AdvisorsBot – AdvisorsBot is a sophisticated downloader first spotted in the wild in May 2018. Once AdvisorsBot has been downloaded and executed, the malware uses HTTPS to communicate with the C&C server. AdvisorsBot has significant anti-analysis features, including “junk code” to slow down reverse engineering and Windows API function hashing to make it harder to identify the malware’s functionality.
AgentTesla – AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying between $15 and $69 for user licenses.
AmmyyRat – FlawedAmmyy is a remote access Trojan (RAT) that has been developed from the leaked source code of the remote administration software called Ammyy Admin. FlawedAmmyy has been used in both highly targeted email attacks and massive spam campaigns, and implements common backdoor features, allowing the attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions and much more.
AndroidBauts – AndroidBauts is an adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since its initial detection, it has gained additional functions including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been detected in hundreds of different applications on the Google Store.
Asacub – Asacub Mobile Banker was first introduced in 2015 as spyware. Nowadays Asacub functions as a banker aiming at the victim’s bank account information, and is also capable of siphoning incoming SMS messages, browser history and contacts, as well as executing commands, intercepting messages, and turning off the phone or its screen. Asacub spreads via phishing SMS containing a link that leads to downloading the Trojan’s APK file onto the infected device.
AuthedMine – AuthedMine is a version of the infamous JavaScript miner Coinhive. Similarly to Coinhive, AuthedMine is a web-based cryptominer used to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval. However, unlike Coinhive, AuthedMine is designed to require the website user’s explicit consent before running the mining script.
AZORult – AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system (typically delivered by an exploit kit such as RIG), it can send saved passwords, local files, crypto-wallets and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an AZORult C&C server with moderately low effort.
Bancos – Bancos steals financial information, using keylogging to record the victim’s credentials as they are entered on a targeted bank webpage. Bancos can also supplement or replace a legitimate bank login page with a fake webpage.
Coinhive – A cryptominer designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end user’s machine’s computational resources to mine coins, degrading its performance.
CryptoLoot – A JavaScript cryptominer designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end user’s machine’s computational resources to mine coins, degrading its performance. It is a competitor of Coinhive.
DanaBot – DanaBot is a Trickler that targets the Windows platform. The malware sends information to its control server, then downloads and decrypts files to execute on the infected computer. The downloaded module is reported to be able to download other malicious files onto the system. Moreover, the malware creates a shortcut in the user’s startup folder to achieve persistence on the infected system.
DarkGate – DarkGate is a multifunction malware active since December 2017, combining ransomware, credential stealing, RAT and cryptomining abilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.
Dorkbot – An IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks.
Dridex – Dridex is a Trojan that targets the Windows platform. This malware is reportedly downloaded by an attachment found in spam emails. It identifies itself to a remote server by sending out information about the infected system. Furthermore, it can download and execute arbitrary modules received from the remote server.
Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can also be spread through phishing spam emails containing malicious attachments or links.
GandCrab – GandCrab is a RaaS (Ransomware-as-a-Service) malware. First discovered in January 2018, it operated an “affiliates” program, with those joining paying 30%-40% of the ransom revenue to GandCrab and in return getting a full-featured web panel and technical support. Estimates are that it affected over 1.5 million Windows users before retiring and halting its activities in mid-2019. Decryption tools exist for all GandCrab versions.
Guerrilla – Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
Gustuff – Gustuff is an Android banking Trojan introduced in 2019, capable of targeting customers of over 100 leading international banks, users of cryptocurrency services, and popular e-commerce websites and marketplaces. In addition, Gustuff can also phish credentials for various other Android payment and messaging apps, such as PayPal, Western Union, eBay, Walmart, Skype and others. Gustuff employs various evasion techniques, including using the Android Accessibility Service mechanism to bypass security measures used by banks to protect against older generations of mobile Trojans.
Hawkeye – Hawkeye is an info stealer designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In past years, Hawkeye has gained the ability to take screenshots, spread via USB and more, in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware-as-a-Service).
Hiddad – Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads. However, it is also able to gain access to key security details built into the OS.
HiddenMiner – A strain of Android cryptominer that was spotted in April 2018. HiddenMiner is delivered through a fake Google Play update app, exhausting the device’s resources in mining Monero.
IcedID – IcedID is a banking Trojan which first emerged in September 2017, and usually relies on other well-known banking Trojans, including Emotet, Ursnif and TrickBot, to increase its spread. IcedID steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake clone sites) and web injection attacks (injecting into the browser process to present fake content overlaid on top of the original page).
JSEcoin – A web-based cryptominer designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end users’ machines’ computational resources to mine coins, degrading system performance.
Lezok – Lezok is an Android Trojan capable of downloading additional malware onto the victim’s device without the user’s consent, as well as generating pop-up advertisements while the user is browsing the Internet.
LockerGoga – LockerGoga ransomware was first seen in the wild towards the end of January 2018, targeting heavy industry companies. It appears that the threat actors behind the attack invest time and effort in choosing their victims, and work to launch the attack with precise timing and against critical assets. The attack usually involves encrypting the Active Directory server and endpoints, in order to leave no alternative other than paying the ransom. The combination of AES-256 and RSA makes the encryption very robust. However, poor code design makes the encryption process very slow.
