Anatomy of an Attack 4 – Top 5 Malware in 2022.
Malware is the weapon of choice of our adversaries – the “arm, deliver and detonate” weapon. According to statistics published on Security Boulevard, as of Q1 2022 there are more than 1.1 billion malware programs in existence, and 338,860 new malware programs and PUAs (potentially unwanted applications) are detected every day. Today’s article gives an overview of malware types using the example of the 5 most popular malware families in 2022 (so far). Malware can be hidden on a server or in a file, injected into an application or published on a website. We discussed camouflage and delivery methods in a previous article.
By way of reference: in most cases, malware spreads via vulnerable software, files, websites, advertisements, email attachments or malicious links. Any unwanted and destructive program – especially one that compromises device functions, steals data, spies on users and generally causes havoc – is malware.
Below is a list of the 5 most popular malware families in 2022, along with comments on their characteristics and delivery methods:
- Clop ransomware
Clop is one of the newer ransomware threats. It is a variant of the infamous CryptoMix ransomware, a file-encrypting threat that actively evades detection and encrypts saved files, appending the .Clop extension.
How it works:
Before encryption begins, Clop terminates more than 600 Windows processes and disables many Windows 10 applications, including Windows Defender and Microsoft Security Essentials, significantly reducing the system’s ability to protect its data. It then uses AES to encrypt photos, videos, music, databases and documents and appends a .CLOP or .CIOP extension, which prevents victims from accessing their files. For example, “sample.jpg” is renamed to “sample.jpg.Clop”.
Clop is typically delivered by phishing emails instructing targets to quickly install an urgent Windows operating system update. When users download the purported update, the ransomware “.exe” files arrive on the device. Email security controls and a comprehensive, consolidated security solution can help stop such malware incidents.
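The two behaviours described above (killing security processes, then a burst of renames appending the .Clop/.CIop extension) are exactly what an endpoint detection should key on. The following Python is an added example written for this article, not code from the original page or from any vendor: the pipe-separated event format, the executable names it treats as security tooling and the 20-renames-in-10-seconds threshold are assumptions, and the event feed it runs over is constructed.

```python
"""Detect Clop-style activity in a constructed endpoint event feed.

Added example for this article, not code from the page or any vendor. The event
format is an assumption: one event per line, fields separated by '|':
    timestamp|host|pid|image|event|detail
where event is FileRename (detail 'old -> new') or ProcessTerminate (detail is
the image name of the process that was killed).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the article says Clop appends to encrypted files.
RANSOM_EXTENSIONS = (".clop", ".ciop")
# Security tooling Clop is reported to disable (Windows Defender, MSE); the
# executable names below are assumptions about how that shows up in a feed.
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "msseces.exe", "mssense.exe"}
# Burst threshold (assumption): 20 ransom-extension renames by one process in 10 s.
RENAME_THRESHOLD = 20
WINDOW = timedelta(seconds=10)


def parse_event(line):
    ts, host, pid, image, event, detail = line.strip().split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "image": image, "event": event, "detail": detail}


def is_ransom_rename(ev):
    """True when a FileRename event's new path ends in a known ransom extension."""
    if ev["event"] != "FileRename" or "->" not in ev["detail"]:
        return False
    new_path = ev["detail"].rsplit("->", 1)[1].strip().lower()
    return new_path.endswith(RANSOM_EXTENSIONS)


def detect(lines):
    """Return alert strings for security-process kills and rename bursts.

    A single rename to .clop (a user renaming one file) never alerts; only a
    sliding-window burst from one (host, pid) does, and each pid alerts once.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent ransom renames
    alerted = set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["pid"])
        if ev["event"] == "ProcessTerminate" and ev["detail"].lower() in SECURITY_PROCESSES:
            alerts.append(f"{ev['host']}: {ev['image']} (pid {ev['pid']}) "
                          f"terminated security process {ev['detail']}")
        if is_ransom_rename(ev):
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in alerted:
                alerted.add(key)
                alerts.append(f"{ev['host']}: {ev['image']} (pid {ev['pid']}) renamed "
                              f"{len(q)} files to {'/'.join(RANSOM_EXTENSIONS)} "
                              f"within {WINDOW.seconds}s")
    return alerts


def sample_events():
    """Constructed feed: one benign rename, one benign kill, then clop.exe
    killing Defender and renaming 25 pictures in five seconds."""
    base = datetime(2022, 3, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()}|WS01|4120|explorer.exe|FileRename|"
        "C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.clop",
        f"{(base + timedelta(seconds=1)).isoformat()}|WS01|4120|explorer.exe|"
        "ProcessTerminate|notepad.exe",
        f"{(base + timedelta(seconds=2)).isoformat()}|WS01|7788|clop.exe|"
        "ProcessTerminate|MsMpEng.exe",
    ]
    for i in range(25):
        ts = base + timedelta(seconds=3, milliseconds=200 * i)
        lines.append(f"{ts.isoformat()}|WS01|7788|clop.exe|FileRename|"
                     f"C:\\Users\\a\\Pictures\\img{i}.jpg -> "
                     f"C:\\Users\\a\\Pictures\\img{i}.jpg.Clop")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The burst rule matters more than the extension list: a family can change its suffix between campaigns, but it cannot encrypt a user's files without renaming or rewriting hundreds of them in seconds, so the same window logic works for other ransomware with a different extension tuple.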
- Gameover Zeus
Gameover Zeus is a peer-to-peer (P2P) variant of the Zeus family of banking botnet malware; it steals bank credentials and was used to distribute the CryptoLocker ransomware. Experts say the most challenging aspect of the software is that it does not require a centralized Command & Control server: infected nodes relay commands and stolen data to each other and to the operators over encrypted peer-to-peer channels instead.
How it works:
The botnet is primarily used to steal large sums of money through fraud by taking over thousands of customer banking sessions. Once a computer is infected, the malware waits for the user to visit their bank’s website. Gameover then identifies and intercepts the online session using a technique commonly known as man-in-the-browser (MITB). The malware can also bypass two-factor authentication and display fake banking security messages that trick victims into authorizing transactions, allowing the attackers to fraudulently transfer the victim’s money.
The team behind P2P ZeuS is known for using Cutwail, one of the largest and most notorious spam botnets, to send out massive amounts of email impersonating well-known online retailers, cell phone companies, social networks and financial institutions. Typically, the “triggers” come in the form of an invoice, an order confirmation or a warning about an unpaid bill (usually with a large balance owed, to increase the likelihood that the victim will click the link). The links in the email point to compromised sites that redirect victims to a set of exploits.
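A practitioner's first check on a lure like this is whether the link the recipient sees matches where it really goes. The following Python is an added example for this article, not code from the original page or from any vendor: the HTML message and every domain in it are constructed, and both the registrable-domain heuristic (last two DNS labels) and the rule that an invoice link should stay on the sender's domain are simplifying assumptions.

```python
"""Flag disguised links in an HTML e-mail lure such as a fake invoice.

Added example for this article, not code from the page or any vendor. The
message below is constructed and all domains in it are fictitious; the
registrable-domain heuristic (last two labels) and the rule that an invoice
link should stay on the sender's domain are simplifying assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or a bare domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels (assumption; a real tool would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_disguised_links(html, sender_domain):
    """Return (href, text, reason) for links that do not go where they appear to."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope for this check
        target = registrable_domain(parsed.hostname or "")
        m = DOMAIN_LIKE.match(text)
        shown = registrable_domain(m.group(1)) if m else None
        if shown and shown != target:
            findings.append((href, text, "display text names a different domain"))
        elif target != registrable_domain(sender_domain):
            findings.append((href, text, "link leaves the sender's domain"))
    return findings


# Constructed lure in the style described above: order total, invoice link, tracking link.
SAMPLE_EMAIL = """\
<html><body>
<p>Your order #48213 has shipped. Total due: 1,842.00 EUR.</p>
<p>View invoice: <a href="http://cdn.compromised-blog.example/inv/48213">www.example-shop.com/invoice/48213</a></p>
<p>Questions? <a href="https://www.example-shop.com/help">Help center</a></p>
<p><a href="http://update-tracker.example/x?id=9">Click here</a> to track your parcel.</p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reason in find_disguised_links(SAMPLE_EMAIL, "example-shop.com"):
        print(f"{reason}: '{text}' -> {href}")
```

The first rule catches the classic trick of showing the retailer's URL as anchor text while pointing at a compromised third-party host; the second catches "Click here" links that leave the purported sender's domain altogether. Legitimate mail often uses off-domain click trackers, so the second rule is a triage signal, not a verdict.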
- Shlayer malware
Malvertising campaigns delivering the Shlayer malware for macOS continue, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) that was abused for months to compromise victims by bypassing the operating system’s built-in security checks. Shlayer’s recent malvertising campaigns have returned to using fake Flash updates and social engineering to trick victims into manually installing the macOS malware and compromising their own systems.
Although Flash Player reached end-of-life for macOS on December 31, 2020, that hasn’t stopped Shlayer’s operators from continuing to abuse it.
How it works:
Shlayer escalates privileges via sudo using a technique that calls /usr/libexec/security_authtrampoline. The next step is to download additional payloads containing adware and to make sure they can run on the compromised Mac by disabling the Gatekeeper protection mechanism. Once this is done, all additional payloads downloaded and run by Shlayer are treated as whitelisted software, since the operating system no longer checks whether they are signed with an Apple Developer ID. In addition, in case the malware is unable to disable Gatekeeper on an infected Mac, some second-stage payloads are also signed with Developer IDs.
The most common method of distributing Shlayer is through malicious ads that redirect Safari users to pages displaying an alert about an outdated Adobe Flash Player. An example of a recent and ongoing malicious ad campaign is the approvedfornext[…]com site, which redirects Safari users to exactly such a page.
- Agent Tesla
Agent Tesla is a remote access trojan (RAT) that extracts credentials, logs keystrokes, copies clipboard data and captures images from the victim’s computer. The malware has seen a huge surge in popularity in recent years, with more than 6,000 buyers paying for subscription licenses.
How it works:
Its primary function is to collect sensitive information from the victim’s computer: logging keystrokes and clipboard contents, stealing saved credentials from installed software (browsers, mail clients, VPN, FTP and IM clients, etc.), stealing browser cookies and taking screenshots.
The malware contains many features designed to help it evade detection by network security systems and is usually delivered as an obfuscated email attachment, e.g. embedded in a fake PDF purchase order.
- Fleeceware
Fleeceware is sneaky because there is usually nothing malicious in the code of such applications. They do not steal user data or try to take control of the device, so there is nothing in them that could be picked up by Google’s and Apple’s app review processes. Instead, these scams rely on apps that work as advertised but come with hidden, excessive subscription fees. A flashlight app that costs $9 per week or a basic photo filter app at $30 per month is a scam, since you can get the same kind of tool for free, or much cheaper, from other apps.
How it works:
Exposure to excessive “subscription” fees – relatively harmless, though a nuisance.
Fleeceware is distributed through the official OS vendor app stores for mobile devices, precisely because the apps pass review.
The above are just the most common types of malware. The phenomenon as a whole is a real scourge, as illustrated by the following findings from a Cybereason report entitled Ransomware: The True Cost to Business:
- 2/3 of organizations said they suffered revenue losses after a ransomware attack.
- Just over 1/2 of the organizations said they suffered damage to their brand and reputation after the attack.
- About 1/3 of respondents said they lost C-Level talent after the ransomware attack.
- 3/10 of survey participants indicated that they were forced to lay off employees due to financial pressures caused by the ransomware attack.
- 1/4 of the organizations temporarily shut down their business operations after experiencing a ransomware infection.
Keep in mind that if you belong to an organization that processes particularly sensitive data, you can expect an advanced persistent threat (APT) – that is, specially prepared malware designed to infect you specifically. Do you want to know how to defend yourself? Or perhaps you already have a strategy and care about the right tools or validation? Write to us!