Group-IB analysts report that more than half (53%) of all malicious mailings in the first half of 2019 came from ransomware, with Troldesh ransomware being the leader in the number of attacks.
A study conducted by CERT-GIB showed that email remains the main method for delivering malware as encryptors, banking Trojans, backdoors.“In the second half of 2018, the share of malware downloads using a browser was reduced to the minimum and amounted to no more than 5%, and in the first half of 2019, only every 19th download was not associated with mailing”, – report experts of Group-IB.
In the first half of 2019, there is a tenfold increase in the use of password-protected objects – documents or archives. In 2017, password-protected archives accounted for only 0.08% of the total number of malicious objects. In 2018, their number increased to 3.6%. In the first half of 2019, an abnormal increase is observed to 27.8%.
Read also: Pipka skimmer can delete itself from an infected site
Another trend was masking of malware in letters. To bypass corporate security features, cybercriminals increasingly tend to archive malicious attachments. During the first six months of 2019, over 80% of all malicious objects were delivered through the archives, mainly were used zip (32%) and rar (25%) formats were used. The attackers indicated the password to decrypt the contents in a letter with a malicious attachment, in the subject letters in the name of the archive, or in the course of further correspondence with the victim.
“Also, attackers are increasingly using links in letters that lead to the download of malicious objects, instead of using traditional attachments: 29% are links, 71% are attachments. Whereas for the whole of 2018, links accounted for half as much malware”, – inform Group-IB analysts.
Another way to bypass anti-virus solutions is to target an attack with delivery of the message outside the working hours: during the security check, the link in the message is not available, which qualifies as legitimate mail and the message successfully reaches the recipient. Attackers activate a malicious link during business hours, significantly increasing the likelihood of a successful computer infection.
If in 2018 the threat of losing money was associated with attacks by banking Trojans and backdoors, then in the first half of 2019 the situation with cryptographers worsened: they again confidently returned to first place (54%). The three most massive attacks included Troldesh (53%), RTM (17%), Pony (6%).
Experts note that Troldesh is the most common crypto encryption company that was encountered in the past few years. The main task of malware is to encrypt data on the victim’s computer and demand a ransom for decrypting it. Troldesh is sold and rented, and therefore constantly acquires new functionality.
“Recent campaigns with Troldesh have shown that now it’s not only encrypting files, but also mining cryptocurrencies and generating traffic to websites to increase traffic and revenue from online advertising”, – say researchers at Group-IB.
In second place is the banking Trojan RTM, created by the hacker group with the same name. Having appeared in 2016, RTM attracted special attention by the fact that the list of control servers was obtained when accessing the profile page on the Livejournal site.
After analysis, it was found that RTM aims stealing of funds through banking accounts. Using various distribution schemes, RTM disappeared for a while and in mid-2018 emerged again, spreading through a network of fake accounting sites. Next, throughout the reporting period it was used in various attacks on financial institutions and enterprises. Since the beginning of 2019, the number of malicious mailings with RTM has remained at a consistently high level.
