Malware Gangs Partner Up in Double-Punch Security Threat


From TrickBot to Ryuk, more cybercriminal malware groups are putting their heads together when attacking businesses.

Cybergangs are joining forces under the guise of affiliate groups and “as-a-service” models, warns Maya Horowitz, the director of threat intelligence research with Check Point Research. She said the trend is driving a new and thriving cybercriminal underground economy.

Several malware gangs have paired up over the past year – such as the FIN6 cybercrime group and the operators of the TrickBot malware. The purpose is to help each other fill criminal skill gaps and ultimately become a more potent threat to victims.

“In some cases, it’s just an as-a-service model, so the groups don’t necessarily have to know each other,” Horowitz said. “But in many cases, the cooperation is so tight, that we have to assume that there’s something there behind the scenes, that these groups actually communicate and complete each other’s gaps in the attack chain.”

Horowitz talks about these partnerships and what they mean for victims, during this week’s ThreatpostNOW video interview.


Below is a lightly edited transcript of the interview.

Lindsey Welch: Welcome to ThreatpostNOW, Threatpost’s video segment, where we do deep-dive interviews with cybersecurity experts about the top security threats, challenges and trends facing businesses today. I’m joined today by Maya Horowitz, the director of threat intelligence research with Check Point Research. Maya is responsible for leading the intelligence and research efforts while leveraging her team’s analysis into threat prevention products. Since Maya joined Check Point, almost seven years ago, she has successfully discovered and exposed many, many new cyber threat campaigns. So Maya, thank you so much for joining me today.

Maya Horowitz: Great to be here.

LW: This week, CPX 360 kicks off. And I wanted to get your thoughts on some of the biggest threats that we should be on the lookout for in the year ahead. I know, we talked, I think it was a year ago actually, in New Orleans about what you were seeing then. And certainly a lot has changed both in the cybersecurity landscape, but also globally with the COVID-19 pandemic, and everything else. So Maya, in terms of what you’re seeing, what are some of the most active cybercriminal threat groups or APT groups that we should be on the lookout for this year?

Top Malware Families to Watch Out For

MH: So actually, the leading malware or the leading threat group for 2020 was Emotet. And just a couple of weeks ago, it was taken down. We don’t know to what extent yet but, at least for now, this malware is not a threat.

But I guess the question is, who will take the top place in our most wanted malware? And from our statistics, it looks like the answer would probably be one of the following: either Phorpiex, maybe Dridex, maybe QBot, all very, very broadly used malware botnets. But the question is not only which of them would be most popular, but it’s also about partnerships. So with Emotet, it wasn’t only about the botnet, it was actually the next-stage payloads that were very severe, because they had partnerships with some of the top ransomware families.

And so I think the question is both about the distribution of the botnet, but also what the next-stage malware will be, and which of them will be able to distribute some of the top ransomware, like Ryuk and others. So I guess we’ll have to wait and see which of them takes the lead.

Ransomware Gangs Make Key Partnerships

LW: Right. And that’s a really good point too about the partnership aspect of it. I know, for instance, we’ve seen TrickBot being used to deploy further ransomware and other types of malware as well. And we’ve seen a lot of really interesting partnerships between different malware variants. And, as you mentioned, Emotet, the recent takedown of Emotet has had a very interesting shaping of the malware landscape now, and also we’ve seen a couple of other similar takedown efforts and arrest efforts, including with Egregor and other ones. So can you talk a little bit more about these partnerships and how they continue to really shape the cybersecurity malware landscape?

