For computers, tablets, smartphones, and corporate networks, infections do not follow a predictable season. In these cases, it is always flu season. But here the symptoms are not body aches and fever; the ailment that shows up on the device is malware.
Malware infections are coming at us with increasing frequency, and with different attack methods, from stealthy and cunning to subtle as a sledgehammer.
DRIDEX Malware
Dridex first appeared around 2011-2012. Initially, it was capable of receiving dynamic configuration files and using web injections to steal money. At the time, the malware was called Cridex; it is classified as a Trojan.
Dridex is a form of malware that targets its victim’s banking information.
Dridex’s main objective is to steal sensitive information from its victims’ bank accounts, for example, their online banking credentials and financial access.
This malware targets Windows users through spam email campaigns that trick people into opening a Word or Excel email attachment.
Hidden within these files is the Dridex malware, which will then infect computers to steal personal information, primarily banking credentials.
Financial institutions and customers within financial services, primarily from English-speaking countries, can be targeted. In 2020, Dridex became more relevant, impacting between 3% and 4% of organizations worldwide.
This banking Trojan is a type of malware to be aware of as it exposes people to potential bank robberies.
The malware has also been meticulously updated over the last 10 years, so it is likely developed and updated by a group of people. EvilCorp is the group allegedly responsible for Dridex.
FLYTRAP Malware
FlyTrap malware hijacks a user’s Facebook account. Information collected from the victim’s Android device includes their Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account.
These hijacked Facebook sessions are used to spread malware by sending personal messages with links to the victim’s contacts.
The Trojan also uses the victim’s geolocation details in propaganda and disinformation campaigns to spread to a wider audience.
The threat group’s specialty is using social engineering such as free Netflix coupon codes, Google AdWords coupon codes, and online poll sharing where users vote for things like their favorite soccer teams or players to mask malicious apps.
These fake and highly graphic coupons entice users to log into their Facebook accounts.
Based on collected geolocation data, it is estimated that more than 10,000 users have fallen victim to FlyTrap apps. The victims come from 144 countries, including the United States and Vietnam, the country of origin of the threat actors behind this campaign.
Google has already removed apps with FlyTrap hiding below the surface following Zimperium’s disclosure.
It’s disturbing, though, that such apps have managed to get past Google’s app review and Google Play Protect, the company’s built-in security tool for Android.
KOOBFACE Malware
Koobface Malware is among the viruses that use social networking sites and spam email campaigns to infect systems and steal data.
It made its first appearance in the cyber world in December 2008. It became one of the most devastating Internet viruses in 2009. After being dormant for years, it resurfaced in the year 2013, wreaking havoc all over the world.
Social engineering and phishing are the best means this virus has of spreading.
Behavioral analysis of the Koobface virus has revealed that it can affect email, VoIP (such as Skype, TeamSpeak, Ventrilo), and social networking sites running on Microsoft, Linux, and Mac systems.
Countries and regions such as the United States, Australia, and Europe have been targeted by the Koobface virus. The most recent Koobface attack was reported in 2016 in the United States.
Cybercriminals exploited social media to commit more than 18,712 online crimes, leading to an overall loss of $66.4 million.
TRICKBOT Malware
TrickBot is a modular banking Trojan that targets sensitive information and acts as a dropper for other malware. Since June 2019, there has been an increasingly close relationship between initial TrickBot infections and eventual Ryuk ransomware attacks.
Malware authors continually release new modules and versions of TrickBot to expand and refine its capabilities. TrickBot uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions.
Additionally, some of TrickBot’s modules abuse Server Message Block Protocol (SMB) to spread malware laterally across a network.
TrickBot spreads through spam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware via an attachment.
The opened attachment prompts the user to enable macros, which run a VBScript that in turn runs a PowerShell script to download the malware.
Once executed, TrickBot redeploys itself to the “%AppData%” folder and creates a scheduled task that provides persistence.
TrickBot is also dropped as a secondary payload by other malware, especially Emotet.
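The “%AppData%” redeployment and scheduled-task persistence described above can be hunted for in exported Task Scheduler XML. The following is an added example, not code from the original article: the function names are hypothetical, and the task names and paths in the sample are constructed for illustration, not real indicators.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Per-user writable locations; a task that launches code from here deserves review.
USER_WRITABLE = ("%appdata%", "%localappdata%", "\\appdata\\roaming\\", "\\appdata\\local\\")

def exec_actions(task_xml):
    """Yield (command, arguments) for each Exec action in one exported task."""
    root = ET.fromstring(task_xml)
    for ex in root.findall("./t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS).strip()
        yield cmd, args

def runs_from_user_profile(text):
    """True if a command or argument string points into a user's AppData tree."""
    p = ntpath.normpath(text).lower()  # collapses ..\ tricks, unifies slashes
    return any(marker in p for marker in USER_WRITABLE)

def triage(tasks):
    """tasks: {task_name: xml}. Return sorted (task_name, command) findings."""
    findings = []
    for name, xml in tasks.items():
        for cmd, args in exec_actions(xml):
            # Arguments are checked too: cmd.exe /c <path> hides the real target.
            if runs_from_user_profile(cmd) or runs_from_user_profile(args):
                findings.append((name, cmd))
    return sorted(findings)

def _task(command, arguments=""):
    """Build a minimal task definition (constructed test input)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

# Constructed sample: one benign system task, two that execute from AppData.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _task(r"%windir%\system32\defrag.exe", "-c -h"),
    r"\Msnetcs": _task(r"C:\Users\alice\AppData\Roaming\msnet\svc.exe"),
    r"\Updater": _task("cmd.exe", r'/c "%AppData%\upd\run.exe"'),
}

if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_TASKS):
        print(f"review: {name} -> {cmd}")
```

Legitimate per-user software also schedules tasks from AppData, so a hit is a lead for review rather than a verdict.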
TROJAN GLUPTEBA
If you find the Trojan.Glupteba malicious program installed on your computer (either Windows, Mac, or Linux), you’d better remove it with powerful security programs as soon as possible. This type of Trojan virus will quickly spread to users’ computers all over the world.
Symantec, McAfee, Kaspersky, and MacUtility.com labs have successfully detected and removed thousands of Trojan horse threats. Different Trojan viruses will show different symptoms on the computer, but remember that their primary purpose is totally illegal.
Obviously, Trojan.Glupteba is programmed to steal sensitive data on targeted users’ computers by generating malicious files and activation codes on the compromised computer.
Cyber hackers will sell personal information to interested third parties or steal from the user.
Trojan.Glupteba allows the author to do anything he wants on the infected computer, including sending, receiving, starting, and deleting files, displaying data, and restarting the computer.
Furthermore, Trojan.Glupteba leaves more backdoors and vulnerabilities for virus writers or cybercriminals who will inject other types of malware such as adware, spyware, and ransomware.
UNC3524
While the initial compromise remains unknown at this point, UNC3524 deploys a previously unreported backdoor tracked by Mandiant as QUIETEXIT immediately after gaining initial access.
QUIETEXIT malware is based on the open-source Dropbear SSH client-server tool.
According to the developer of this software, “Dropbear is particularly useful for ‘embedded’ Linux (or other Unix) systems, such as wireless routers” and can run on a wide variety of systems. This is probably one of the reasons UNC3524 decided to develop its malware based on this software.
For example, UNC3524 decided to install the QUIETEXIT backdoor on opaque network devices within the victim environments: SAN arrays, load balancers, and wireless access point controllers.
As Mandiant mentions, “These types of devices are not supported by antivirus or endpoint detection and response tools, so the underlying operating systems are left up to the vendors.”
By installing its malware on trusted systems that do not support security tools, UNC3524 remained undetected in victims’ environments for at least 18 months.