware like DVD player, PDF reader, archiver and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser's behavior, by changing its home page and search engine settings, it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification: generate revenue by displaying advertisements.
4 Application.BitCoinMiner.UB 3,0% BitCoinMiners utilize the computing capacity of the device, in order to mine CryptoCoins. In most of the cases they are delivered via websites.
5 Win32.Application.DownloadGuide.T 2,8% Bundle installer which has detection for virtual machines. Offers during installation will be less aggressive if a virtual machine was detected. On a physical machine fraudulent behaviour is the usual case.
6 Application.BitCoinMiner.AAM 2,4% BitCoinMiners utilize the computing capacity of the device, in order to mine CryptoCoins. In most of the cases they are delivered via websites.
7 Application.Alphaeon.1 2,4% Alphaeon is a PUP installer using InstallCore. It tries to avoid detection by encrypting its payload. Tries to trick the user into installing various other PUP during installation.
8 Script.Application.MindSpark.G 2,3% Generic Trojan horse that (ab)uses folder icons to get executed. Depending on variant this may show worm like behaviour, use a backdoor or download another malware.
9 Application.BitCoinMiner.ZV 2,2% BitCoinMiners utilize the computing capacity of the device, in order to mine crypto currencies like Monero or BitCoin. This one is using webasm and is calling various crypto mining services such as coinhive and authedmine to mine Monero in the background of webpages or webapps.
10 JS:Application.Miner.CF 1,9% Miner.CF installs PUP using InstallCore. Its payload is encrypted. The user is to installing more PUP during installation.
  Other 68,9% n/a

Prevented attacks are slightly declining

The number of overall reports on prevented attacks in the past six months were slightly lower than in the previous year. In the second quarter of 2018 in particular, the figures reported were lower than before. 

The statistics also show that the malware situation varies greatly from country to country. Most prevented malware and PUP infections were reported from Turkey in the first half of 2018, well ahead of second-placed Israel. In Turkey, G DATA security solutions have primarily prevented infections with well-known tools for cracking Microsoft software. Germany is in the middle of the field when it comes to prevented threats.

The development of new types of malware also declined slightly in the first half of the year compared with the previous year. In total, G DATA SecurityLabs has classified 2,396,830 new samples as harmful. On average, about 13,000 new malware samples were detected every day, i.e. about 9 per minute. Benzmüller comments on the figures: "We expect the number of new malware types to increase slightly again in the second half of the year. It will probably not be a record year. But the individual attacks are becoming more and more sophisticated and targeted."