Well-disguised attacks: Malware samples threaten PCs and networks every few seconds

03/03/2020
G DATA Blog

Cyber criminals’ targets have not changed in the past year. They are after passwords and confidential data and try to encrypt data and systems. The current Malware Top 10 showing the ten most active malware families indicate how active the attackers have been in 2019.

Anti-virus providers’ technology is getting better and better, identifying new attacks on company networks or private PCs and laptops every day. Consequently, malware authors are forced to use sophisticated methods to protect their malware from detection by protection programs - it’s an endless cat-and-mouse game. Last year, experts at G DATA discovered more than 13,500 variants of known malware families every day - more than 4.9 million malware samples in total.

Undisputed leader: GandCrab

By far the most active was the GandCrab ransomware. The malware analysts in Bochum identified over 408,000 versions - on average more than 1,100 new variants per day. GandCrab used various distribution channels and infected Windows PCs. The ransomware often entered company networks via an attachment to an application email camouflaged as a zip archive. If the attachment was opened, the malware encrypted files on the system. The blackmailers then demanded a ransom. Another distribution channel was exploit kits that were activated via disguised links, usually on infected websites, and that exploited browser or flash vulnerabilities. However, the group behind the malware had already officially ended its activities on June 1, 2019. By that date, the criminals claimed to have received more than 2 billion US dollars in ransom payments. Even though GandCrab is no longer active, new samples are being generated because automated systems request this.

The Malware Top Ten at a glance:

PositionNameVariantsType
1GandCrab408.182Ransomware
2njRAT208.235Remote Access Trojan
3BlackShades193.105Remote Access Trojan
4Tinba127.589Banking Trojan
5AveMariaRAT102.374Remote Access Trojan
6Emotet70.833Malware Distributor
7Shifu61.225Banking-Trojan
8AZORult60.834Information Stealer
9SakulaRAT53.799Remote Access Trojan
10Nanocore50.535Remote Access Trojan

Manipulation via the backdoor

In second and third places are njRAT, with 208,000 versions, and BlackShades, with 193,000. Both belong to the group called Remote Access Trojans (RATs) - a special type of Trojan that allows cyber criminals to take administrative control of the target system. RATs use common methods of infection such as intrusion through an unpatched vulnerability, infected email attachments, or downloading and installing manipulated software. The malware then opens a kind of backdoor and launches a program on the computer system that the attacker can connect to. The method of operation is similar to remote maintenance software - with the difference that the processes for third-party administrative control are not visible to the user. Cyber criminals often use RATs to set up botnets. Because the control of the computer is complete, there are actually no limits to the attack and manipulation possibilities. This ranges from activating the microphone or the webcam to keylogging and reading confidential data and downloading other malware, to encrypting files and extorting ransom money, for example. Five of the top 10 can be classified as RATs in total.

No end to Emotet

The best-known malware family, Emotet - which we have already reported on multiple times - ranks sixth in the annual charts, with over 70,800 different samples. For comparison, in the same period last year, malware analysts discovered around 28,000 new variants. An average of 194 new versions of the all-purpose cyber crime weapon appeared every day. The former banking Trojan Emotet was back in the limelight, at the end of the year especially. In Germany, public administrations, universities and, once again, hospitals were among the victims of the all-purpose cyber crime weapon. In this role, the former banking Trojan merely acts as a door opener. The initial spam emails look very authentic, so many users regard them as genuine and open the infected attachment. Users then click on the infected attachment and disaster strikes. The malware automatically downloads other malicious software such as Trickbot and Ryuk to spy on other access data and encrypt the system. The result is major or complete outage of the IT infrastructure.

Stealing data, encrypting systems

Banking Trojans such as Tinba or Shifu are also still active. They use man-in-the-browser technology to read login data for banking applications. They enter the system via traditional distribution channels and wreak havoc. They generate a fake pop-up to copy login information for banks or to redirect transfers to the criminal's own account - to the user there is no difference to a real login. These are used to steal logins for online services from Google, Facebook, Microsoft or other web services and also to log all HTTPS connections.

It is noticeable that a large part of the malware has been in circulation for several years. For example, SakulaRAT and Tinba were first discovered in 2012, and Nanocore in 2013. This is also related to the concealment techniques the cyber criminals use to camouflage the malware. The most recent malware in the Top 10 is AveMariaRAT. This RAT was first identified by security researchers in 2018. A total of 332 different malware families are currently classified in G DATA's databases.

Stefan Karpenstein
Public Relations Manager