Malware once used exclusively for bank fraud is finding a new mission
Attackers who once relied on malware exclusively to initiate financial fraud are finding that it also can be used to pillage intellectual property, researchers have found.
In the last quarter of 2012, McAfee found that attackers were increasingly using data-stealing trojans, such as Citadel, historically used to capture bank account login credentials, to mine for information inside government agencies, manufacturing firms and other industries that provide critical support to the economy.
On Thursday, the findings were released in the security firm's “McAfee Threats Report: Fourth Quarter 2012.” The study found that the prevalence of password-stealing trojans grew 72 percent last quarter, compared to the prior quarter.
Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com on Thursday that a prime example of this trend was showcased by the Poetry Group, a collective of hackers that has been using the Citadel trojan to target government offices worldwide since October.
In several campaigns, attackers compromised 27 locations in Japan and 43 offices in Poland; there were also victims in Denmark, Sweden, Spain, the Netherlands, Estonia, the Czech Republic and Switzerland.
“Primarily, the key themes of quarter four are more of the targeted attacks and economic sectors being targeted outside of just the financial industry,” Sherstobitoff said. “Before, more of the trojans were pointed toward banking, but now those are being repurposed to steal other information.”
Sherstobitoff added that reusing existing malware cuts costs for underground groups, which have typically dedicated ample time and money to developing new malicious code.
“Why build a piece of custom malware when you can repurpose an existing advanced trojan with all of those data-stealing capabilities?” Sherstobitoff said. “It's basically cutting out their operating costs. They can quickly buy Citadel and get to market sooner, as opposed to building something really specific for their targets. And in the case of the Poetry Group, they were rather successful in targeting their victims.”
Asked whether attackers would focus more effort on using trojans to steal data from critical infrastructure companies, such as oil, gas, power and water treatment facilities, which the government has increasingly named as sectors vulnerable to cyber attacks and which are addressed in part by President Obama's recently issued cyber security executive order, Sherstobitoff said it is “certainly possible,” though those sectors are not yet a priority for attackers.
The report also found a resurgence in malware targeting the master boot record (MBR), the first sector of a hard drive, which holds the bootstrap code and partition table the machine needs to start. McAfee found nearly 600,000 variants in the fourth quarter, a new record. Some well-known malware, such as Shamoon, has overwritten the MBR, rendering infected machines unbootable.
Going forward, McAfee expects to see more attack vectors targeting the MBR, as well as the Android platform for mobile users. The firm found that Android-based malware samples jumped 85 percent last quarter.
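The report describes MBR-targeting malware but not how to detect it. The following is an added example, not code from McAfee or this article, showing one integrity check a defender can run against the first sector: verify the 0x55AA boot signature, parse the four partition entries, and compare a hash of the 446-byte bootstrap code against a baseline recorded when the machine was provisioned. The sample sectors and the baseline below are constructed here for illustration; `build_mbr`, `check_mbr` and `BASELINE_SHA256` are names chosen for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four
    (status, type, lba_start, sector_count) tuples.

    Used here only to construct sample sectors; a real check reads the
    sector from the disk device instead (e.g. the first 512 bytes of
    /dev/sda on Linux, which needs root).
    """
    if len(boot_code) > 446 or len(partitions) > 4:
        raise ValueError("bootstrap code <= 446 bytes, at most 4 partitions")
    # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte first sector into bootstrap code, partition
    entries and a flag saying whether the boot signature is intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches
    the provisioning-time baseline and still looks bootable."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or wiped")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_sha256:
        findings.append("bootstrap code hash differs from baseline: " + digest[:16])
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition is flagged active/bootable")
    return findings


# Constructed sample data (not a disk image from any real system).
# A "known-good" sector with one active NTFS-type partition at LBA 2048.
GOOD_BOOT_CODE = b"\xEB\x3C\x90" + b"\x90" * 443
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, PARTITIONS)
# In practice this hash is recorded once at provisioning and stored off-host.
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR[:446]).hexdigest()

# Bootkit-style tampering: partition table untouched, bootstrap code replaced.
BOOTKIT_MBR = build_mbr(b"\xFA\x33\xC0" + b"\x90" * 443, PARTITIONS)
# Wiper-style tampering: the whole first sector overwritten with filler.
WIPED_MBR = bytes([0xD5]) * SECTOR_SIZE

if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("bootkit", BOOTKIT_MBR), ("wiped", WIPED_MBR)]:
        print(name, check_mbr(sector, BASELINE_SHA256) or "OK")
```

The hash covers only the bootstrap code, not the partition table, so a legitimate repartition does not trigger an alert while replaced boot code does; a wiped sector trips all three checks at once. The baseline must live somewhere the malware cannot rewrite, otherwise a wiper that also destroys the baseline leaves nothing to compare against.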