Limor Kessem
Limor Kessem

Financial malware is a threat that seems to make headlines almost every month. Studies indicate that cybercrime is the only economic crime to have seen an increase this year, rising sharply, and landing the second rank on the list of the most reported economic crimes globally.

A large part of what's defined as cybercrime is facilitated by specialized banking malware, which is operated by cybergangs in different parts of the world. It is due to that reason that many security research and law enforcement organizations alike closely follow the activity of cybercriminal groups, many times by following their malware.

Every year is plagued by unprecedented malware innovation or attack magnitude, but big malware moments in 2016 definitely merit their own retrospective review for shaping and reshaping cybercrime this past year.

The Migrators

As part of my role following cybercrime trends at IBM Security, one of the predictions I had this year was to see malware increase the intensity of its border-breaking progress and move into new, uncharted territories. We definitely witnessed cyber-gangs move or spread their illicit activity to different parts of the globe this year. Let's take a look some of the key moments:

  • January 2016: the Rovnix gang expanded its cybercrime activity to include attacking Japanese banks.
  • That same month, the gang operating the URLZone Trojan started a Japan-based attack hub.
  • In April 2016, we saw a new hybrid Trojan, Goznym, take on a new life and spread to Poland, the US, and Germany, making it the first ever to operate redirection attacks in three different languages.
  • In August, just around the 2016 Rio Olympics, two new Zeus Trojan variations started actively attacking banks and Boleto payments in Brazil. This migration of sophisticated banking malware to Brazil, a territory where most attacks use very simplistic malcodes, came in the shape of cybercrime factions operating a Zeus Panda, and a Zeus Sphinx botnet.

Throughout the year we saw different malware operations try their hand at attacking in different countries. This remains a cyber-gang capability, and right around August 2016 we saw that the crew operating Dridex had set up attack targets in rather unusual places like Latvia, Lithuania, and the Ukraine, to name a few.

The Renovators

Cybercrime is growing fast and evolving at pace, becoming both more aggressive and technically proficient. No one is more aware of this incessant progress than the information security research community who studies the inner workings of malicious codes, making sense of countering their malevolent devises.

Malware of all types became more sophisticated than ever in 2016, mostly due to the monetary investment its developers saw from cybercrime gangs who have the resources to organize such nefarious projects. Most notable, due to its modularity and sophistication, was innovation in banking malware codes.

  • In January 2016 we saw the Dridex gang plan and execute a new attack scheme, bringing redirection attacks to the UK. The redirection scheme was made popular by the Dyre Trojan, but ever since the gang was dissolved, it appears Dridex and GozNym have been closely following in its footsteps. GozNym was first seen to deploy redirection attacks in April, shortly after it emerged.
  • In June 2016: the Gootkit Trojan, a banking malware most known for its attack in France and Italy, showed some intense mending mid-year, aiming to upgrade it stealth and security evasion mechanisms. The same process was evident with anti-research mechanisms that bolstered the URLZone Trojan's walls.
  • August 2016: Dridex, one of the most dominant banking Trojans this year, also saw some internal renovation designed to keep its business private. Dridex's developers continually enhance its code to be more evasive, and its botnet communications more furtive and resilient.

Of course, these are only a couple of examples, albeit the more complex ones. Cybercrime projects everywhere prove to be as fast evolving as they are sly.

Stay tuned to SC's Cybercrime Hub for Part 2 next week.

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.