We all know about Software-as-a-Service and Storage-as-a-Service. Another term that should be on the radar screen of anyone interested in cyber security is Malware-as-a-Service.
While the clichéd image of a hacker is a hoodie-wearing loner in the shadows, the reality is that well-organized criminal groups now operate like big tech companies using professional development processes. Today, criminal malware developers for malware families such as Emotet, Trickbot, and thousands of others are making them available to others for their nefarious schemes. Like legitimate software developers, the criminal groups continually improve their malware with new features, bug fixes and modules capable of achieving a variety of objectives.
A good comparison would be someone going to purchase a new car. There are base models and then there are tiered levels that are more expensive but offer enhanced features and capabilities. The same concept can be applied to the cyber crime ecosystem when it comes to commodity malware offerings.
For example, the banking Trojan Trickbot recently unveiled new modules that steal credentials used to authenticate to remote servers over Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP).
With the availability of a vast array of malware, which can be purchased as individual services or an entire cyber attack package, bad actors have taken a disturbing leap in how they monetize their attacks. One area where this is particularly rampant is among cyber attacks on the customers of banks and financial institutions.
Stealing Banking Credentials Is Just Part of the Puzzle
Historically, attackers mostly used banking Trojans to steal passwords, PIN numbers, and other banking credentials from victims. Today, this is often only a first step in a multi-pronged strategy.
To begin with, a cyber criminal might gain access to a network with a phishing email with a weaponized lure document that, when opened, initiates the infection chain for Emotet, a modular and highly customizable malware family. Once that Emotet foothold has been established, we’ve observed a number of criminal activities that follow a similar sequence of post-compromise events to include dropping the Trickbot banking trojan onto compromised devices:
- Step 1: Emotet – steal system credentials, establish persistence, enumerate the network and propagate onto other networked devices/drives/servers. Many criminals will then sell the user credentials and the unauthorized network access in Dark Web forums and marketplaces to others who want to penetrate the network even more deeply. Emotet is also commonly used as a conduit for additional banking trojans such as Trickbot.
- Step 2: Trickbot – steal the victim’s banking credentials by injecting into online banking web sessions. Trickbot also has features enabling it to steal credentials from popular online retail and payment applications such as Amazon, eBay, and PayPal.
To maximize profits, many cyber criminals can even take the above compromise and expand on it substantially by deploying the following:
- Cryptominer – drop a miner onto the victim’s device and generate immediate ROI by using the victim’s system processing capabilities (CPU power) to create and harvest digital currency.
- Ransomware – as the final nail in the proverbial coffin for the victim, the bad guys will lock up the victim’s computer and charge ransom for decryption keys. Even if the victim doesn’t pay the ransom, the attackers have already done a fair amount of damage and have profited substantially each step of the way. Receiving a ransom is just icing on the cake.
Your biggest foe? Complacency
The sophistication of these multi-pronged attacks requires cyber security teams to be even more vigilant than in the past. It’s critical to understand that data breaches, for all the attention they receive, represent only one piece of the current cyber crime landscape.
Cyber security teams should identify soft spots in their networks and areas that could be valuable to criminals. For example, last year we provided threat intelligence to Symantec’s incident response team during an engagement with a large organization that found a cryptominer installed on its network. It was stunning that the IT personnel were unconcerned. They did not believe criminals using their CPU processing to generate crypto currency represented a viable threat. However, the IT people became very interested when we explained that the presence of a cryptocurrency miner effectively represented a network intrusion and could be indicative of additional malware they were not aware of. Furthermore, the presence of the cryptocurrency miner could provide a much easier path for the attackers to regain access to their network in the future, as well as potentially destabilize operations due to increased CPU usage.
In the current cyber crime environment, complacency is one of your biggest foes. If cyber security teams identify and effectively remediate a Trickbot infection on their network, they might breathe a sigh of relief that they have addressed the attack and can start determining whose banking credentials may have been compromised. However, given the number of customizable features of current Trickbot malware offerings, they might not realize Trickbot was also used to compromise their RDP servers.
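As an added example (not Symantec's code or tooling), the following Python sketch applies the point above about treating one observed stage as evidence of its likely siblings: it groups constructed alert lines by host and, for each host, lists the chain stages seen, the unseen precursors to hunt for, the stage an intruder is likely to add next, and the follow-up checks the text calls for (such as auditing RDP, VNC and PuTTY credentials after a Trickbot hit). The alert line format, host names and follow-up strings are assumptions.

```python
"""Correlate per-host alerts against the staged commodity-malware chain described above."""
import re
from collections import defaultdict

# Stages of the chain in the order the text describes them being deployed.
CHAIN = ["emotet", "trickbot", "cryptominer", "ransomware"]

# Follow-up checks a responder should run when a stage is observed (assumed wording).
FOLLOW_UPS = {
    "emotet": ["reset harvested system credentials", "hunt for spread to other hosts and shares"],
    "trickbot": ["review online-banking sessions", "audit RDP/VNC/PuTTY credentials and server logins"],
    "cryptominer": ["treat as an intrusion: hunt for loaders and credential theft", "check CPU load"],
    "ransomware": ["isolate host", "verify backups before any restore"],
}

# Constructed sample alerts, one per line: "<timestamp> <host> <malware family>".
SAMPLE_ALERTS = """\
2019-04-02T08:10:11Z ws-017 emotet
2019-04-02T09:42:00Z ws-017 trickbot
2019-04-03T01:05:33Z fs-02 cryptominer
garbage line that should be skipped
"""

ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_alerts(text):
    """Return {host: [family, ...]} in time order, skipping malformed lines."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            _ts, host, family = m.groups()
            per_host[host].append(family.lower())
    return dict(per_host)


def assess_host(families):
    """Map the families seen on one host to seen stages, unseen precursors, next stage, checks."""
    seen = [s for s in CHAIN if s in families]
    if not seen:
        return {"seen": [], "hunt": [], "next": None, "follow_ups": []}
    latest = max(CHAIN.index(s) for s in seen)
    hunt = [s for s in CHAIN[:latest] if s not in seen]          # earlier stages not yet found
    nxt = CHAIN[latest + 1] if latest + 1 < len(CHAIN) else None  # what is likely coming
    follow_ups = [f for s in seen for f in FOLLOW_UPS[s]]
    return {"seen": seen, "hunt": hunt, "next": nxt, "follow_ups": follow_ups}


def assess_all(text):
    """Assess every host present in the alert text."""
    return {host: assess_host(fams) for host, fams in parse_alerts(text).items()}


if __name__ == "__main__":
    for host, report in assess_all(SAMPLE_ALERTS).items():
        print(host, report)
```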
It’s like going to a doctor for a headache and being given some aspirin, while the real problem might be that you need glasses – the headaches may subside, but eventually your vision may become blurred. Symantec provides threat intelligence on the latest attacks that use malware in combination, so if you see one intrusion on your network you know you'd better pay extra attention to the other, related attacks.
By having a greater understanding of the threats, and the most recent threat intelligence, you can harden your network and develop training exercises to help your employees understand how to ward off these threats. You need to work extra hard to keep your network safe, because you’d better believe the Malware-as-a-Service vendors are working just as hard to keep their “customers” – the bad guys – ahead of the latest enterprise security advances.