Malware & Campaigns Analysis for October 2020

BlueVoyant continued tracking and analyzing thousands of malware families’ mentions across various internet forums in October. The table below reflects the Top 10 malware strain mentions in 2020 totaled from January to October in the forum categories: Mainstream News, Social Media, and the Cyber Industry.

Note: Stuxnet, WannaCry, and NotPetya results are omitted due to their ubiquity across all 3 forums and in contexts sometimes far detached from cybersecurity. The Necurs malware is also removed as the botnet was taken down by Microsoft and international authorities back in March 2020 and the vast majority of its mentions relate to that take-down, vice recent malicious activity.

Top 10 Malware CY 2020

1. Emotnet

2. Trickbot

3. Maze Ransomware

4. Ryuk Ransomware

5. Sodinokibi Ransomware

6. WastedLocker Ransomware

7. Mirai

8. DoppelPaymer Ransomware

9. Netwalker Ransomware

10. Pegasus

Once October results were incorporated, there were some noted shifts among the top 5 and towards the bottom of the list. A hubbub of activity surrounding Trickbot and Ryuk Ransomware translated to a spike in mentions and pushed each further up the list.

Trickbot

Trickbot has routinely maintained a leading spot in the 2020 Top 10; the Wizard Spider operators behind the malware run one of the most successful malware-as-a-service operations in cybercriminal circles. The operators employ large-scale spam campaigns to proliferate, following infection with a range of information-stealing capabilities. In early October, reports surfaced the US Cyber Command was concluding an operation against the Trickbot botnet that directed all botnet slaves to disconnect from the malware’s C2 servers and pushed millions of bogus “new victims” records into the Trickbot database.

A week or so later, Microsoft had convinced a US Court in Virginia that the use of Windows Software Development Kits (SDKs) inside the malware code represented a trademark infringement and gained approval to take over several Trickbot servers. Teamed with FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec, Microsoft moved to do just

that, eventually reporting having disabled 62 of 69 identified servers. Microsoft’s Corporate Vice President of Customer Security, Tom Burt, wrote after the joint takedown, “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or

activate ransomware already dropped into computer systems.”

Wizard Spider operators reacted quickly and by 13 October, cybersecurity researchers had indicated new infrastructure had already been stood up to replace the seized servers and domains. In an update issued on 20 October, however, Microsoft shared the joint public/private partnership had continued its monitoring and identified 59 new servers added to the

infrastructure, of which it had disabled all but one. Echoing the US Cyber Command operational objective of protecting US elections, Microsoft admitted it had taken a methodical approach and intended to continue the fight through US election day, 3 November.

Besides this back-and-forth, security researchers documented new features of the Trickbot malware in October as well. Reporting by Netscout revealed the malware authors had updated their code in order to infect Linux OS devices as well, essentially expanding the list of potential victims it might target.

Ryuk Ransomware

Ryuk ransomware trends that emerged in September continued into October and has translated to a one-spot bump for the dangerous malware on the 2020 Top 10 list. The Wizard Spider operators noted above are also reported to be behind the Ryuk ransomware strain. In October, the threat actors were not only busy countering attacks to their Trickbot infrastructure as noted above, but also wreaking havoc on victims, possibly even as retaliation.

In the aftermath of the US Cyber Command operation in early October, Milwaukee-based Hold Security’s Alex Holden, the CISO and President, indicated to Krebs on Security that “the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.” Therefore, retaliation was definitely being discussed.

In an October blog documenting a recent post-incident engagement following a Ryuk ransomware attack, Sophos researchers noted how quickly the attack unfolded. Within 3.5 hours after the initial compromise from a phishing email, the threat actors were carrying out network reconnaissance, then took over a domain controller within a day and were in the prep stage for ransomware deployment. In reporting by The DFIR Report on 18 October, the threat actors transitioned from a phishing email to full domain-wide encryption in 5 hours, leveraging the Zerologon (CVE-2020-1472) exploit to maximum effect. Following up that report on 5 November, The DFIR Report shared that a recent Ryuk ransomware case bettered the 5-hour mark. According to their analysis, Ryuk ransomware was deployed within 2 hours of initial compromise and the threat actor completed all objectives in 3 hours.

Reinforcing the notion of retaliation as well as the expertise and wide-ranging operational nature Wizard Spider plies their trade, the Washington Post reported that during a 24-hour period starting on 26 October, Ryuk ransomware was deployed in attacks against at least six US hospitals ranging from California to New York. Threat intelligence analyst Allan Liska with the cyber firm Recorded Future highlighted, “Though criminals have been deploying ransomware against hospitals since the beginning of the pandemic, having one group hit six separate hospital organizations in 24 hours is a step up in tactics.” This threat actor continues to be very effective and quite dangerous.

Monthly Trends

TRISIS (aka Triton or HatMan) registered significant mentions in October in the Social Media and Mainstream News categories. TRISIS is a malware strain that targeted ICS systems and gained notoriety in 2017 for attacks on a Saudi Arabian oil company. The uptick in mentions noted in October is due to news late in the month. The US Department of Treasury issued sanctions against the Scientific Research Institute of Chemistry and Mechanics State Research Center, claiming the Russian Federation State Research Center was responsible for developing the customized tools associated with this malware and the attacks.

