Botnet masters are shifting their preference from spreading specific, single-purpose malware toward multifunctional malware, according to a new report by Kaspersky Lab on botnet activity from January through June.
Such malware gives the masters, or those who control botnets, full control over the infected hosts and makes botnets more profitable by offering more opportunities to steal users' sensitive data.
The report is the result of an analysis of more than 150 malware families and their modifications circulating through 60,000 botnets globally.
Alexander Eremin, security expert at Kaspersky Lab, tells Channel Partners that multifunctional malware is taking the lead because "botnet ownership costs a significant amount of money, and in order to make a profit, criminals should be able to use each and every opportunity to get money out of malware."
"The most surprising fact we discovered was the share of banking malware decreased," he said. "However, we cannot state that this type of malware has become unpopular with criminals, as banking malware is often distributed via downloaders, whose share in analyzed files has increased significantly."
Remote access tool (RAT) malware provides almost unlimited opportunities for exploiting an infected PC, according to Kaspersky Lab. Since the beginning of 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from a little less than 7 percent to more than 12 percent.
Njrat, DarkComet and Nanocore topped the list of the most widespread RATs. Due to their relatively simple structure, the three back doors can be modified by experienced or inexperienced threat actors. This allows the malware to be adapted for distribution in a specific region.
The only type of single-purpose malicious program to demonstrate impressive growth within botnets was miners. Even though their percentage of registered files is not comparable to that of highly popular multifunctional malware, their share increased twofold, which fits the general trend of a malicious mining boom, Kaspersky said.
"Significant growth of miners' share in files downloaded by bots shows that criminals try to use infected machines as a source of cryptocurrency," Eremin said. "Files don't have an impact on a user's real money, unlike banking malware, but still can lead to an inconvenience in using the infected device. The miner itself can be legal software, as well as a legal password recovery tool we noticed being used by botnet masters to recover victims' credentials. The challenge is to protect the user from such unwanted installations of legal software."
Trojans did not demonstrate as much growth as RATs, but their share of detected files still increased from nearly 33 percent in the second half of 2017 to a little more than 34 percent in the first half of 2018. One trojan family can be modified and controlled by multiple command and control (C&C) servers, each with different purposes, for example, cyberespionage or theft of credentials.
Regarding declines, the share of single-purpose malware distributed through botnets dropped in comparison to the second half of 2017. For example, in the second half of 2017, more than 22 percent of all unique malicious files distributed through the botnets monitored by Kaspersky Lab were banking trojans, while in the first half of 2018, the share of bankers dropped by more than 9 percentage points to approximately 13 percent of all malicious files.
The share of spamming bots, another type of single-purpose malicious software distributed through botnets, also decreased from about 19 percent in the second half of 2017 to just more than 12 percent in the first half of 2018. Distributed denial-of-service (DDoS) bots, yet another typical single-purpose malware, also dropped, from nearly 3 percent in the second half of 2017 to about 2 percent in the first half of 2018.
"We recommend installing updates to software that is used in the organizations," Eremin said. "Vulnerabilities in software may be used by criminals to install botnet malware on the targeted PC. Also, install and use a reliable protection solution, especially when surfing the web."
Also this week, Trend Micro released its Midyear Security Roundup 2018, revealing that cybercriminals are moving away from attention-grabbing ransomware attacks to more covert methods intended to steal money and valuable computing resources.
Cryptojacking attempts are making the biggest impact so far this year. Trend Micro recorded a 96 percent increase in cryptocurrency mining detections in the first half of 2018 compared to all of 2017, and a 956 percent increase in detections versus the first half of 2017. This indicates cybercriminals are shifting away from the quick payout of ransomware in favor of the slower, behind-the-scenes approach of stealing computing power to mine digital currency.