2017 was a year that saw quite the extremes in regards of malware, particularly ransomware and banking Trojans. Several malware families, however, stand out in the abundance of malicious attacks.
Locky Ransomware
Locky ransomware first emerged in February 2017. Since then, several iterations have been developed and released in the wild. It’s widely accepted that Locky was deployed by the gang behind the notorious Dridex.
Then, Locky Ransomware 2.0 landed in the spring of 2017 via the Nuclear exploit kit. Several months passed before the next version of Locky appeared – the one using the .odin extension.
October 2017 met two of the most damaging iterations of Locky, both released hours apart from one another. Thousands of users had their files locked by Locky’s .thor and .shit iterations. Then, in November, two new updates of the crypto family were released: .aesir, followed by the .zzzzz file extension virus.
All iterations of Locky described here share many similarities and are primarily distributed in spam campaigns or on social networks such as Facebook.
Cerber Ransomware
Cerber emerged in March 2016, almost at the same time with Locky. The first variant added the .CERBER extension to encrypted files. However, victims of this first Cerber edition were kind of lucky as a decrypter was released making it possible for victims to restore their data.
In August 2017, Cerber2 was coded, mostly known as the .cerber2 iteration. Victims said that Cerber2 didn’t target temporary files (.tmp), which enabled the process of recovery of recent .doc and .xls files simply by opening their .tmp counterparts.
Not much time passed before Cerber3 appeared, largely referred as the .cerber3 iteration. Researchers noted that the crypto virus used malware obfuscators to hide its files from real-time protection and firewalls.
In October, the Cerber README.hta file version arrived, followed by several other updates. November also saw an uptick in Cerber campaigns. Cerber 4.1.0, 4.1.1, 4.1.4, 4.1.6, 5.0.1, Cerber Ransomware _README_{RAND}_.hta.
Dharma Ransomware
Dharma is a new ransomware family that is closely associated with Globe and CrySis crypto viruses.
Dharma has been using the [email protected] e-mail for contact with its victims. Dharma encrypts files on targeted systems and then appends the .dharma file extension along with a unique identifier to them. A later version of the ransomware was reported to use the .wallet file extension.
After encryption, Dharma typically extorts the users of the infected machine to make a payment and recover the .dharma files. Users should be extra cautious as Dharma is still making rounds in the wild, along with Locky and Cerber.
TrickBot Banking Trojan
TrickBot is a relatively new banking Trojan suspected to be a close relative of the old and well-known Dyre. According to researchers at Fidelis Cybersecurity, TrickBot, detected in September 2016, shares many similarities with Dyre.
The Dyre operation was discontinued in November 2015 when Russian authorities raided a Moscow film distribution company. It took some more time for Dyre campaigns to discontinue, but the level of spam spreading Dyre started to decrease after the intervention of the Russian authorities.
Alice ATM Malware
Alice is the name of the latest ATM malware family disclosed by researchers at TrendMicro. Alice ATM malware differs from other ATM malware families as it is not controlled via the numeric pad of ATMs and it doesn’t feature infostealer capabilities. The only purpose of this ATM malware campaign is to cash out ATMs.
Alice was discovered in November 2016. During the course of research, the experts collected a list of hashes. The files corresponding to the hashes were taken from VirusTotal for further analysis. It was initially thought that one of the binaries belonged to a new variant of the Padpin ATM malware. One reverse analysis later, and researchers were sure that the binary beloned to a brand new family. Alice.
Acecard Android Banking Trojan
Acecard is definitely one of the worst banking Trojans targeting Android last year. First detected in 2014, Acecard is a perfect example of how malware develops gradually to become devastating to its victims. In the beginning, Acecard was not that complicated at all – a sniffer targeting and collecting personal information. Collected data was typically sent to the corresponding command and control server.
Acecard later proved that its developers not only didn’t give up on their code but they also continued to develop its capabilities making it more disastrous. Acecard shortly became a very effective phishing tool.
RIG Exploit Kit
The exploit kit landscape drastically changed during the course of 2017.
An eminent malvertising incident happened in the autumn of last year on the popular website answers.com.The incident was quite similar to Angler and Neutrino’s ways of exploit but it was in fact RIG EK behind everything. The EK used the domain shadowing technique and the HTTPS open redirector from Rocket Fuel, researchers said.
Malware Don’t Need Coffee (MDNC) observed a mid-August transition of many malicious operations towards the RIG exploit kit. The campaigns were primarily distributing geo-focused banking Trojans, not CryptXXX ransomware as seen in previous cases. During his research, MDNC also came across a (possibly) new exploit kit, known as the Empire Pack EK.
OSX.Pirrit Mac Malware/Adware
The summer of 2017 saw quite the damaging malicious adware targeting Apple machines.
Pirrit Adware (Adware.Pirrit, Adware: Win32/Pirrit) was not new to the malware scene as it was previously detected targeting Windows in 2014. The adware was later re-written for Mac. Security analysis revealed that OSX.Pirrit was more complicated than initially thought. The malware didn’t just flood the victim’s browser with ads but it could also obtain root access to the targeted system. Shortly said, the Mac variant turned out to be worse than the Windows one.
Plus Network Browser Hijacker
Plus Network is the perfect example of a browser hijacker that persists and continually affects victims’ browsers. Its infections continued to grow throughout 2017.
How do users get infected? Plus Network usually hides within third-party install setups. This hijacker might install and hijack the victim’s browser apps without their knowledge or consent. The method is called bundled installations. To prevent bundled downloads from happening, users should check for Custom or Advanced settings to deselect unwanted software.
The Plus Network hijacker could sneak into one’s system via suspicious advertisements, such as pop-ups or banners, or from visiting dubious websites. It’s highly probable for such websites to be partnered with the PlusNetwork hijacker program. All popular browsers can be affected.
Doxware
What does doxware mean? The word comes from the term doxing, or the activity of exposing files that are sensitive to someone. This is essentially the purpose of the doxware, but in 2017 it was detected working in combination with ransomware. Instead of encrypting files, the malware writers focused on the private files of users, threatening to leak them to friends on social media or sell them online, unless a ransom was paid. This tactic was deployed by Epic ransomware and all variants of Jigsaw.
Considering the intensity and high infection rate of malware in 2017, users should not neglect their online security in 2017. Always remember to keep all of your software fully patched and prioritize security updates. Also, keep your operating system protected at all times with the help of a strong anti-malware program.