List: Revelations by Zscaler, FireEye, Talos, McAfee and Blue Coat.
The global malware picture is troubling.
According to a report by AppRiver, the levels of spam and malware email traffic recorded during Q1 2016 have already surpassed the total levels documented during the whole of 2015.
This totalled 2.3 billion malicious email messages, with 1.7 billion in March.
A key theme in Proofpoint’s Quarterly Threat Report, reflected in some of the vulnerabilities below, is that Android was by far the most targeted operating system. In fact, 98 percent of all malicious mobile apps examined in Q1 2016 targeted Android devices, despite the discovery of an iOS Trojan.
The report, which analyses over one billion email messages, hundreds of millions of social media posts, and more than 150 million malware samples, also found that ransomware was becoming increasingly popular as a malware, with 24 percent of email attacks based on attached document files in Q1 featuring the new Locky ransomware.
With a constant stream of new malwares being discovered, it can be hard to keep up with the specific strains out there. CBR has rounded up the last week’s discoveries by cyber security companies such as Zscaler and FireEye.
1. Zscaler: Android Infostealer
Android Infostealer was first found by Zscaler inside third-party Android app stores in China, which are notorious for serving up malware disguised as legitimate apps.
However, Zscaler found new instances of it in April, disguised as an update to the browser Google Chrome.
Several rogue URLs were offering a download file titled Update_chrome.apk. When the user installs the APK, it prompts for administrative access.
Worryingly, the malware payload is capable of checking for installed security applications and terminating them. Zscaler saw hard coded checks for antivirus applications like Kaspersky, ESET, Avast and Dr. Web as seen below.
It can harvest call logs, SMS data, browser history and banking information and send it to a remote command and control server. This can be used for fraud or for unknown purposes.
The only way to get rid of Infostealer is a factory reset.
2. FireEye: RuMMS
FireEye discovered this fairly new malware, the earliest sample of which dates back to 18 January 2016.
This new family is infecting smartphones through SMS phishing, with over 300 samples found in the wild so far.
The short messages have the malicious URL embedded; if the recipient clicks it then their phone will be infected.
Once the app is installed, it will request device administrator privilege. It will then remove its own icons to hide itself from users, then continue running in the background.
Its activities include sending short messages to query financial account balances and forwarding incoming calls.
The malware is distributed through a series of websites hosted by a service provider in Russia.
FireEye found that there had been 2729 infections of RuMMS samples from January 2016 to early April 2016, peaking in March with more than 1,100 infections.
FireEye recommended people deploy a mobile threat prevention platform – unsurprisingly, its own – which it said would be able to detect and block such messages.
3. Blue Coat: net.prospectus
Andrew Brandt, security researcher at Blue Coat, wrote about the new ransomware on the company blog.
According to Blue Coat, this is the first time that Towelroot has been used in an exploit kit.
Most worryingly, it is believed to be the first time an exploit kit has been able to successfully install malicious apps on a mobile device silently and without user interaction. The device never displayed the normal ‘applications permissions’ dialogue box that is usually shown when an Android app is installed.
The malware is ransomware, but it has slightly unusual behaviour. Rather than threatening to encrypt the victim’s data, it holds the device in a locked state where it cannot be used for anything except for delivering payment to the criminals: two $100 Apple iTunes gift card codes.
To get rid of the ransomware, Blue Coat says that users should back up their data and restore device settings to factory mode.
4. McAfee: Dynamer
Since Windows Vista, Windows PCs have included an Easter Egg that allows users to create a specially named folder to act as a shortcut to settings and special folders on Windows. These might include control panels, My Computer, or the printers folder.
McAfee found that this Easter Egg was being exploited by attackers.
Dynamer was found to be infecting computers, adding a new entry to the local Windows Registry which contained a slightly modified GodMode path that automatically redirected users to the RemoteApp and Desktop Connections item on the control panel.
According to Microsoft, Trojans like Dynamer can “steal personal information, download more malware, or give a malicious hacker access to your PC.”
It was impossible to delete the malware by normal means, although McAfee provided a command to do so.
5. Cisco Talos: Qbot
The Talos Security Intelligence and Research Group (Talos), a team of threat researchers which creates threat intelligence for Cisco products, revealed that Qbot is experiencing a large surge in both development and deployment.
Qbot targets sensitive information like banking credentials. For this it steals data like stored cookies or credentials, and injects code into web browsers to manipulate live browsing sessions.
The malware has been around since 2008 at the latest, according to Talos. However, there have been some key changes.
The primary means of infection is as a payload in browser exploit kits. Since website administrators often use FTP to access servers, Qbot tries to steal FTP credentials and add the servers to its malware hosting infrastructure.
Talos recommends Advanced Malware Protection to prevent the execution of the malware used by these threat actors.