Limor Kessem
Limor Kessem

Poisoned macros, exploit kits, fake fax messages, or alarming notices… Cybercriminals all too often find a way to make victims click on their Pandora's Box and infect them with banking Trojans or ransomware. The first quarter of 2016, 65.89% of malware infections were Trojans, which are the most powerful information stealers available to financially motivated criminals nowadays, but there's more.

Malware statistics gathered during 2013-2015 indicate that 431 million new malware variants were added to the pre-existing pool of malware strains[1] within that period. The crimeware arena is replete with malware families, mutants, and new strains that only grow more varied every year.

With a never-ending flurry of new malware families, offspring, and hybrids, how does one zoom out to see the bigger picture? To help you make sense of the mayhem, here are the three and a half top crimeware trends to watch for in 2017.

1. The Banking Trojan Gangs

With a banking Trojan on your endpoint, your PC is no longer yours – it belongs to a fraudster”.

In this department we face powerful stealthy malware that was designed to enable and even automate the process of fraudulent online banking transactions. As a side job, banking Trojans often steal payment card information and access to other accounts the victim holds.

In 2017, the top contenders to watch for are: TrickBot, Dridex, and Gozi-related crews. These gangs are the most likely groups to inflict heavy duty damage on banks and their customers, with a special focus on businesses.

Take Dridex for example. In 2016, this malware's operators engaged in a variety of cybercriminal endeavors that included:

  • Launch and distribution of the Locky ransomware and attacking hospitals with it.

Cybercrime gangs often do business with one another, copy attack methods, and follow predecessors into new territories. We would be wise to keep an eye out for newcomer TrickBot in 2017, which is already known to have ties to a major gang that operated the Dyre Trojan.

2. The Refurbished Zeus Peddlers

On the sidelines of gang-operated banking Trojans there are small-time developers who can never get enough of the old Zeus code, and keep bringing it back to life in re-baked versions of their own.

Although there is a limit to the innovation or sophistication here, Zeus v2 is still a tested and true malcode and it is used by many cybercriminals who purchase it in the underground and then amass new botnets with it. Proliferation of these commercial Zeus remakes made some headlines in 2016 when Zeus Panda and Zeus Sphinx started showing up in Brazil, right on time for the Rio Olympic games, or FlokiBot that emerged in late Q3-2016.

One would think that this is not a trend to watch for, but I argue that it is. Zeus and Zeus-derived banking Trojans have been occupying the very top rank on the global most active malware list since Q2-2016.  That list was previously ruled by organized cybercrime overlords such as Dyre and Dridex, which makes Zeus-based malware an issue we must deal with even if its power is in its numbers.

3. The Bank Heist Bunch

Somewhere in mid-2014, a nefarious cybercrime gang was ready to move its targeted attacks on banks to the active phase. Using the Anunak malware, alongside custom-made tools and wares, the criminals managed to penetrate the systems of over 50 banks and steal millions of dollars from each one. In some cases, the attacks were so dire that the banks were forced to give up their banking license and go out of business.

By early 2015, the gang, which was never captured, managed to take its attacks to the next level. This time they targeted 100 banks in a notorious billion dollar heist known as the Carbanak case. With the gang still on the loose, new cases discovered in 2016 made it clear to the banking sector that the immense greed driving such cybercriminal groups is hungry for more. Enter the SWIFT cases in which banks lost dozens of millions of dollars in a matter of days, and incurred unprecedented Interbank fines. And… in October 2016, the Odinaff Trojan used in new campaigns targeting the SWIFT system unearthed links to the infamous Carbanak gang.

The technical masterminds behind these targeted attacks were never captured, and while they may change their targets geographically, and choose different systems to compromise, chances are we will be seeing other disconcerting heists from Carbanak and similar groups in 2017.

3½. The Malware-less Remote Access Ghosts

In this last trend for 2017, I want to note a phenomenon that does not include a proper banking Trojan in itself, but that has nonetheless been plaguing consumers with malware-less fraud designed to rob their online banking accounts and e-wallets. What I'm referring to here are attacks leveraging legitimate remote control software.

Although the software used in these attacks is inherently legitimate, and not similar to Trojans like Dridex or TrickBot, the attacks that abuse it are just as dangerous, if not more, because they're harder to detect.

The essence of the malware-less ghost attacks, which have been used in the past in espionage, emptying bank accounts, and spreading malware to user machines, is remotely controlling endpoints that have a remote access tool installed on them, without the user's knowledge.

In reported instances, the attacker suddenly logs into the software, checks the victim's time zone, and then plans on the right moment to hit. Nowadays, with many people leaving their endpoint on all day, or while away from it for extended periods of time, the window of opportunity is larger than ever.

Once the attacker is in, they browse to the victim's bank/e-wallet/other accounts, and drain the accounts by buying gift cards, or transferring money to an account they control. The cases where such attacks were successful were disconnected from a breach on the vendor's end, and some victims had 2-factor authentication activated on certain accounts. Interesting.

So, here's why this trend worries me for 2017: it has been flying under the radar since 2015 even though was connected with the worst malware we know to date.

I believe that we have here is malware stealing the victim's credentials, but also getting information about programs installed on the endpoint (or even installing it itself). Then step two is when the attacker activates the remote access tool, using legitimate software particularly because it is much less likely to get detected as a malicious. With the victim's passwords, transactions originating from the genuine device are all that more likely to succeed.

In a second, less sophisticated breed of this attack, there's a social engineering ploy targeting consumers with a tech support scam that installs remote access on their endpoint, and eventually robs their account with/without the additional use of malware.

Make 2017 a Losing Year for Cybercrime

While it is true that every year we see malware innovation and new tricks from cybercriminals, most of the time the potential victim can apply the same security practices to avoid letting them in. Just by expecting and preparing for these top trends in 2017, we can make them fail more often than they succeed and start turning that dial on cybercrime!



[1] Global number of new malware variants added annually from 2013 to 2015