MosaicRegressor notched fifth-place finishes in the Cyber Industry and Mainstream News categories and ninth-place showing in Social Media. MosaicRegressor was reported in early

October by Kaspersky researchers Mark Lechtik and Igor Kuznetsov, who discovered it. Malware affecting UEFI firmware is highly persistent and MosaicRegressor boasts various features that include multiple downloaders as well as one component that includes information

stealing, archiving, and exfiltration properties. Kaspersky researchers conclude the rootkit is a customized variant of Hacking Team’s VectorEDK bootkit that was leaked in 2015. Their analysis further revealed it was mainly discovered on computers targeted by traditional nation-state threat actors, Non-governmental Organizations, and diplomatic entities from Africa, Asia, and Europe between 2017 and 2019.

Kaspersky researchers were unable to pin down the exact initial attack vector but assess it may include the possibility of physically accessing a machine (with a USB for example) or possibly as a follow-on infection from previously compromised BIOS updates. The malware is only the second-ever Unified Extensible Firmware Interface (UEFI) rootkit observed in active attacks.

GravityRAT earned the seventh spot in the Social Media category after reporting emerged it has been continuously developed since at least 2015. The malware family has been tied to Pakistani-based hackers and the primary targeting of Indian military organizations underpins that assessment. Kaspersky reporting in October revealed the malware strain had an added ability to infect Android and macOS devices, whereas previously, it targeted Windows computers only.

The expansion in targeting further confirms the RAT has been under active development and usage since originally deployed. Kaspersky identified new variants of GravityRAT hidden as legitimate Android and macOS applications and used more as an information stealer.

The MontysThree malware logged an eighth-place finish in the Cyber Industry category during October. In early October, Kaspersky researchers published their discovery of the industrial espionage malware they dubbed MontysThree. Kaspersky believes the threat actors behind this malware family are new and Russia-based due to clues in the malware, although the actors made some effort to point the finger at a China-based actor. Nevertheless, the researchers observed targeting of the industrial sector within Russia specifically, where documents and files of specific targets represented the goal.

MontysThree uses some sophisticated techniques during deployment, like leveraging steganography for obfuscation in the loader module of the malware as well as using big-name cloud storage providers for storing the stolen information. However, researchers note the threat actor employs some basic remote access techniques over RDP and appear to still be perfecting their methods. Nevertheless, the threat actor’s intent was plainly industrial espionage according to the analysis, as there was no cybercrime nexus noted from the observed operations. It is possible that this malware represents further evidence of the growing hacking-for-hire operations noted throughout 2020. Kaspersky indicated it will continue to monitor the threat actor.

MalLocker.B registered an eighth-place finish in the Mainstream News category after Microsoft blogged about the Android ransomware in early October. The ransomware is tracked by Microsoft Defender for Endpoint as AndroidOS/MalLocker.b, hence the name. Microsoft researchers note the ransomware has been active in the wild for some time, however, the malware is under active development.

The latest variant of MalLocker.B caught the eye of Microsoft researchers because it increased its evasion techniques and is registering low detection rates from security solutions. This variant employs a new technique to show the ransom note, which is plastered across the display screen and more difficult to remove. The note itself is usually a fake police warning that says explicit or illegal images were found on the phone and the user must pay a fine within 24 hours.

As possible forecasting of what may be in store for the next evolution of the malware, Microsoft also found a snippet of code that borrows from an open-source machine learning module to resize the ransom note image so it corresponds to the device specifications, allowing it to be fully displayed and clear for the victim.

IPStorm (aka InterPlanetary Storm) garnered the tenth spot in both Cyber Industry and Mainstream News during October. IPStorm is a malware botnet that was first noted in May 2019 with around 3,000 infected devices under its control. In early October, Barracuda networks reported the botnet had grown to more than 13,000 infected devices across 84 different

countries. Moreover, the latest versions of the malware strain are capable of targeting Android, Linux and Mac platforms in addition to previously known Windows devices.

To compromise Android, Barracuda and Bitdefender researchers noted the malware scans for Android devices that have their Android Debug Bridge port open. Linux and Mac systems are being targeted through brute-force dictionary attacks via SSH. Once initial access is gained, the malware secures persistence and stops a list of processes that might threaten its operations.

Nevertheless, researchers admit to remaining in the dark as to the botnet’s intent. Upon its first discovery, researchers believed the malware may have simply been an experiment by a bored programmer. Since it has continued expanding in size, however, that theory has been cast aside and researchers are still stumped.

The malware loads a reverse shell on its slaves and maintains backdoor access, but security researchers have not seen the operators actually do anything with the compromised devices. Typically, botnet operators install cryptominers, perform DDoS attacks, facilitate the movement of malicious traffic, or simply sell access to the bots...none of which has been observed.

BlueVoyant is an analytics-driven cybersecurity company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.