Malware: A month in review – February 2018

The main trend in malware in February, as it was in January and had been throughout 2017, is the rise of ransomware. Detections of new families are reported on a daily basis, and variants of previously known strains are also frequently noted. The threat was significant throughout all of last year and into this, and shows no sign of abating.

Ransomware authors continue to be creative in the ways that they package their product. Thanatos, a previously unknown ransomware, was the first we have ever seen to accept Bitcoin Cash, the currency created after a fork with Bitcoin, and BlackRuby was the first family to combine both ransomware and a coinminer in one. There is a theory that the malicious actors behind BlackRuby would still be able to make some profit from victims, even if no ransom is paid.

Sometimes threat actors can get too creative, however, as was the case with Annabelle, a ransomware with so many processes that security researchers believed it was simply a way for the author to show off his skills.

The GandCrab ransomware was also a new family incorporating never-before-seen features. In this case the ransomware was the first ever to accept the DASH cryptocurrency, and it also uses the NameCoin .BIT TLD, which is not recognised by ICANN, but is instead managed by a decentralised DNS run by NameCoin. This makes it harder for law enforcement to track the developers. A decryptor was released later in the month for this ransomware, but it continues to be distributed, with the malicious actors behind it employing the HoeflerText scam to push it.
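As an added illustration (not part of the original article), a defender-side check that follows from the .BIT detail above: names under that TLD are not resolvable through the normal DNS root, so any appearance of them in resolver query logs is worth flagging. The BIND-style log format, client addresses and domain names below are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed BIND-style query-log lines (not real traffic, not real indicators).
SAMPLE_DNS_LOG = """\
12-Feb-2018 09:14:02.114 client 10.0.0.23#52133: query: www.example.com IN A + (10.0.0.1)
12-Feb-2018 09:14:05.772 client 10.0.0.23#52140: query: example-c2.bit IN A + (10.0.0.1)
12-Feb-2018 09:14:05.913 client 10.0.0.23#52141: query: EXAMPLE-C2.BIT. IN A + (10.0.0.1)
12-Feb-2018 09:14:09.301 client 10.0.0.44#41002: query: bitbucket.org IN AAAA + (10.0.0.1)
12-Feb-2018 09:14:11.005 client 10.0.0.44#41003: query: cdn.orbit.example IN A + (10.0.0.1)
"""

# Pulls the requesting client and the queried name out of one BIND query-log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def queried_name_tld(name: str) -> str:
    """Return the lowercased rightmost label of a queried name.

    A trailing dot (fully qualified form) and mixed case are normalised so
    'EXAMPLE-C2.BIT.' and 'example-c2.bit' compare equal.
    """
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def find_namecoin_queries(log_text: str, tld: str = "bit") -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs whose TLD is the given alt-root TLD.

    Only the rightmost label is compared, so names that merely contain the
    string 'bit' elsewhere (bitbucket.org, cdn.orbit.example) are not flagged.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        if queried_name_tld(m.group("name")) == tld:
            hits.append((m.group("client"), m.group("name").rstrip(".").lower()))
    return hits


if __name__ == "__main__":
    for client, name in find_namecoin_queries(SAMPLE_DNS_LOG):
        print(f"alt-root DNS query from {client}: {name}")
```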

Another important event was the discovery of a new variant of the Hermes ransomware in the wild. Hermes was used as a distraction in the hack of the Far Eastern International Bank (FEIB) in Taiwan, which also saw the SWIFT international banking network compromised.

There were a few major events concerning malware in February, not least a cyberattack on the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, which caused issues for around 12 hours. The attackers used the Olympic Destroyer malware. Reports suggest that Atos, the main IT service provider for the Winter Olympics, may have been hacked several months before the attack, leading to the theft of a large number of authentic login credentials that were then used by the malware to propagate quickly and destructively throughout the target system.

One other major malware development concerned the return of the @OilRig APT with a new Trojan, dubbed OopsIE. The malware was being dropped by the group in phishing campaigns, with an insurance agency and a financial institution targeted.

Lastly, the Google Play Store continues to be plagued with malware problems. It seems every month there are reports of malware having been loaded surreptitiously into apps on the Store, despite the rigorous checks in place. Android in general is the OS most targeted by malware, primarily because of its market share.