Business Daily Media

Log4j opening doors for new attacks while ransomware and RAT attacks on decline

  • Written by Jakub Kroustek, Avast Malware Research Director

Researchers also observed the resurrection of Emotet, increased coinminer activity as Bitcoin prices rose, and an increase in technical support scams, Android subscription scams and spyware

Avast, a global leader in digital security and privacy, released its Q4/2021 threat report, revealing immediate exploitation of the Log4j vulnerability by coinminers, RATs, botnets, ransomware, and APTs in December, putting CISO departments under pressure. Furthermore, Avast’s threat researchers observed the revival of the Emotet botnet and a 40% rise in coinminers, posing risks for consumers and businesses alike. The Q4 findings likewise show an increase in adware and technical support scams on desktop, and in subscription scams and spyware on Android devices, all targeting consumers. At the same time, Avast saw less ransomware and remote access trojan (RAT) activity.

“Towards the end of the year, the extremely dangerous, ubiquitous, and easy to abuse Log4j vulnerability made CISO departments sweat, and rightly so, as it was weaponised by attackers spreading everything from coinminers to bots to ransomware,” said Jakub Kroustek, Avast Malware Research Director.

“On the other hand, we are happy to report decreases in RAT, information stealer, and ransomware attacks. RAT activity died down thanks to the holidays, with bad actors even going as far as copying the DcRat remote access trojan and renaming it ‘SantaRat’. We saw a slight decrease in information stealer activity, likely due to a significant decrease in infections through the password and information stealer Fareit, which dropped by 61% vs. the previous quarter,” noted Jakub Kroustek. “The havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies, and security vendors to hunt down ransomware authors and operators, and we believe all of this resulted in a significant decrease in ransomware attacks in Q4/2021. The ransomware risk ratio decreased by an impressive 28% compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite.”

Cybercriminals attacking businesses via Log4j vulnerability and via RATs abusing Azure and AWS 

The vulnerability in Log4j, a Java logging library, proved extremely dangerous for businesses because of the ubiquity of the library and the ease of exploitation. Avast researchers observed coinminers, RATs, bots, ransomware, and APT groups abusing the vulnerability. Various botnets abused the vulnerability, including the infamous Mirai botnet. Most bot attacks were just probes testing the vulnerability, but Avast also noticed numerous attempts to load potentially malicious code. For instance, some RATs were spread using the vulnerability, the most prevalent of which were NanoCore, AsyncRat and Orcus. A low-quality ransomware, called Khonsari, was the first ransomware the researchers saw exploiting the vulnerability.

In addition to exploiting the Log4j vulnerability to spread RATs, cybercriminals exploited CVE-2021-40449, a Windows kernel driver vulnerability used to elevate the privileges of malicious processes. Attackers used this vulnerability to download and launch the MysterySnail RAT. Moreover, a major driver of the high NanoCore and AsyncRat detections was a malicious campaign abusing the cloud providers Microsoft Azure and Amazon Web Services (AWS). In this campaign, attackers used Azure and AWS as download servers for the malicious payloads they used to attack businesses.

Moreover, Avast researchers saw the bad actors behind Emotet rewrite several of its parts, reviving their machinery, and taking the botnet market back with the latest Emotet reincarnation.

Adware, Coinminers, and Tech Support Scams Targeting Consumers

Desktop adware and rootkit activity increased in Q4/2021. Avast researchers believe these trends are related to the Cerbu rootkit, which can hijack browser homepages and redirect site URLs according to the rootkit’s configuration. Cerbu can therefore easily be deployed and configured as adware, annoying victims with unwanted ads, and it is also capable of adding a backdoor to victims’ machines.

As the Bitcoin price increased at the end of 2021, the number of coinminers spreading increased by 40%, often via infected web pages and pirated software. CoinHelper was one of the prevalent coinminers very active throughout Q4/2021, mostly targeting users in Russia and Ukraine. Coinminers stealthily abuse a user’s computing power to mine cryptocurrencies, which can cause high electricity bills and shorten the lifespan of the user’s hardware. Additionally, CoinHelper harvests various information about its victims, including their geolocation, the antivirus solution they have installed, and the hardware they are using. Despite observing multiple cryptocurrencies configured to be mined, including Ethereum and Bitcoin, Monero stood out to Avast researchers in particular. Monero is designed to be anonymous; however, the incorrect use of addresses and the mechanics of how mining pools work enabled the researchers to gain deeper insight into the malware authors’ Monero mining operation. They found that the total monetary gain from the CoinHelper coinminer was over $485,000 AUD ($339,694.86 USD) as of November 29, 2021. In the month of December, it mined an additional amount close to $5,000 AUD ($3,446.03 USD), approximately 15.162 XMR. CoinHelper is still actively spreading, with the ability to mine approximately 0.474 XMR every day.

The Avast threat researchers also observed a spike in tech support scams, which trick the user into believing they have a technical problem and lure them into calling a hotline, where they are pressured into paying high support fees or granting remote access to their system.

Premium SMS Subscription Scams and Spyware Stealing Facebook Credentials Spreading on Mobile Devices

The Avast Threat Labs noted two mobile threats in the report: Ultima SMS and Facestealer. Ultima SMS, a premium SMS subscription scam, resurfaced in the last few months. In October, Ultima SMS apps were available on the Play Store, mimicking legitimate applications and games and often featuring catchy adverts. Once downloaded, they prompted users to enter their phone number to access the app. Subsequently, users were subscribed to a premium SMS service that can cost up to $10 per week. The actors behind Ultima SMS extensively used social media to advertise their applications and accrued over 10M downloads as a result.

Facestealer, spyware designed to steal Facebook credentials, resurfaced on multiple occasions in Q4/2021. The malware masquerades as photo editors, horoscopes, fitness apps and other applications. After the user has used the app for a period of time, it prompts them to sign in to Facebook in order to continue using the app without adverts.

For more detailed information visit the full report here.
