Threat Management, Threat Management, Malware, Ransomware

Cryptojacking, coin-mining malware, new smaller dark web marketplaces rise in 2018

A continued rise in cryptojacking and growth in coin-miner malware returned to unprecedented levels after a temporary slowdown in the second quarter of 2018 highlight the trends in McAfee Advanced Threat Research’s December report.

Analyzing threats that emerged in the third quarter, the report cited two new exploit kits: Fallout and Underminer. “Fallout almost certainly had a bearing on the spread of GandCrab, the leading ransomware,” commented McAfee chief scientist Raj Samani.

Five years ago after McAfee published the report “Cybercrime Exposed,” which detailed the rise of cybercrime as a service, exploit kits today afford anyone the opportunity to easily and cheaply enter the digital crime business, Samani added.

Disappearing during 3Q was Olympus Market, a dark web marketplace that quickly emerged as a popular hacker destination in the wake of the takedown of the Hansa and AlphaBay markets. McAfee speculated that Olympus’ disappearance might have been spurred by an exit scheme initiated by its administrators to steal money from their own vendors and customers.

Another trend during the quarter observed by McAfee was several individual sellers moving away from large markets and opening specific marketplaces to building trusted relationships with customers.  

Monitoring of underground forums revealed that cybercriminals are eager to weaponize both new and old vulnerabilities. In regard to credit card-stealing malware targeting e-commerce sites, McAfee noticed that large-scale credit card theft has shifted from point-of-sale systems to third-party payment platforms on
large e-commerce sites.

Underground markets that sell remote desktop protocol (RDP) access appear to pop up in geographic areas where credit-card data had been recently stolen. Cybercriminals are also increasingly using RDP to access to hacked machines with logins to computer systems worldwide, ranging from home to medical to even government systems.

Ransomware-as-a-service developers are forming strategic partnerships, noted McAfee, citing the alliance between GandCrab partnering with the relatively new crypter service NTCrypt, which had won a crypter contest, which gave way to the criminal venture.

The size of ransom payment demands increased; GandCrab Version 5 requires the victim to pay $2,400 for the decryption key, whereas past versions required $1,000.

“Coin miner” malware grew more than 4,000 percent in 2018, and the number of coins mined as the result of malware attacks went from 2.5 million in both the first and second quarters this year to nearly 4 million in the third quarter, estimates McAfee.

Here’s some good news: new mobile malware declined by 24 percent in Q3, and
McAfee mobile security customers reported 36 percent fewer infections in the quarter. The bad news is that mobile malware anecdotally still wreak havoc. For example, TimpDoor infected at least 5,000 Android devices, spread via phishing, using text messages to trick victims into downloading and installing a fake voicemessage app that allows cybercriminals to use infected devices as network proxies without users’ knowledge.

During the quarter, McAfee saw an uptick in banking malware with uncommon file types used in spam campaigns that bypassed email protection systems.

“Adversary groups sponsored by the Russian government conducted several operations during Q3,” McAfee believes. The most active during this period were the groups APT28, Dragonfly, and Sandworm, which targeted government, laboratory, energy, and military sectors, the report stated.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.