Cyber crime gangs recruiting and rewarding supporters

According to Avast malware research director Jakub Kroustek, the research team found that cyber criminals are recruiting supporters via crowdsourcing.

“An interesting trend we observed this quarter was cyber gangs actively crowdsourcing and paying people to support their criminal activities, including the improvement, marketing and distribution of their malware.

“In terms of attacks, we noticed an uptick in DealPly adware towards the end of Q3/2022, a massive spike in Raccoon Stealer infection attempts, increased MyKings botnet activity, and a new botnet called Pitraix, written in Go, gaining a bit of traction.

“Overall, the volume of cyber attacks remained high, despite cyber criminals appearing to relax a bit over the winter months,” Kroustek said.

Data exfiltration

At a global level, people faced a slightly lower risk of ransomware attacks quarter on quarter, according to Avast researchers.

“Ransomware strains increasingly use complicated methods of partial encryption, for example, only encrypting the beginning or end of a file, or blocks of files, to rapidly encrypt files, to avoid user detection,” Kroustek explained.

“Furthermore, ransomware gangs are now exfiltrating data from enterprises, threatening to publish sensitive files, and then deleting or corrupting the files rather than encrypting them.

VIEW ALL

“We also observed an interesting series of events involving the LockBit ransomware group.

“The events include the group offering bug bounties to those who discover vulnerabilities or deliver ideas to the group, rewards for people tattooing their logo onto their bodies, group members retaliating and leaking code, and a back and forth between the gang and a security company called Entrust,” Kroustek added.

In comparison to Q2/2022, the Avast data showed that the risk of Canadians encountering ransomware increased by 16 per cent. In Germany and Spain, people were 12 per cent more likely to encounter ransomware.

Businesses and governments targeted by hacking and APT groups

Pro-Russian group NoName057(16) targeted companies such as banks and news agencies, and governments supporting Ukraine throughout Q3/2022.

The group uses a botnet of computers infected with Bobik malware to perform retaliatory DDoS attacks. According to Avast’s observations, the group has a 40 per cent success rate, and about 20 per cent of the attacks they claim responsibility for cannot be accounted for in their configuration files.

In August, the group announced a new project called DDOSIA and created a new, private Telegram group with more than 700 members. The DDOSIA project allows anyone on the internet to download a binary through which they can carry out DDoS attacks on sites determined by NoName057(16). In return, they are rewarded with cryptocurrencies.

The Gamaredon APT group also targeted Ukraine in Q3/2022, attacking military and government institutions and foreign embassies. The group introduced new tools to its toolset, including file exfiltration tools, various droppers, and new ways of distributing payloads and IPs of C&C servers.

LuckyMouse, a well-known Chinese-speaking threat group, targeted several government agencies in the United Arab Emirates, Taiwan, and the Philippines. Avast found backdoors on infected computers, password stealers for Chrome, and open-source tools, like BadPotato, which is used for privilege escalation. The attackers likely infected devices through a compromised server.

Other groups Avast researchers are tracking are the Donot Team, also known as APT-C-35, and Transparent Tribe, also known as APT36. The Donot Team was most active in Pakistan in Q3/2022.

Avast researchers discovered DLL modules from yty’s framework on several infected devices.

Transparent Tribe, believed to be a Pakistani group, continued to attack victims in India and Afghanistan, infecting PCs using spear-phishing and Office documents with malicious VBA macros. Avast data also identified that the executables belong to the CrimsonRAT strain, Transparent Tribe’s custom malware used to access infected networks.

Rise in DealPly, Racoon Stealer, and MyKings

DealPly, adware installed by other malware, peaked at the end of September 2022.

The adware is a Chrome extension capable of modifying new pages within the browser and can replace newly opened tabs, read browser history, change bookmarks, and manage apps, extensions, and themes in the browser. These capabilities allow the cyber criminals behind the extension to modify search results and replace them with ads, read passwords and credit card details stored in the browser and read what users enter in forms (as well as what they filled in in the past).

Raccoon Stealer, an information stealer capable of stealing data and downloading and executing additional malware, made a big comeback in Q3/2022. Avast protected 370 per cent more users from the stealer during this quarter.

“Raccoon Stealer spreads when users attempt to download ‘cracked’ versions of software like Adobe Photoshop, Filmora Video Editor, and uTorrent Pro,” Kroustek said.

“People often ignore or turn off antivirus shields when attempting to download files like cracked software versions, putting themselves at risk of downloading malware like Raccoon Stealer.”

While botnet activity stabilised in Q3/2022, MyKings botnet activity increased. Avast researchers have found MyKings is a botnet focused on stealing cryptocurrencies, active since 2016.

“Malware is often capable of downloading additional malicious programs, which is how DealPly is spread, for example.

“Therefore, users must install antivirus software and leave protections on at all times,” Kroustek noted.

Mobile malware

Adware remains the dominant mobile threat, with adware like HiddenAds and FakeAdBlockers prevailing.

Avast protected the largest number of people from adware in Brazil, India, Argentina, and Mexico.

Despite Europol’s recent disbanding of Flubot, the global risk of falling victim to a banking trojan went up by 7 per cent in Q3/2022 compared to Q2/2022. Banking trojans are mainly spread via SMS phishing but can also spread via dropper malware.

TrojanSMS, or premium SMS scams, continue to target mobile users, with SMSFactory and Darkherring leading in the category, while UltimaSMS and GriftHorse retired. SMSFactory and Darkherring are distributed via pop-ups, malvertising, and fake app stores.

In contrast, Avast researchers have reported that UltimaSMS and Grifthorse were distributed on the Google Play Store, but not since Google removed them from the Store.

[Related: How to stop high-severity vulnerabilities in OpenSSL]