Figure 1. Data from the Trend Micro Smart Protection Network™ showed a spike in malware spread beginning in 2019, with January 3 having the highest number of detections.
Figure 2. Countries with the highest number of detections for infections.
The sudden increase in our detection systems revealed thousands of unique SHAs in a matter of days. The IP address (which we traced to a registration in Russia) is no longer accessible as of writing, but the payloads can still be sourced online. Interestingly, the cybercriminals change the malware included in the .EXE files and spread different kinds of malware depending on the region and industry targeted.
Figure 5. The script downloads different malware from the IP address. As of writing, analysis showed this .EXE downloading GandCrab.
Figure 6. Even after the registered IP address has been blocked, other sites host the malware file and send the spam emails.
Opening malicious emails or attachments can launch malware downloads, not only to access, collect and steal proprietary and system information, but also to enable other functions such as remote administration with malicious intent. To defend against these types of threats:
Avoid clicking on or opening emails, URL links, or attachments from suspicious or unfamiliar senders.
Regularly back up important files. Follow the 3-2-1 backup rule.
Install a multi-layered protection system that can detect and block malicious emails, attachments, URLs and websites.