FakeUpdates most popular malware worldwide



Low-cost malware becoming the weapon of choice for criminals



FakeUpdates is the most commonly used malware worldwide, according to Check Point Research’s recent Global Threat Index survey. About 6% of all organisations worldwide fell victim to such an attack.

FakeUpdates (also known as SocGholish) is a downloader malware first discovered in 2018. The malware spreads via so-called drive-by downloads on compromised or malicious websites and attempts to trick users into installing a fake browser update. FakeUpdates is linked to the Russian hacking group Evil Corp and is used to install additional malware on the system after the initial infection.

Researchers this month discovered a sophisticated multi-stage malware campaign involving AgentTesla, Remcos and Xloader (an evolution of FormBook). The attack begins with phishing e-mails that look like order confirmations and prompt victims to open a malicious 7-Zip archive. This archive contains a JScript Encoded (.JSE) file that executes a Base64-encoded PowerShell script. That script then launches a second-stage executable written in .NET or AutoIt. The final malware is injected into legitimate Windows processes such as RegAsm.exe or RegSvcs.exe, which greatly complicates detection.
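To show what that chain looks like from the detection side, here is an added example (not code from the article or from Check Point's report) that runs three rules over constructed process-creation events: a script host executing a .jse from a user-writable path, PowerShell with an encoded command (decoded for the analyst), and RegAsm.exe/RegSvcs.exe started by a parent outside an assumed allowlist of build tooling, then correlates them per host. The event format, the allowlist and the sample command are assumptions.

```python
import base64
import re

# Constructed base64 of a UTF-16LE one-liner (the form -EncodedCommand expects).
ENC = base64.b64encode("Start-Process stage2.exe".encode("utf-16le")).decode()

# Constructed sample process-creation events (not real telemetry); parent and
# image are executable names as an EDR would report them.
EVENTS = [
    {"host": "ws01", "parent": "7zFM.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\7zO1\order.jse"'},
    {"host": "ws01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand " + ENC},
    {"host": "ws01", "parent": "stage2.exe", "image": "RegAsm.exe",
     "cmd": "RegAsm.exe"},
    {"host": "ws02", "parent": "devenv.exe", "image": "RegAsm.exe",
     "cmd": "RegAsm.exe /codebase MyLib.dll"},  # benign developer use
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Assumed allowlist of parents that legitimately launch RegAsm/RegSvcs.
TRUSTED_PARENTS = {"devenv.exe", "msbuild.exe", "installutil.exe"}
ENC_RE = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")  # -e/-enc/-EncodedCommand

def detect(events):
    """Return (host, stage, detail) findings, one per matching stage."""
    findings = []
    for e in events:
        img, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmd"]
        # Stage 1: script host running a .jse/.js dropped under a user profile.
        if img in SCRIPT_HOSTS and re.search(r"(?i)\\users\\.*\.jse?\b", cmd):
            findings.append((e["host"], "jse_from_user_path", cmd))
        # Stage 2: PowerShell with an encoded command; decode it for the analyst.
        if img == "powershell.exe" and (m := ENC_RE.search(cmd)):
            decoded = base64.b64decode(m.group(1)).decode("utf-16le", "replace")
            findings.append((e["host"], "encoded_powershell", decoded))
        # Stage 3: RegAsm/RegSvcs started by something other than build tooling,
        # the trace left when a payload is injected into these signed binaries.
        if img in INJECTION_HOSTS and parent not in TRUSTED_PARENTS:
            findings.append((e["host"], "regasm_unusual_parent", parent))
    return findings

def hosts_with_full_chain(findings):
    """Hosts on which all three stages of the chain were observed."""
    seen = {}
    for host, stage, _ in findings:
        seen.setdefault(host, set()).add(stage)
    return sorted(h for h, s in seen.items() if len(s) == 3)
```

Each rule alone is noisy on a developer workstation (ws02 shows the benign case); the value comes from requiring all three stages on one host within a short window.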

These findings illustrate a striking trend in the cyber landscape, namely the way simple, low-cost malware – such as AgentTesla and Remcos – is now being deployed within complex, multi-layered attack campaigns. Whereas these tools were once used primarily for straightforward financial attacks, they are now cleverly combined with techniques typical of state-sponsored actors, such as encrypted scripts, abuse of legitimate Windows processes and carefully constructed phishing attacks. This blurs the line between criminal and geopolitically motivated cyberattacks, and makes detection and attribution more difficult.

Also gaining ground is Akira, first reported in early 2023. It targets Windows and Linux systems and uses symmetric encryption (CryptGenRandom and Chacha 2008). Resembling the leaked Conti v2 ransomware, it spreads via infected attachments or VPN exploits. After infection, files are encrypted and given the extension “.akira”, accompanied by a ransom note.

The report also notes the rise to prominence of new ransomware groups. SatanLock, active since April, has already listed 67 victims. Qilin (Agenda) works with affiliates to encrypt and exfiltrate data and was first detected in July 2022. The group targets large enterprises, especially in healthcare and education, and penetrates systems via phishing e-mails with malicious links.

Emerce