LokiBot – LokiBot is an info stealer with versions for both Windows and Android OS. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and is believed to have had its source code leaked, allowing a range of variants to appear. It was first identified in February 2016. Since late 2017, some Android versions of LokiBot include ransomware functionality in addition to their infostealing capabilities.
Lotoor – Lotoor is a hack tool that exploits vulnerabilities in Android operating systems in order to gain root privileges on compromised mobile devices.
MageCart – MageCart is a type of attack in which malicious JavaScript code is injected into e-commerce websites and third-party suppliers of such systems in order to steal payment details.
Mirai – Mirai is a famous Internet-of-Things (IoT) malware that scans for vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks. Among them were a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States Internet backbone.
Necurs – Necurs is one of the largest spam botnets currently active in the wild, and it is estimated that in 2016 it consisted of some 6 million bots. The botnet is used to distribute many malware variants, mostly banking Trojans and ransomware.
Panda – Panda is a Zeus variant that was first observed in the wild at the beginning of 2016, and is distributed via exploit kits. Since its initial appearance, Panda has targeted financial services in Europe and North America. Before the Olympic Games of 2016, it also ran a special campaign against Brazilian banks.
Piom – Piom is an adware which monitors the user’s browsing behaviour and delivers unwanted
Qbot – Qbot is a backdoor belonging to the Qakbot family. It is capable of dropping and downloading other malware. It also establishes a connection with a remote HTTP server without user consent and may steal important user information.
Ramnit – Ramnit is a banking Trojan which incorporates lateral movement capabilities. Ramnit steals web session information, giving the worm’s operators the ability to steal account credentials for all services used by the victim, including bank, corporate and social network accounts.
Retadup – Retadup is a Trojan that targets the Windows platform. It is reported that this malware is used for targeted attacks, and some variants of the malware come with keylogger, screen capture and password stealing capabilities. The malware is used to mine cryptocurrency on the infected system. It communicates with its remote control server and accepts commands to execute on the infected system.
Ryuk – A ransomware used in targeted and well-planned attacks against several organizations worldwide. The ransomware’s technical capabilities are relatively low, and include a basic dropper and a straightforward encryption scheme. Nevertheless, the ransomware was able to cause severe damage to the attacked organizations, and led them to pay extremely high ransoms of up to 320,000 USD in Bitcoin. Unlike common ransomware, which is systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network, with its infection and distribution carried out manually by the attackers. The malware encrypts files stored on PCs, storage servers and data centers.
Satan – Satan is a Ransomware-as-a-Service (RaaS) which first emerged in January 2017. Its developers offer a user-friendly web portal with customization options, allowing anyone who buys it to create custom versions of the Satan ransomware and distribute them to victims. New versions of Satan were observed using the EternalBlue exploit to spread across compromised environments, as well as performing lateral movement using other exploits.
Sodinokibi – Sodinokibi is a Ransomware-as-a-Service that operates an “affiliates” program and was first spotted in the wild in 2019. Sodinokibi encrypts data in the user’s directory and deletes shadow copy backups in order to make data recovery more difficult. Moreover, Sodinokibi affiliates use various tactics to spread it: spam and server exploits, hacking into managed service provider (MSP) backends, and malvertising campaigns that redirect to the RIG exploit kit.
TheTruthSpy – An Android spyware that first emerged in May 2017. TheTruthSpy is capable of monitoring WhatsApp messages, Facebook chats and Internet browsing history.
Tinba – Tinba is a banking Trojan which targets mainly European banking customers and uses the BlackHole exploit kit. Tinba steals the victim’s credentials using web-injects, which are activated as the user tries to connect to their account.
Triada – A modular backdoor for Android which grants super-user privileges to downloaded malware. Triada has also been seen spoofing URLs loaded in the browser.
TrickBot – TrickBot is a Dyre variant that emerged in October 2016. Since its first appearance, it has been targeting banks, mostly in Australia and the U.K., and lately it has also started appearing in India, Singapore and Malaysia.
Ursnif – Ursnif is a Trojan that targets the Windows platform. It is usually spread through exploit kits (Angler and RIG, at different times). It has the capability to steal information related to Verifone Point-of-Sale (POS) payment software. It contacts a remote server to upload collected information and receive instructions. Moreover, it downloads files onto the infected system and executes them.
Virut – Virut is one of the major botnets and malware distributors on the Internet. It is used in DDoS attacks, spam distribution, data theft and fraud. The malware is spread through executables originating from infected devices such as USB sticks, as well as compromised websites, and attempts to infect any accessed file with the extension .exe or .scr. Virut alters the local hosts file and opens a backdoor by joining an IRC channel controlled by a remote attacker.
WannaMine – WannaMine is a sophisticated Monero cryptomining worm that spreads using the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence techniques by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.
XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
Zeus – Zeus is a widely distributed Windows Trojan which is mostly used to steal banking information. When a machine is compromised, the malware sends information such as account credentials to the attackers using a chain of C&C servers.