Latest Malware Trends from Botconf 2019, Bordeaux, France.

Last week RealClear attended Botconf, the malware and botnet conference, in Bordeaux, France. There, malware researchers from the USA, the UK, Germany, France, Spain, the Netherlands and many other countries shared their latest findings.

Cyber-security incidents can have a devastating impact on your business. Customer data or intellectual property can get stolen. Online financial transactions can be compromised. Email accounts can be hijacked. Ransomware attacks can wipe your Windows or Mac systems in a matter of seconds. All of these threats can result in significant downtime, financial loss and reputational damage. A common denominator in most of these attacks is the use of malware by cyber-criminals. Typically, malware is malicious software which gets installed surreptitiously onto your PC. Once installed, it can perform all manner of nefarious actions on your system or network. For instance, malware can secretly record keystrokes, take screenshots, and steal online banking credentials and email passwords. Increasingly, today’s data-stealing malware is connected to remote “command and control” centres in places such as Russia, Ukraine and China. Once your data is in their hands, it can be used to launch further cyber-attacks or sold on the dark web.

Some interesting findings from this conference include:

1 in 5 malware threats goes undetected

1 in 5 malware threats goes undetected, even when using the most advanced firewalls or security software. This stealth is achieved by obfuscating the malware’s payload using encryption (such as RC5 or XOR), altering the code so that each sample produces a different cryptographic hash, and programming the malware to “phone home” using multiple IP addresses.
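The two evasion tricks above, a payload hidden behind a simple XOR key and samples that never share a hash, are easiest to understand from the analyst's side. The example below is added for this article and is not code from the conference or from any of the malware families mentioned: it builds a constructed configuration blob, XOR-encodes it with a single-byte key, then recovers it the way analysis tools do, by trying all 256 keys and looking for strings an analyst expects (the indicator list and the field layout are assumptions for the demo). It also shows that re-keying the same blob yields a different SHA-256 every time, which is why a hash blocklist alone catches so little.

```python
import hashlib

# Constructed sample: a C2 configuration a sample might carry, protected with
# a single-byte XOR key. Built here for demonstration only (RFC 5737 test addresses).
PLAINTEXT_CONFIG = b"c2=203.0.113.10;203.0.113.11;198.51.100.7|key=abc123"
DEMO_KEY = 0x5A
OBFUSCATED_BLOB = bytes(b ^ DEMO_KEY for b in PLAINTEXT_CONFIG)

# Strings an analyst expects to see once the config is decoded (assumed for the demo).
INDICATORS = (b"c2=", b"http", b".exe")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


def brute_force_single_byte_xor(blob: bytes, indicators=INDICATORS):
    """Try all 256 single-byte keys; return (key, decoded) pairs that reveal an indicator."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if any(ind in decoded for ind in indicators):
            hits.append((key, decoded))
    return hits


def extract_c2_addresses(decoded: bytes):
    """Pull the address list out of the (assumed) 'c2=a;b;c|...' field layout."""
    for field in decoded.split(b"|"):
        if field.startswith(b"c2="):
            return field[3:].decode().split(";")
    return []


def variant_hashes(blob: bytes, n: int = 3):
    """Re-key the same configuration n times: each variant gets a fresh SHA-256,
    so a blocklist of file hashes never matches the next build."""
    plain = xor_bytes(blob, DEMO_KEY)
    return [hashlib.sha256(xor_bytes(plain, DEMO_KEY + i)).hexdigest() for i in range(n)]


if __name__ == "__main__":
    for key, decoded in brute_force_single_byte_xor(OBFUSCATED_BLOB):
        print(f"key 0x{key:02x}: {decoded!r} -> C2 {extract_c2_addresses(decoded)}")
    print("hashes of three re-keyed variants:", variant_hashes(OBFUSCATED_BLOB))
```

The brute force works because a single-byte XOR preserves byte positions, so a known plaintext fragment in the decoded output is a strong signal; real samples may use longer or rolling keys, in which case the same idea is applied per key length. The takeaway for defenders is that the decoded addresses, not the file hash, are the durable indicator.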

Data exfiltrating Android phones

Certain brands of Android phone secretly exfiltrate your data to remote “command and control” servers. The malware runs at firmware level on the device, so even applying OTA (over-the-air) operating system updates does not remove it; the malware persists. Just another reason why you should never store passwords for email or cloud services in plaintext on a smartphone.

Password Stealing

Some researchers explained how the Darknet is awash with password stealing kits such as Azorult. This malware can steal passwords from popular email clients such as Outlook. It can also create a hidden administrator account on your Windows computer and set up an RDP connection, giving the hacker free rein over your system. This attack can start with just one infected macro-enabled Office document being opened. Users should exercise extreme prudence when opening Office documents.

Malware is getting more difficult to detect and mitigate

Malware is getting more difficult to detect and mitigate. For example, new breeds of smart malware, once installed on your computer, will perform reconnaissance on your system. If anti-virus software is detected running in the background, the malware can silently disable it. Moreover, some malware processes will even pause temporarily if they detect the presence of malware scanning or analysis software. Malware creators and propagators continue to pick surprising and unusual locations to hide their creations, such as the COM1 (serial port) driver folder in Windows environments. Old reliables like the Svchost.exe Windows process are still commonly imitated by malware creators.
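Imitating svchost.exe works because nobody looks twice at a process with that name. The check below is an added example for this article, not a tool from the conference: it walks a constructed process list and flags the three things that give an imitation away, using two facts about genuine Windows that hold on every supported version: the real svchost.exe lives in System32 (or SysWOW64 for the 32-bit copy) and is started by services.exe. The sample list, PIDs and paths are constructed for the demo.

```python
from dataclasses import dataclass
import ntpath

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str

# Where the genuine binary lives and what launches it (well-known Windows facts).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_SVCHOST_PARENT = "services.exe"

# Constructed process snapshot for the demo (not real telemetry).
SAMPLE_PROCS = [
    Proc(1, 0, "System", ""),
    Proc(600, 1, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(1500, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(812, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),    # genuine
    Proc(2044, 600, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),   # genuine 32-bit
    Proc(3120, 1500, "svchost.exe", r"C:\Users\Public\svchost.exe"),      # wrong folder
    Proc(3300, 600, "svchost.exe", r"C:\Windows\Temp\svchost.exe"),       # wrong folder
    Proc(4100, 1500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),  # wrong parent
    Proc(4200, 1500, "svch0st.exe", r"C:\Windows\System32\svch0st.exe"),  # look-alike name
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes (svch0st, scvhost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_svchost_masquerades(procs):
    """Return (pid, reason) for every process that claims to be svchost.exe but does not
    look like the genuine one, plus names one character away from it."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name == "svchost.exe":
            directory = ntpath.dirname(p.path).lower()
            parent = by_pid.get(p.ppid)
            if directory not in LEGIT_SVCHOST_DIRS:
                findings.append((p.pid, "svchost.exe running outside System32/SysWOW64"))
            elif parent is None or parent.name.lower() != LEGIT_SVCHOST_PARENT:
                findings.append((p.pid, "svchost.exe not started by services.exe"))
        elif edit_distance(name, "svchost.exe") == 1:
            findings.append((p.pid, f"process name {p.name} looks like svchost.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_svchost_masquerades(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
```

On a live system the same snapshot comes from Sysmon process-creation events or a scheduled process listing; the point is that name alone proves nothing, while path plus parent is a cheap, high-confidence test that the anti-virus-disabling malware described above cannot easily satisfy.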

Remote Access Trojans (RATs) are in widespread use

Remote Access Trojans (RATs) such as Nanocore, WSH and Houdini are still in widespread use by cyber criminals. These tools give the attacker remote control of your PC. Ports 80 and 443 are commonly (but not exclusively) used, as the volume of normal traffic on these busy ports makes a RAT hard to spot. You can become infected with a RAT by opening just one infected email attachment or URL (web link).

The Problem with Two Factor Authentication

Many business owners believe that two factor authentication (2FA) is a panacea for their email security. While it does enhance protection, it can also be broken. Many threat actors now present their victims with cleverly timed fake 2FA authentication pages to bypass this defense.

Beware of the Webinject

Webinject attacks are still rampant. These occur when, for example, HTML or JavaScript code is injected into a website to exfiltrate data. If you’re a business owner whose website collects data (even just via a contact form), it is essential that it contains no vulnerable code. Otherwise, your website contact form could be exploited for use in a phishing campaign.
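What "vulnerable code" means for a contact form is usually that a value the visitor typed is written back into the page unchanged. The snippet below is an added example for this article, not code from any site or product mentioned in it: a deliberately flawed form handler beside its hardened twin, fed a constructed (harmless) script tag so you can see the injected markup survive in one and be neutralised in the other. The page template and the `has_active_markup` check are assumptions for the demo.

```python
import html

# Constructed input: what a visitor could type into a "message" field. Harmless on purpose.
INJECTED = "<script>alert('injected')</script>"


def render_unsafe(name: str, message: str) -> str:
    """Vulnerable form: untrusted input interpolated straight into the HTML page."""
    return f"<p>Thanks {name}, we received: {message}</p>"


def render_safe(name: str, message: str) -> str:
    """Hardened form: every untrusted value is HTML-escaped before it reaches the page,
    so '<', '>', quotes and '&' become entities and are displayed, never executed."""
    return f"<p>Thanks {html.escape(name)}, we received: {html.escape(message)}</p>"


def has_active_markup(page: str) -> bool:
    """Cheap reviewer's check: does the rendered page still contain script-capable markup?"""
    lowered = page.lower()
    return "<script" in lowered or "javascript:" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        page = renderer("Alice", INJECTED)
        print(renderer.__name__, "->", page)
        print("  active markup present:", has_active_markup(page))
```

Escaping at the point of output is the fix the page is asking for; a Content-Security-Policy header that disallows inline script is a second layer that limits the damage if one output is missed. Template engines that escape by default (Jinja2 with autoescape, for example) make the safe version the path of least resistance.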

Mind the NAS

Increasingly, many Irish businesses use a NAS device as a file server or backup device. Some brands of NAS, however, are also capable of exfiltrating your data via a secret inbuilt backdoor left by the manufacturer. One researcher found that an off-the-shelf NAS device from a well-known manufacturer was generating unusual outgoing HTTP traffic and running some unusual processes. On further investigation, a root-level backdoor was found communicating with 4 remote IPs via API calls and DDNS. And not only that: NAS devices are also targets for ransomware. In fact, they are almost perfect targets, as they are connected to your network, they hold data and they often lack the protection afforded to a traditional server. Between backdoors and ransomware, your NAS device could easily be a security blind spot, and one you won’t find mentioned in any glossy GDPR guide.
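The RAT section above (traffic hiding on ports 80 and 443) and the NAS story here (unusual outgoing HTTP to DDNS names) share the same defensive answer: look at who your devices talk to, how often, and under what name, rather than at the port. The example below is added for this article and is not the researcher's tooling; it analyses a constructed list of outbound connection records from a firewall or proxy log, flags a host that connects to the same destination at a near-constant interval (a beacon) and flags any device resolving a dynamic-DNS hostname. The flow records, thresholds and the dynamic-DNS suffix list are assumptions for the demo; an analyst would maintain their own list.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Dynamic-DNS suffixes worth a second look. Illustrative list assumed for this example.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "dyndns.org")

# Constructed outbound flow records: (epoch seconds, src_ip, dst_ip, dst_port, dst_hostname).
SAMPLE_FLOWS = [
    # a workstation phoning home over 443 every ~60 seconds (RAT-style beacon)
    *[(t, "10.0.0.5", "203.0.113.44", 443, "cdn-update.example")
      for t in (0, 60, 121, 180, 239, 300, 361, 420)],
    # ordinary, irregular browsing from another workstation
    (5, "10.0.0.6", "198.51.100.10", 443, "news.example"),
    (12, "10.0.0.6", "198.51.100.10", 443, "news.example"),
    (200, "10.0.0.6", "198.51.100.10", 443, "news.example"),
    (230, "10.0.0.6", "198.51.100.10", 443, "news.example"),
    (900, "10.0.0.6", "198.51.100.10", 443, "news.example"),
    (33, "10.0.0.6", "198.51.100.11", 80, "weather.example"),
    # a NAS talking to a dynamic-DNS name over plain HTTP
    (100, "10.0.0.20", "192.0.2.77", 80, "storage-sync.duckdns.org"),
    (4000, "10.0.0.20", "192.0.2.77", 80, "storage-sync.duckdns.org"),
    (9100, "10.0.0.20", "192.0.2.77", 80, "storage-sync.duckdns.org"),
]


def is_ddns_host(hostname: str, suffixes=DDNS_SUFFIXES) -> bool:
    """True when the hostname is, or sits under, one of the watched DDNS suffixes."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_beacons(flows, min_count: int = 5, max_jitter: float = 0.1):
    """Flag (src, dst, port) tuples whose connection intervals are nearly constant:
    at least min_count connections and a coefficient of variation <= max_jitter."""
    times = defaultdict(list)
    for t, src, dst, port, _ in flows:
        times[(src, dst, port)].append(t)
    beacons = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg, 1)))
    return beacons


def analyse_flows(flows):
    """Combine both checks into (src_ip, reason) findings for the analyst."""
    findings = []
    for (src, dst, port), period in find_beacons(flows):
        findings.append((src, f"periodic beacon to {dst}:{port} every ~{period}s"))
    seen = set()
    for _, src, dst, port, host in flows:
        if is_ddns_host(host) and (src, host) not in seen:
            seen.add((src, host))
            findings.append((src, f"connection to dynamic-DNS name {host} ({dst}:{port})"))
    return findings


if __name__ == "__main__":
    for src, reason in analyse_flows(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

Neither check needs the traffic decrypted, which is the whole point when the RAT hides inside 443. Beaconing detection is noisy on its own (software updaters are periodic too), so in practice the interval finding is combined with destination reputation, the device type (a NAS has no business talking to a dynamic-DNS name) and the process or user behind the connection where the source can supply it.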