Webroot: Beware the Worst Malware of 2018

Written by Edward Gately
October 30, 2018

Criminals are quickly moving to cryptomining and cryptojacking for faster, less risky ways of netting cryptocurrency.

Ransomware takes a backseat to botnets and banking trojans, and cryptomining and cryptojacking on Webroot‘s latest “nastiest malware” list.

The list highlights the top cyberattacks of 2018. Webroot also recently revealed the top five riskiest states when it comes to cybersecurity practices.

Webroot’s Tyler Moffitt

“This year, we’ve seen cyberattacks changing faster than ever, evading traditional defenses and wreaking havoc on businesses and everyday internet users alike,” said Tyler Moffitt, Webroot’s threat research analyst. “From gaping security holes, such as unsecured remote desktop protocol (RDP), to tried-and-true tactics like phishing and exploits, to stealing crypto in the form of CPU power, cybercriminals are exploiting vulnerabilities in increasingly malicious ways. Businesses and individuals must be vigilant, stay informed, and focus on improving their overall cyber hygiene to avoid the devastating effects of these attacks.”

Botnets and banking trojans are the most commonly seen type of malware, with Emotet being the most prevalent and persistently seen to date, according to Webroot. Emotet, which delivers banking trojans, aspires to increase the number of zombies in its spam botnet, with a concentration on credential gathering. Threat actors recently developed a universal plug and play (UPnP) module that allows Emotet to turn victims’ routers into potential proxy nodes for their command-and-control infrastructure.

Trickbot follows a similar attack plan, but contains additional modules (with more added each day) and has even been seen dropping ransomware. Also, Zeus Panda has similar functionality to Trickbot, but has more interesting distribution methods including macro-enabled Word documents, exploit kits and even compromised remote monitoring and management services.

Criminals are quickly moving to cryptomining and cryptojacking for faster, less risky ways of netting cryptocurrency, Webroot said; however, what some may call a victimless crime has a significant impact for businesses and consumers alike.

GhostMiner’s distribution method is the scariest part for its victims because they don’t know its entry point. WannaMine’s Windows management instrumentation (WMI) persistence technique allows it to remain stealthy, and difficult to find and remove.

Coinhive, initially innocent, was quickly added to the standard toolkit for attackers compromising websites. Even legitimate website owners are using Coinhive without knowing the impact it will have on their visitors. If your computer processing power spikes to 100 percent when simply visiting a website, it might be Coinhive.

And while overtaken by the rise of cryptomining, ransomware has become a more targeted business model for cybercriminals, with unsecured RDP connections becoming the focal point of weakness in organizations and a favorite port of entry for ransomware campaigns.

The three “nastiest” ransomware are: Crysis/Dharma, which specifically targets the RDP vector; GandCrab, which is distributed via malspam campaigns, exploit kits and RDP; and SamSam, which now is bringing down entire cities or at least portions of them.