Business Daily Media

Business Marketing

.

Log4j opening doors for new attacks while ransomware and RAT attacks on decline

  • Written by Jakub Kroustek, Avast Malware Research Director

Researchers also observed the resurrection of Emotet, increased coinminer activities during growing Bitcoin prices, and an increasein technical support scams, Android subscription scams and spyware

Avast, a global leader in digital security and privacy released its Q4/2021 threat report, revealing an immediate exploitation of the Log4j vulnerability by coinminers, RATs, botnets, ransomware, and APTs, in December putting CISO departments under pressure. Furthermore, Avast’s threat researchers observed the revival of the Emotet botnet, and a 40% rise in coinminers, posing risks for consumers and businesses alike. The Q4 findings likewise show an increase in adware, technical support scams on desktop, and subscription scams and spyware on Android devices, targeting consumers. At the same time, Avast saw less ransomware and remote access trojan (RAT) activity. 

“Towards the end of the year, the extremely dangerous, ubiquitous, and easy to abuse Log4j vulnerability made CISO departments sweat, and rightly so, as it was weaponised by attackers spreading everything from coinminers to bots to ransomware,” said Jakub Kroustek, Avast Malware Research Director.

“On the other hand, we are happy to report decreases in RAT, information stealer, and ransomware attacks. RAT activity died down thanks to the holidays, with bad actors even going as far as copying  the DcRat remote access trojan  and it renaming'SantaRat'. We saw a slight decrease in information stealer activity, likely due to a significant decrease in infections through password and information stealer Fareit, which dropped by 61% vs. the previous quarter,” noted Jakub Kroustek. “The havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies, and security vendors to hunt down ransomware authors and operators, and we believe all of this resulted in a significant decrease in ransomware attacks in Q4/2021. The ransomware risk ratio decreased by an impressive 28% compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite.”

Cybercriminals attacking businesses via Log4j vulnerability and via RATs abusing Azure and AWS 

The vulnerability in Log4j, a Java logging library, proved extremely dangerous for businesses because of the ubiquity of the library and the ease of exploitation. Avast researchers observed coinminers, RATs, bots, ransomware, and APT groups abusing the vulnerability. Various botnets abused the vulnerability, including the infamous Mirai botnet. Most bot attacks were just probes testing the vulnerability, but Avast also noticed numerous attempts to load potentially malicious code. For instance, some RATs were spread using the vulnerability, the most prevalent of which were NanoCore, AsyncRat and Orcus. A low-quality ransomware, called Khonsari, was the first ransomware the researchers saw exploiting the vulnerability.

In addition to exploiting the Log4j vulnerability to spread RATs, cybercriminals exploited the CVE-2021-40449 vulnerability, which was used to elevate permissions of malicious processes by exploiting the Windows kernel driver. Attackers used this vulnerability to download and launch the MistarySnail RAT. Moreover, a very important cause of high NanoCore and AsyncRat detections was caused by a malicious campaign abusing the cloud providers, Microsoft Azure and Amazon Web Service (AWS). In this campaign malware attackers used Azure and AWS as download servers for their malicious payloads to attack businesses.

Moreover, Avast researchers saw the bad actors behind Emotet rewrite several of its parts, reviving their machinery, and taking the botnet market back with the latest Emotet reincarnation.

Adware, Coinminers, and Tech Support Scams Targeting Consumers

Desktop adware and rootkit activity increased in Q4/2021. Avast researchers believe these trends are related to the Cerbu rootkit, which can hijack browser homepages and redirect site URLs according to the rootkit configuration. Cerbu can therefore easily be deployed and configured for adware, annoying victims with unwanted ads and capable of adding a backdoor to victims’ machines.

While the Bitcoin price increased at the end of 2021, the number of coinminers spreading increased by 40%, often via infected web pages and pirated software. CoinHelper was one of the prevalent coinminers very active throughout Q4/2021, mostly targeting users in Russia and the Ukraine. Coinminers stealthily abuse a user’s computing power to mine crypto currencies, which can cause high electricity bills and impact the lifespan of the user’s hardware. Additionally, CoinHelper harvests various information about its victims including their geolocation, antivirus solution they have installed, and hardware they are using. Despite observing multiple crypto currencies configured to be mined, including Ethereum and Bitcoin, Monero stood out to Avast researchers in particular. Monero is designed to be anonymous, however, the wrong usage of addresses and the mechanics of how mining pools work, enabled the researchers to gain deeper insights into the malware authors’ Monero mining operation. They found that the total monetary gain from the CoinHelper coinminer was over $485,000 AUD ($339,694.86 USD) as of November, 29, 2021. In the month of December, it mined an additional amount close to $5,000 AUD ($3,446.03 USD ) ~15.162 XMR, ~. CoinHelper is still actively spreading, with the ability to mine ~0.474 XMR every day.

The Avast threat researchers also observed a spike of tech support scams, tricking the user into believing they have a technical problem, and scamming them into calling a hotline where they will be scammed to pay high support fees or grant remote access to their system.

Premium SMS Subscription Scams and Spyware Stealing Facebook Credentials Spreading on Mobile Devices

The Avast Threat Labs noted two mobile threats in the report: Ultima SMS and Facestealer. Ultima SMS, a premium SMS subscription scam resurfaced in the last few months. In October, Ultima SMS apps were available on the Play Store, mimicking legitimate applications and games, often featuring catchy adverts. Once downloaded, they prompted users to enter their phone number to access the app. Subsequently, users were subscribed to a premium SMS service that can cost up to $10 per week. The actors behind UltimaSMS extensively used social media to advertise their applications and accrued over 10M downloads as a result.

Facestealer, spyware designed to steal Facebook credentials, resurfaced on multiple occasions in Q4/2021. The malware masquerades as photo editors, horoscopes, fitness apps and others. After using the app for a period of time, it prompts the user to sign in to Facebook to continue using the app, without adverts.

For more detailed information visit the full report here.

Popular

Why cybersecurity is a team sport

Basketball can teach us a lot about managing the cybersecurity of an enterprise: it takes teamwork. ESPN’s documentary The Last Dance covered basketball legend Michael Jordan’s last season with the Chicago Bulls. By this stage...

Revolut launches educational courses on cryptocurrency in Australia to advance financial literacy

Revolut, the global financial superapp with more than 20 million customers worldwide, is taking another step forward towards its mission of bringing customers the best financial products and services to manage their money. ...

Turning resolutions into short-term survival and long-term growth tactics

Few Australian industries have been harder hit by the pandemic than hospitality. After two years of lockdowns, social distancing restrictions, staff shortages and supply chain woes, 2022 was supposed to signal the start of a n...