Linux IoT, Android and MacOS expected in 2017, SophosLabs

The attacks that took place and malware spotted during last several months of 2016 were a harbinger of things to come in 2017, with more IoT attacks, Mac products being targeted and more Android malware.

SophosLabs 2017 Malware Forecast, released today at RSA 2017, noted that while any type of prognostication is never perfect, it is possible to project a few areas that will be of concern.

“But it's a fair bet that Android and MacOS devices will continue to be heavily targeted, given the success attackers have had thus far. We expect exploits against vulnerable IoT technology to continue on an upward trajectory, with attackers emboldened by the success of campaigns like last October's Mirai assault against Dyn,” the report stated.

The report highlighted that cybercriminals are now exploiting various Linux vulnerabilities in order to gain control of IoT devices to launch DDoS attacks.

SophosLabs researchers spotted the Linux/DDoS-BI malware family, also known as Gayfgt, becoming much more active during the tail end of 2016, a period that coincided with the massive Mirai attacks. This malware scans large IP blocks while attempting to brute-force Secure Shell (SSH) logins. The tactic lets the malicious actors find weaknesses such as default passwords and out-of-date versions of Linux, and take advantage of the general lack of encryption used with IoT gadgets.
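The SSH brute-force pattern described above, shown from the defender's side as an added example (not code from the SophosLabs report): a small detector that parses sshd auth-log lines and flags a source that sweeps several usernames in a short window, then notes whether an accepted login followed the sweep. The log lines are constructed samples in the syslog format assumed for a typical Linux sshd; the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the report): 198.51.100.7 shows the
# scanner pattern, many failures across default account names then a success
# on a weak password; 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_AUTH_LOG = """\
Nov 14 03:12:01 iot-gw sshd[2211]: Failed password for root from 198.51.100.7 port 41022 ssh2
Nov 14 03:12:02 iot-gw sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Nov 14 03:12:02 iot-gw sshd[2215]: Failed password for invalid user pi from 198.51.100.7 port 41034 ssh2
Nov 14 03:12:03 iot-gw sshd[2217]: Failed password for invalid user support from 198.51.100.7 port 41040 ssh2
Nov 14 03:12:04 iot-gw sshd[2219]: Failed password for root from 198.51.100.7 port 41048 ssh2
Nov 14 03:12:05 iot-gw sshd[2221]: Accepted password for root from 198.51.100.7 port 41052 ssh2
Nov 14 03:15:40 iot-gw sshd[2300]: Failed password for alice from 192.0.2.9 port 50122 ssh2
Nov 14 03:15:52 iot-gw sshd[2302]: Accepted publickey for alice from 192.0.2.9 port 50123 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
def parse_sshd_log(text, year=2016):
    """Yield (timestamp, result, user, ip) for each recognised sshd line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            yield ts, m["result"], m["user"], m["ip"]

def find_ssh_bruteforce(text, max_failures=4, window_s=60, min_users=2):
    """Flag sources with more than max_failures failed logins inside window_s
    seconds against at least min_users usernames; record a later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_sshd_log(text):
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u in burst}
            if len(burst) > max_failures and len(users) >= min_users:
                # An accepted login after the burst suggests the sweep found a
                # default or weak credential: treat the host as compromised.
                last_fail = burst[-1][0]
                flagged[ip] = {"failures": len(burst), "users": sorted(users),
                               "success_after": any(t > last_fail for t, _ in successes[ip])}
                break
    return flagged
```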

The increased usage of Linux/DDoS-BI is a sure sign of its effectiveness.

“In terms of frequency, cases of Linux/DDoS-BI have steadily increased since October, with brief drop-offs along the way. It is proving to be resilient. For example, more than a hundred cases were observed by late October, and the count was up to around 150 by mid-November. By mid-December it was over 200, and it was up to around 466 the week of January 20 before slightly dropping again,” the report stated.

The report also noted that Android malware hit a five-year high in 2016, with SophosLabs systems processing more than 8.5 million suspicious Android apps, half of them malware or potentially unwanted applications such as adware.

“When we look at the top 10 malware families targeting Android, Andr/PornClk is the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%),” the report stated.

As for Mac attacks, SophosLabs noted that while Mac malware is still rare, the platform is far from immune to attack. Just recently researchers at Synack identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers instead of Windows-based machines.

SophosLabs described the Mac malware it has spotted as technically adept at avoiding detection and likely intended to exfiltrate data or provide remote access to unauthorized personnel, but noted that this is changing.

The company is keeping a particular eye on OSX/KeRanger-A, which lets a cybercriminal run ransomware originally designed for use against Windows against Macs. The malware can:

  • Trick you into opening a file you are inclined to trust.

  • Install and run the ransomware program.

  • Call home to one of a list of control servers for an encryption key.

  • Scramble files in your home directory and on currently mounted volumes, adding the extension .encrypted to each one.

  • Put a file called README_FOR_DECRYPT.txt in every directory where a file was encrypted.