Coalition against Stalkerware to combat this threat.
AllTracker Family – the command & control center which shows information about tracked devices
Banking trojans have always been very active among Android malware and 2020 was no exception. Apart from the tactic of using COVID-19 as a pretext, banking threats have also followed their classic approach: masquerading as a commonly used app, requesting unusual permissions, and attempting to steal bank card data.
An example of such tactics can be seen in a variant of the Android banking trojan family Wroba, which disguises itself as Google Chrome and uses overlay techniques to capture card credentials from certain monitored banking applications. In most cases, the overlay used is a clone of the monitored banking application’s login screen.
It is often thought that the macOS operating system is immune to malware. There may have been a time when this was the case, but not today. The adoption rate of macOS means malware writers actively target it and have developed ways to break into macOS systems.
Adware and potentially unwanted applications (PUAs) account for more than half of macOS detections this year. Script or Office-based attacks are prevalent on macOS and together account for 21.5% of attacks.
Some malicious applications, distributed through install packs, spam, or bogus Adobe Flash Player updates, exhibit several potentially unwanted behaviors such as intrusive ads or changing the user’s default search engine (which may pose a problem for user privacy).
Script- or Office-based attacks are usually first-phase infections: the script or document itself carries no final payload, but downloads it once it has successfully run on the system.
macOS malware writers and adware distributors focus on the main markets for Apple devices. Consequently, the United States is the most targeted (very high threat on OSX), followed by Canada, Western Europe, Australia and Japan (high to a very high threat on macOS).
A few countries are in the “middle ground”, such as Italy and China. Although the number of attacks per device is high there, the rates are significantly lower than in North America or Western Europe. With a few exceptions, Latin America, Africa and Asia see low rates of macOS-based attacks.
This year, the macOS environment has seen a special kind of ransomware, named “EvilQuest”. This malicious program uses torrent websites as its infection vector, disguising itself as certain legitimate applications (Google Chrome or Mixed in Key 8 as examples). After installing itself on the victim’s computer, the malware makes itself persistent via a launch agent (meaning that the malicious program will start automatically).
In terms of ransomware capabilities, EvilQuest targets all sorts of files: from office documents (doc, xlsx) to PDFs and files related to keys, certificates and wallets (using case-insensitive patterns such as *id_rsa*/i and *wallet*.pdf/i).
What really makes this malware family special is its viral capabilities. Once the initial malware binary makes itself persistent, it lists the contents of the /Users directory and infects every binary which is not part of an application bundle.
The infection mechanism works as follows: the original malware content is written to the start of the target file, then the original target file is appended to it. After this, it writes a trailer to the end of the file containing a specific string (DEADFACE) and the offset in the infected file where the original target is located (this offset is used to run the original file after the malware has been activated, so the victim does not notice the program has changed).
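Because the report describes the infected-file layout precisely (stub first, original appended, trailer last), a defender can write a small scanner that recognises the trailer and recovers the original binary. The following is an added example written for this page; it is neither Avira's tooling nor code from EvilQuest. The exact trailer layout is an assumption made here for illustration (an 8-byte little-endian offset immediately followed by the ASCII marker DEADFACE as the last bytes of the file); the report only states that the trailer contains the DEADFACE string and the offset. The sample file used to exercise the scanner is constructed inline from dummy bytes.

```python
"""Scanner/recovery tool for the prepender-style infection layout described
above.  Added example, not Avira's code and not the malware's.

Assumed trailer layout (an assumption, not confirmed by the report):
    ... | stub | original file | u64 LE offset of original | b"DEADFACE"
"""
import struct
import tempfile
from pathlib import Path

MAGIC = b"DEADFACE"              # marker string named in the report
TRAILER_LEN = 8 + len(MAGIC)     # assumed: u64 offset + marker


def parse_trailer(data: bytes):
    """Return the offset of the original file if `data` ends with the
    assumed trailer, else None.  Offsets that cannot point at a region
    between the stub and the trailer are rejected as corrupt."""
    if len(data) < TRAILER_LEN or not data.endswith(MAGIC):
        return None
    (offset,) = struct.unpack("<Q", data[-TRAILER_LEN:-len(MAGIC)])
    if offset == 0 or offset >= len(data) - TRAILER_LEN:
        return None
    return offset


def is_infected(data: bytes) -> bool:
    """True when the file carries a well-formed trailer."""
    return parse_trailer(data) is not None


def recover_original(data: bytes) -> bytes:
    """Cut the original target out of an infected file: everything from the
    trailer's offset up to (not including) the trailer itself."""
    offset = parse_trailer(data)
    if offset is None:
        raise ValueError("no infection trailer present")
    return data[offset:-TRAILER_LEN]


def scan_tree(root) -> list:
    """Walk a directory (the report names /Users as the virus's target) and
    return the paths of files that carry the trailer."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and is_infected(path.read_bytes()):
            hits.append(str(path))
    return sorted(hits)


def build_constructed_sample(stub: bytes, original: bytes) -> bytes:
    """Constructed test fixture only: assembles dummy bytes in the layout
    the report describes so the scanner can be exercised offline."""
    return stub + original + struct.pack("<Q", len(stub)) + MAGIC


if __name__ == "__main__":
    # Constructed demo: one clean file and one 'infected' file in a temp dir.
    original = b"\xcf\xfa\xed\xfe" + b"ORIGINAL-PROGRAM"   # dummy Mach-O-like bytes
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean.bin"
        bad = Path(tmp) / "infected.bin"
        clean.write_bytes(original)
        bad.write_bytes(build_constructed_sample(b"STUB-BYTES" * 3, original))
        for hit in scan_tree(tmp):
            recovered = recover_original(Path(hit).read_bytes())
            print(f"{hit}: infected, original recovered intact={recovered == original}")
```

The offset bounds check matters in practice: a truncated or deliberately malformed trailer must not make the recovery routine slice outside the file or hand back the stub as if it were the original. Recovered binaries should still be treated with suspicion until their hash matches a known-good copy, since the trailer offset is attacker-controlled data.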
Adware and PUA are closely related to each other and, combined, they make up more than 50% of the total number of detections for macOS in 2020.
Some malicious applications exhibit multiple potentially unwanted behaviors such as intrusive advertisement and changing the user’s default search engine (which can cause privacy issues for the user). These include Tapufind, distributed via installation bundles, spam, or fake Adobe Flash Player updaters.
Another example of particularly aggressive adware is SurfBuyer. This adware does not have to deploy itself on the user’s machine: in most cases it is bundled with other software (legitimate or not) that the user installs willingly. This behavior matches Avira’s definition of a Potentially Unwanted Application, showing how fine the line between PUA and adware is.
An example of advertisements that appear after the installation of SurfBuyer
Once installed on the user’s machine, SurfBuyer displays different kinds of advertisements and “coupons” and, in some cases, even downloads and installs other PUA applications. Some users fall for these tricks thinking that the promotions are real (they sometimes are, but clicking them is still ill-advised).
Threats to ‘Internet of Things’ devices continued to increase in 2020. People spend increasing amounts of time at home and are investing in smart devices permanently connected to the internet. Granted, many of these devices are relatively secure, but a large minority remain vulnerable as a result of security flaws in the hardware or software configuration.
Since they generally do not require the regular intervention of users, threats that target connected objects focus their efforts on two infection vectors:
The second technique relies on default passwords that have never been changed, or on passwords that are not sufficiently complex; this remains a significant issue for IoT devices.
Threats that are more difficult to avoid are those that exploit known vulnerabilities on devices. IoT devices, particularly older ones, are likely to have unpatched security vulnerabilities that cybercriminals can use to gain unauthorized access to a home or office network.
Instead of categories, we have focused our analysis on family names for IoT. In the last few months, Sora samples were the most observed by our IoT lab. Sora is one of the most notorious variants of the Mirai malware, known for the high volume of samples found in the wild. It targets embedded systems, usually by exploiting device vulnerabilities.
One example of a device exploited by Sora is the Rasilient PixelStor5000 video surveillance storage system, which Sora breaches by exploiting the vulnerability CVE-2020-6756.
This vulnerability allows an attacker to perform Remote Code Execution. Mirai itself is one of the mainstays of the IoT threat landscape. Thanks to its publicly available source code, Avira’s IoT Labs are continually discovering new variants. We have previously reported on Mirai and its evolution.
Owari is also a Mirai variant; it made waves in 2018 when it compromised nearly 20,000 IoT devices, being delivered via the GPON vulnerability CVE-2018-10561. After successful exploitation, it downloads its payload from the remote server. The authors of Sora and Owari are thought to be the same person, dubbed “WICKED”.
Meerkat is a botnet that runs as a single instance by binding port 13324. It is often known as Lazy Meerkat. The botnet tries to manipulate the watchdog and prevents the device from restarting to establish persistence.
Other common IoT threats not shown here, and part of the “Other” group, are Gafgyt and Katana. The latest Gafgyt samples exploit the Pulse Secure Connect vulnerability CVE-2020-8218. Gafgyt has exploited LG SuperSignEZ CMS, CCTV/DVR and ThinkPHP, and has targeted GPON and Huawei routers through a command injection vulnerability.
Like many other IoT malware, Gafgyt also manipulates the watchdog and prevents the device from restarting.
Katana is a relatively new Mirai variant. Although the Katana botnet is still in development, it already has modules such as layer 7 DDoS, different encryption keys for each source, fast self-replication, and secure C&C.
Katana has its own YouTube channel called VEGASec, where it is bought and sold. The Katana botnet attempts to exploit old Remote Code Execution and Command Injection vulnerabilities present in Linksys and GPON home routers.
Learn more about new and novel malware, or automatically receive our next malware threat report by subscribing to Avira Insights blog’s research section.
Visit oem.avira.com to determine how you can improve your detection rates using Avira’s anti-malware SDKs or threat intelligence.