Cybercrime Tactics & Techniques: Q1 2019
Page 1: Cybercrime Tactics & Techniques: Q1 2019 (source: 66.37.17.106/~dataconnectors/wp-content/uploads/...)

Cybercrime Tactics & Techniques: Q1 2019

Page 2

Key Takeaways

Businesses are still the prime target

Malware

» Emotet shows no signs of stopping

» Ransomware is back in business

» Consumer detections of ransomware died down

» Cryptomining against consumers is essentially extinct

» Adware on Macs and mobile devices was problematic

Exploits

» Exploit authors developed some attention-grabbing techniques

Privacy

» User trust in businesses to protect their data reached a new low

Page 3

MALWARE

Page 4

Business Detections Overview Q1 2019

Quarter    Business     Consumer      Total
Q4 2018    8,959,024    86,542,535    95,501,559
Q1 2019    9,552,414    52,430,762    61,983,176

[Charts: Business Quarter Detections, Consumer Quarter Detections, Total Quarter Detections]

Page 5

Business Detections Breakdown 2019

Share of business detections by family (pie chart):

Trojan Generic, 43.74%

Generic Generic, 14.49%

Machine Learning, 7.92%

Adware Generic, 1.46%

Backdoor Generic, 2.07%

Trojan.MalPack.RV, 4.13%

Ransom.Troldesh, 3.24%

Trojan.Yakes, 1.55%

Trojan.Emotet, 6.53%

Adware.Yontoo, 3.70%

Backdoor.Vools, 3.34%

Page 6

Business Detections Breakdown 2019

Business Detections

Rank  Malware Category            % of Q1 2019 Total  QoQ % (Q1 2019 vs Q4 2018)  YoY % (Q1 2019 vs Q1 2018)
1     Trojan                      49%                 222%                        649%
2     Generic                     11%                 -18%                        111%
3     Adware                      10%                 153%                        375%
4     MachineLearning/Anomalous   9%                  147%                        NEW
5     Backdoor                    5%                  -80%                        485%
6     RiskwareTool                4%                  45%                         56%
7     Ransom                      4%                  189%                        508%
8     Malware                     3%                  NEW                         NEW
9     Hijacker                    1%                  -73%                        -69%
10    Exploit                     1%                  76%                         NEW

Page 7

Business Only Breakdowns by Region

Rank  Asia Pacific    Europe / Middle East / Africa  North America     Latin America
1     Trojan          Trojan                         Trojan            Trojan
2     Backdoor        Generic                        MachineLearning   Generic
3     Adware          Adware                         Generic           Adware
4     Ransom          RiskwareTool                   Adware            MachineLearning
5     Malware         MachineLearning                Ransom            RiskwareTool
6     Exploit         Backdoor                       Malware           Backdoor
7     Generic         Hijacker                       RiskwareTool      HackTool
8     RiskwareTool    MisplacedCertificate           Backdoor          Ransom
9     Virus           HackTool                       Spyware           Worm
10    HackTool        Worm                           Hijacker          Spyware

Page 8

Trojan Malware

Emotet & Trickbot Update

» Emotet: Spike in detections during mid-to-late January, with detections rising until early March

» Trickbot: Low detections throughout Q1, likely still being used as a secondary payload

[Chart: Emotet & Trickbot Detections Q1 2019; weekly detections from 12/3 to 3/18, y-axis 0 to 80,000; series: Emotet, Trickbot]

Page 9

Ransomware

Overview

» Huge spike in ransomware against businesses in Q1

» Continued drop in ransomware for consumers

Troldesh

» Ransomware family dating from 2014

» Campaign involved spreading phishing e-mails with zipped JavaScript attachments

» Possible association with Russia based on the ransom note

[Chart: Troldesh Ransomware Activity Q1 2019; detections from 12/31 to 3/16, y-axis 0 to 120,000; series: Business, Consumer; labelled data points: 62,543; 111,895; 13,531; 13,520; 48,891]

Ransomware   Q1 2019   Q4 2018   % Change vs Q4 2018   Q1 2018   % Change vs Q1 2018
Business     355,876   120,578   195%                  57,308    521%
Consumer     482,908   538,116   -10%                  716,905   -33%
Total        838,784   658,694   27%                   774,213   8%

Page 10

Ransomware: Troldesh Lock Screen

Page 11

Mac Malware

Open-Source Python

» Increase in use of open-source Python code for malware & adware

» Both malware and adware are using the Python tool mitmproxy to snoop on network traffic

launchd property list (plist) that runs an obfuscated inline Python payload when loaded; the base64 string is truncated on the slide:

    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.xpnsec.escape</string>
    <key>ProgramArguments</key>
    <array>
    <string>python</string>
    <string>-c</string>
    <string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aWN…pKQ=='));</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    </dict>
    </plist>

Figure 19. Code snippet of obfuscated Python code
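As an added defender-side example (not code from the report or from Malwarebytes), the check below parses a launchd plist like the one above with the standard-library plistlib and flags the pattern the slide shows: an interpreter invoked with -c on a string that decodes and exec()s base64. Both sample plists, their labels and the payload string are constructed placeholders.

```python
import os
import plistlib
import re

# Constructed sample modelled on the launchd plist on the slide. The label and
# the base64 payload ('QUFB' decodes to 'AAA') are placeholders, not real indicators.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.placeholder</string>
<key>ProgramArguments</key><array>
<string>python</string><string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('QUFB'));</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign sample: a plain binary with ordinary arguments and no inline script.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "osascript", "sh", "bash", "zsh"}
INLINE_FLAGS = {"-c", "-e"}  # "treat the next argument as source code"
# Decode-and-execute idioms seen in the slide's payload, plus common hex-escape obfuscation.
OBFUSCATION = re.compile(r"b64decode|exec\(|eval\(|filterwarnings|fromhex|\\x[0-9a-f]{2}", re.I)

def triage_launchd_plist(raw: bytes) -> dict:
    """Parse one LaunchAgent/LaunchDaemon plist and report why it looks suspicious."""
    plist = plistlib.loads(raw)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    reasons = []
    interpreter = bool(args) and os.path.basename(args[0]) in INTERPRETERS
    inline = any(a in INLINE_FLAGS for a in args[1:])
    markers = sorted({m.lower() for m in OBFUSCATION.findall(" ".join(args[1:]))})
    if interpreter and inline:
        reasons.append(f"{args[0]} runs an inline script via {'/'.join(a for a in args[1:] if a in INLINE_FLAGS)}")
    if markers:
        reasons.append("obfuscation markers: " + ", ".join(markers))
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad persistence")
    # Inline interpreter code or decode-and-exec markers are the signal; RunAtLoad alone is normal.
    return {"label": plist.get("Label"), "suspicious": (interpreter and inline) or bool(markers), "reasons": reasons}
```

Run it over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons to triage persistence entries; hits should be reviewed by hand, since legitimate agents occasionally run short inline scripts.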

Page 12

EXPLOITS

Page 13

2019 Vulnerabilities … So Far

Flash Zero Day

» Discovered this exploit being used by the Underminer exploit kit only days after the CVE was released

» Also discovered in the Fallout and Spelevo exploit kits

WinRAR Exploit

» Newly discovered exploit for the archiving utility, targeting a 19-year-old vulnerability

» Can be used to automatically add malicious files to the Startup folder, so the malware starts on reboot

Chrome Zero Day

» Severe vulnerability found; applying the update requires user interaction

» Google is now restricting third-party code injection capabilities

Page 14

PRIVACY

Page 15

Malwarebytes Privacy Survey 2019

Respondents care about their security:

» Care about protecting personal info online (96%)

» Take steps in protecting their online data (97%)

» Refraining from sharing sensitive data online (94%)

» Using Security Software (93%)

» Running updates regularly (90%)

» Verified websites before making a purchase (86%)

Respondents do not trust third parties:

» Distrust Social Media (95%)

» Distrust toward Search Engines (34%)

» Confidence in sharing personal data online (87% Disagree)

» Do not share any personal information online (59%)

Between January 14 and February 15, Malwarebytes surveyed individuals across 66 countries—from the UK to the US, from Malaysia to Mexico, from India to Ireland—asking about their online privacy beliefs and cybersecurity practices.

N=~4,000

Page 16

Malwarebytes Privacy Survey 2019

Respondents don’t cover all bases:

» Skimming or not reading the EULA & consent forms (66%)

» Using same password across multiple sites (29%)

» Not knowing which permissions apps have access to on mobile devices (26%)

Generational Breakdown:

» Feel confident in sharing their personal information online:

» Generation Z – 76% disagree or strongly disagree

» Millennials – 83% disagree or strongly disagree

» Generation X – 85% disagree or strongly disagree

» Baby Boomers – 89% disagree or strongly disagree

Page 17

PREDICTIONS

Page 18

Predictions

SMB Threats Increase due to Eternal Functionality

» Eternal exploits (EternalBlue / EternalRomance / etc.) are being added to more families of malware

» With these capabilities, targeting SMBs offers a greater ROI for attackers

Ransomware evolution will continue

» Increased ransomware activity against businesses shows renewed interest by cyber criminals

» 2018 showed lots of evolution for families like GandCrab, so we will see it again

New Vulnerabilities will be discovered and weaponized

» As we saw with the zero-day Flash exploit, attackers weaponize and deploy vulnerabilities quickly

» With more focus on vulnerability research by attackers, we are likely going to see more weaponized exploits

Page 19

Conclusion

Increasingly advanced and dangerous malware families are being developed every day

» Behavioral detection technologies are the best way to combat these threats:

» Anti-exploit technology

» Anti-ransomware technology

» Machine Learning

Be resilient! Plan for response, not just prevention

» Segmenting data, networks & credentials based on need and sensitivity of the data

» Rollback functionality

» Endpoint isolation

Privacy concerns require that organizations prioritize security

» Protection of user data is going to be paramount

» Convenience, security and privacy rarely meet all at once, but we can create secure privacy with today’s technologies integrated to allow security professionals to see across the data ecosystem

Page 20

Create A Cyber Resilient Organization

Page 21

Who Am I?

Helena Winkler

Over 20 years of hi-tech B2B enterprise product marketing experience

Passion for protecting businesses from cyberattacks

Cybersecurity expertise includes endpoint protection & remediation, email and database security.

Connect with me: LinkedIn.com/in/HelenaWinkler

Page 22

Making sense of the security mess

81% of CISOs state that security hinders productivity

73% of organizations are not cyber resilient

60% of security software is shelfware

Page 23

Rethinking your approach to security

Protection + Remediation = Resilience

Page 24

A new approach to endpoint security

Adaptive Cyber Protection: Multi-layer, machine learning powered threat detection that secures user productivity without slowing the endpoint

Active Threat Response: Threat isolation, remediation and investigation that delivers endpoint resiliency at a fraction of the cost of reimaging

Enterprise Endpoint Orchestration: Cloud managed security, extensible to leverage existing security technologies, increasing security ROI

Page 25

Malwarebytes: The Most Trusted Name in Security

BY THE NUMBERS

3M remediation events per day

500k downloads per day

Blocking 8.8M threats every day

INNOVATION

Including:

» Behavioral identification of ransomware

» Machine Learning techniques

» Fileless attack detection

8 patents + 10 pending

30+% growth Y-Y, 35% R&D spend

Global Research Team

BUSINESS CUSTOMERS

60,000 Business Customers

ACCOLADES

Gartner positions Malwarebytes in the Visionary quadrant of the 2018 Magic Quadrant for Endpoint Protection Platforms

“Strong Performer” in the 2018 Wave report for Endpoint Security Suites

Page 26

Try Now: malwarebytes.com/business/trial

Learn More: malwarebytes.com/business

See What Others Miss: malwarebytes.com/remediationmap

Let’s Take Your Questions

Page 27

Thank You!
