CYBER ATTACK CATEGORIES BY REGION

We combined banking Trojans and botnets, previously classified as two distinct types into a single category. As many banking Trojans received additional functionalities, which makes the differentiation between the two categories less distinct, we introduce the unified category, “multipurpose malware.”

In 2022, Glupteba is one of the most dominant multipurpose malware families in the wild, taking the 3rd place in the chart with involvement in approximately 5% of all corporate networks. This malware features a variety of capabilities including a rootkit, a router attack tool, a credential stealer, a crypto miner and more. However, Glupteba is best known for its unique use of the BitCoin blockchain technology as its C&C infrastructure to receive configuration information. Glupteba’s high activity rate in 2022 is curious since in December 2021, Google carried out a takedown operation to put a halt to its attack activities.
The operation involved both legal and technical steps. First, the company, in collaboration with industry partners, disrupted key C&C infrastructure to halt the communications between the botnet operators and its infected bots. Glupteba’s innovative C&C technology allows it to swiftly find an alternative C&C server by scanning the blockchain – composed of hundreds of thousands of servers daily taking part in BitCoin transactions – in case its current server is shut down. The technological complexity of the botnet’s communication method led Google to incorporate legal steps into the operation. The company took part in a civil lawsuit against the alleged operators of the blockchain-enabled botnet. Despite the large-scale operation, in March 2022 a new massive campaign involving Glupteba and Trickbot was observed by researchers. The campaign targeted MikroTik routers and was designed to form a botnet-as-a-service infrastructure.

Still topping the chart is Formbook, a commodity infostealing malware sold as-a-service on underground forums since 2016 and is designed to collect information via keylogging. In March, a malicious campaign involving Formbook was found to be targeting Ukrainians with spams, luring victims with fake funding approval letters from the government. Shortly afterwards in April, CPR detected a peak in Formbook’s activity.

The Snake Keylogger modular .NET keylogger/infostealer is a first-time entrant in our chart. Snake first surfaced around late 2020, and quickly grew in popularity among cyber criminals. Snake’s main functionalities include recording keystrokes, taking screenshots, harvesting credentials and clipboard content, in addition to supporting exfiltration of the stolen data by both HTTP and SMTP protocols. It is usually spread through emails that contain DOCX or XLSX attachments with malicious macros.
However, in May researchers reported that Snake Keylogger was spreading through PDF files. This could be due in part to Microsoft blocking by default internet macros in Office, compelling cybercriminals to explore new file types such as PDFs.

Finally, we note that the popular Raccoon stealer left the ranks. A report in March stated that a key member of the malware as-a-service operation was possibly affected by the conflict in Eastern Europe, and temporarily suspended all activities. Nevertheless, Raccoon resurfaced in June with the newly developed Raccoon Stealer V2 integrating improvements and new features.

The crypto market saw a drastic decrease of value in H1, losing nearly $2 Trillion, from a record $2.9T market cap in November 2021. Low crypto rates affect mining profitability and with it the motivation for cryptomining. This explains cryptominers’ visibility decreasing from 21% in 2021 to 15% globally in the first half of 2022. However, the hierarchy among the different types remained the same.

XMRig, a legitimate open-source mining tool that is used by attackers for malicious purposes, remains the most common tool for unauthorized mining. LemonDuck, a relatively new cryptomining malware which has no legitimate use, also has extensive malicious functionalities including credential stealing and lateral movement. As Lemonduck is equipped with the ability to drop additional tools for human-operated attacks, its detection should be treated seriously as a precursor for severe attacks.

AlienBot, a banking Trojan for Android sold underground as Malware-as-a-Service (MaaS), has taken over the top of the chart. This Trojan supports keylogging and dynamic overlays for credential theft, as well as SMS harvesting for Two-Factor Authentication (2FA) bypass. In addition, AlienBot could gain remote control capabilities by abusing legitimate TeamViewer modules.

FluBot, another Android banking malware, started to emerge in late 2020 spreading via “Smishing” (SMS Phishing). It uses SMS messages as the attack vector for malware distribution and sends the same SMS to all of the initial victim’s contacts, generating exponential spread. In January, the malware re-emerged in a new campaign leveraging Adobe Flash Players fake updates to steal banking credentials.

FluBot eventually gained a lot of attention, and in June, an international law enforcement operation involving 11 countries led to its infrastructure takedown, rendering the malware inactive.
Lastly, Cerberus, first seen in the wild in June 2019, is a Remote Access Trojan (RAT) with specific banking screen overlay functions for Android devices. Cerberus has been operating as Malware-as-a-Service (MaaS) and its features include SMS control, key-logging, audio recording, location tracking, and more. This well-known malware is so widespread partly due to the availability of its source code, which was leaked in a failed auction in 2020, offering threat actors the possibility to customize their own versions.