Malware and Campaign Analysis September 2020

Calendar Year 2020

BlueVoyant observed thousands of malware families mentioned across various internet forums throughout September 2020. The table below reflects the top 10 malware strains for 2020 by most unique mentions totaled from January to September in the forum categories: Mainstream News, Social Media, and the Cyber Industry.

Note: Stuxnet, WannaCry, and NotPetya results are omitted due to their ubiquity across all 3 forums, and in contexts sometimes far detached from cyber security. The Necurs malware isn’t included because the botnet was taken down by Microsoft and international authorities back in March 2020. The vast majority of its mentions relate to that take-down.

After tabulating September's results, the top 10 list for the 2020 calendar year saw no overall change with previously reported malware families securely maintaining their positions. There were, however, some trend changes from August to September with a few interesting findings of note. Specifically, Ryuk ransomware is back on the list in all three categories for September.

Monthly Trends

The following table displays the malware families logging the most mentions in September across each respective category. Those selected for highlighting below the table include noteworthy new malware as well as interesting events or unique features observed by some of the top malware strains.

Emotet Dominates All Forums

Emotet took the top spot in all three categories. This is in large part to its triumphant return after a month’s-long hiatus. Emotet is currently conducting large scale campaigns to continue its dominance and monetize its infections.

Return of Ryuk

In recent reporting, it appeared as though Ryuk was on its way out. Researchers in the security industry assessed that Conti ransomware was the successor to Ryuk and that the infamous ransomware would fade away. Then, in the final days of September, reports started flowing in indicating a major US Healthcare provider had suffered a devastating ransomware attack. While Universal Health Services (UHS), which operates over 400 facilities in the US and UK, made no official statement on the malware in play, reports from employees started to leak. The information gathered from these leaks all points to a Ryuk ransomware infection - from the text used in the ransom note, to the .ryk file extensions after encryption.

Advanced Intel’s Vitali Kremez shared additional information with security blog, Bleeping Computer, indicating that researchers also observed Emotet and Trickbot on infected hosts. It is likely the infection started weeks or even months earlier and laid dormant until executing overnight on a weekend to help avoid discovery.

UHS stated its IT network was entirely offline due to an unspecified cybersecurity issue. "We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods."

UHS insists patient care continues to be delivered and "no patient or employee data appears to have been accessed, copied or otherwise compromised."

KryptoCibule

A newcomer to the list, KryptoCibule was discovered by ESET researchers in early September. ESET reported the previously undocumented trojan spreads through malicious torrents and uses multiple tricks to exfiltrate as much cryptocurrency as possible while remaining undetected.

Currently, KryptoCibule campaigns primarily focus on targets in the Czech Republic and Slovakia. According to researchers, the malware is a triple threat in regard to cryptocurrency: it uses a victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses, exfiltrates cryptocurrency-related files - all while deploying multiple techniques to avoid detection. The malware also makes extensive use of the TOR network and BitTorrent protocol for communication.

“The malware, as written, employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server,” says Matthieu Faou, ESET Researcher who uncovered the new malware family.

CDRThief

ESET researchers discovered yet another newcomer for September, CDRThief - the Linux-targeting code that can steal phone call metadata, likely for use in spy campaigns or VoIP fraud. To steal the metadata, the malware queries the internal MySQL databases used by the Softswitches.

According to ESET researchers, the malware was custom developed to attack the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. The code is capable of retrieving private call metadata, including call-detail records (CDRs), which log the call times, duration, completion status, source number and destination number of phone calls flowing through a carrier’s network.

“We can say that the malware’s primary focus is on collecting data from the database,” said ESET researcher Anton Cherepanov. “Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.”

“The attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented,” Cherepanov included.

BlueVoyant is an analytics-driven cyber security company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.