Data from our Smart Protection Network shows that information stealers were still the most prevalent malware type in the North American region. The pervasiveness of cryptocurrency-mining malware could be due to cryptocurrency’s popularity, while the decline in ransomware detections could be due to cybercriminals finding an alternative trade in cryptojacking or cryptocurrency-mining malware use.
Figure 2 shows that Trend Micro’s MDR service’s detections of information stealers in North America were slightly lower than those for cryptocurrency mining malware because MDR proactively blocked information stealers at the email gateway, network, and endpoint.
Many of the threats we saw and blocked targeted Windows-based systems. Of note is the increased abuse of legitimate system administration tools such as PowerShell and Windows Scripting Host to evade detection and carry out further attacks. Powload is a classic example of an evasive threat that uses fileless techniques. It has evolved with capabilities that can bypass protections such as disabling macros inside documents or using preview mode. Indeed, data from both Smart Network Protection (Figure 3) and Trend Micro’s MDR service (Figure 4) show that Powload was the most detected threat in 2018.
In October, for instance, Trend Micro’s MDR team observed a huge spike of Powload-related activities in logs from monitored systems. The attackers’ modus involved hijacking email accounts and then sending attachments in response to an existing email thread that would result in the unwitting recipients downloading the data-stealing Ursnif malware. Ursnif itself went through changes in its routines and evasion tactics. The prevalence of Emotet, Ursnif, and Loki is a reflection of Powload’s pervasiveness, as these information stealers are also delivered via Powload. There were also isolated cases of worms, which had high detections simply because of the actual number of files detected in a single infection. Further, we also detected various hacking tools, which corroborate the increased instances of Powload being downloaded on endpoints via infected emails.
Apart from the notorious Emotet banking trojan, we also saw notable phishing campaigns in the North American region that delivered Ursnif via email hijacking and spam emails with attachments that redirected to phishing URLs.
Cryptocurrency-mining malware has surpassed ransomware in terms of detections. While it may not be viewed as a critical threat — by itself, it doesn’t steal data, wipe the system, or deliver other malicious payloads — it's still a security risk. Cryptocurrency-mining malware does not just steal an infected system’s computing resources and damage the system, which can result in disruptions. It also undermines the integrity of the system and its components, as well as the privacy of the data stored in it.
We also noticed that endpoints affected with cryptocurrency-mining malware tended to be more vulnerable to other types of malware. Some threats, for instance, added cryptocurrency-mining functionalities to their ransomware.
Meanwhile, Gandcrab is still the most detected ransomware family in North America, followed closely by WannaCry (WCry) and Locky. The number of ransomware families markedly decreased, but they diversified in tactics and techniques. Ransomware’s decline could be attributed to better user awareness and law enforcement's efforts in taking down its authors or distributors. With more victims refusing to pay the ransom, the stealth and seemingly easier profit gained from cryptocurrency-mining malware present a more lucrative alternative for cybercriminals.
Old vulnerabilities remain a challenge for many organizations, particularly those that might find it difficult to update mission-critical systems or networks that have to be kept up and running. The most exploited file vulnerabilities in 2018 also illustrated why information stealers like Ursnif and Loki as well as ransomware families such as WannaCry were prevalent. They are listed below in order of detections, from highest to lowest:
Figure 12 shows the applications whose vulnerabilities were most exploited last year. For attackers, a standard browser is sometimes all it takes to find vulnerable sites to exploit. The industries of organizations that were most affected by exploits and malware attacks were banking/finance, healthcare, technology, manufacturing, and media. The banking/financial and healthcare sectors consistently being affected was in line with our detections for information stealers.
Ransomware still reigned in the Latin American region, although cryptocurrency-mining malware gained further traction. WannaCry/WCry, in particular, is the top threat in the region. WannaCry’s destructive capabilities (self-propagation and stealthy use of attack vector) are compounded by cybersecurity issues in the region, which could make it easier for attackers to breach an organization’s online perimeter or steal a user’s personally identifiable information. This is particularly true in Brazil, whose populace heavily relies on online and mobile banking.
WannaCry, the most detected ransomware in the region, affected organizations in government, energy, healthcare, telecommunication, manufacturing, technology, and financial sectors the most. Other notable threats include worm information stealers like Bondat, which significantly affected the education, healthcare, transportation, and banking industries. They spread via removable drives and have self-replicating and command-executing capabilities. Cryptocurrency-mining malware, especially malicious versions of Coinhive, largely affected manufacturing and retail companies. Consistent with our findings in previous quarters, downloaders like Downad (aka Conficker) and trojans like Gamarue (aka Androm, Andromeda, or Bundpil) were still prevalent despite being old threats.
The North and Latin American regions differed in specific forms of malware that affected them the most, but their threat landscapes weren’t far off in terms of the prevalence of malware families (e.g., WannaCry, Emotet, Coinhive) and their adverse impact. The threats’ increased complexity is also notable. In the Latin American region, for instance, we saw attackers constantly honing the tactics and techniques they used against their targets. These included configuring backdoors to make them more difficult to detect, abusing legitimate tools to deliver payloads, and using disk-wiping malware as a diversion to access their targeted system or network.
While many of today’s threats are from years past, their staying power in both regions is a reflection of how they’ve evolved to bypass traditional security defenses. This highlights the need to equip organizations with actionable insights that can help them promptly identify, respond to, and remediate threats. However, many organizations may not have the financial resources to accommodate this. Moreover, investment in security tools doesn’t necessarily translate to effective cybersecurity either. Today’s cybersecurity skills gap can make it more challenging to find the expertise needed to run or manage these tools. Bandwidth is also needed to process and sift through voluminous security incidents and alerts could also overwhelm and lessen the efficiency of the security team, which also doubles as IT staff in many organizations.
Managed detection and response helps by providing the right combination of people, process, and technology. Trend Micro’s managed detection and response (MDR) service provides alert monitoring, alert prioritization, investigation, and threat hunting services. By applying machine learning models to customer endpoint data, network data, and server information, the service will be able to correlate and prioritize advanced threats. Threat researchers investigate prioritized alerts to determine the extent and spread of the attack. They work with customers to provide detailed remediation plans. This service allows customers to investigate security alerts without the need to hire qualified incident response staff.
Backed by 30 years of threat research experience, Trend Micro’s MDR service provides access to experts who are proficient with live response and are familiar with products that can provide meaning to security incidents that happen to organizations and their industries. Trend Micro’s MDR service is backed by specialists who protect an organization’s IT environments through a comprehensive security technology stack. Our experts have the necessary tools and technologies to analyze threats and help organizations maintain a good security posture.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.