MH: Yeah, I guess many threat groups learned that they can’t be, say, full stack, with the entire tech chain. So each group or each individual has their own added value, so it could be the distribution, right? So it could be, you know, I’m the best at sending many emails, right, I have the mailing lists and I can send many emails; someone else would have the technique on how to make people click the link or open the malicious document. And another would have the technique on how to actually then install the malware. From there, lateral movement is something else, getting the initial intelligence about the network is something else. And eventually, the part that does the damage is another thing. And we know that in many attack chains, we do have separate people or groups for each of these parts. So with Emotet, this was both the emails and the initial payload or the botnet, but then it would sometimes move on to TrickBot to do the lateral movement, and then say to Ryuk as the ransomware. So in some cases, it’s just an as-a-service model, so the groups don’t necessarily have to know each other. But in many cases, the cooperation is so tight, that we have to assume that there’s something there behind the scenes, that these groups actually communicate and complete each other’s gaps in the attack chain.

Malware: As-a-Service Models Versus Partnerships

LW: Right, I was gonna ask, when you have those types of attack chain operations, where multiple strains of malware are being used, what are you seeing there in terms of, is it usually one group who is using an as-a-service model, as you mentioned before? What are the benefits for groups who are working together? How might they kind of split up the ensuing profit? And how does that work really on the back end?

MH: So I can’t really comment on the back end, and how they would split the revenue. And it also varies. In some cases, they would just split, in other cases, they would just pay for the service, doesn’t matter if they actually got the money from the victim eventually or not. And I guess that’s also part of whether it’s as-a-service or an actual collaboration and joint venue. But by the way, in some cases, we even see it with some APT groups that for parts of the attack chain, they would use malware-as-a-service. And it could be just to save on the time and resources in order to create this part of the attack, but also could be for the smokescreen, or so that researchers won’t be able to understand who the attackers are because they’re using generic tools. So we are seeing all these types of collaborations between different groups, but it’s not only cyber criminals, it’s also APTs.

LW: Right, and regardless, this is not a good thing for the victims, I mean, this is innovation happening across the sphere there on the cybercriminal side of things. So not great for different businesses who are dealing with these attacks, for sure.

MH: Yes, but there is also a bright side, because especially mentioning APTs, if they use the same tools used by cyber criminals, maybe these are sometimes tools that are also easier to detect and to block.

COVID-19 Pandemic: Cybercriminals Shift Lures to Remote Work

LW: Yeah, that’s a really good point, for sure. Now I did want to mention the ongoing pandemic, we’ve been living with COVID-19 for a while now, and cybercriminals have certainly kept up with that, unfortunately; they’ve been updating their TTPs and lures to really tap into the different themes that we’ve seen with the pandemic, as well as really the emotions just on the side of victims. So how have you seen the cybercriminal space evolve over the past year to leverage the pandemic, as well as kind of this shift that we’ve had to remote work?


MH: So I think it’s mostly about, as you just said, remote work and remote users, and how to target them or to benefit from the fact that they are not necessarily behind their organization’s security, or that there are more ways to connect remotely to a network. So it applies both to the employees but also sometimes to the threat actors. And of course, the fact that everything was happening so fast necessarily means that at least in some organizations, there were holes in the security.

Remote Desktop Protocol as an Initial Attack Vector

So what we’ve been seeing is more and more vulnerabilities and exploits for different VPN clients. That’s one important thing. But also more and more attacks on RDP, remote desktop protocol. And going back to ransomware, actually, in 2020, most of the ransomware attacks did not even start with emails; they started with exploitation of RDP vulnerabilities. So it means the threat actors are indeed understanding that there’s a new attack, it’s not really a new attack vector, but one that is more robust now and more vulnerable than in the past.

LW: Yeah, and that’s interesting, because I feel like RDP, that is something that is an attack vector that we’ve seen for a while now. So you know, given that, what are your top security practice recommendations for companies who are continuing to deal with the struggles of remote work, whether it is securing RDP or VPNs, or some of the other initial attack vectors you had mentioned there?

Best Cybersecurity Protection Practices for Enterprises

MH: Well, threat actors exploit vulnerabilities in both technology and in people. So I split my answer into one for the technology part, which is making sure of course to do security patches. And for the human being part, or the human error part, it is doing awareness; security awareness for employees is super important, and in many cases neglected. But of course, doing patches and security awareness, we can’t really cover all the attack vectors this way. It’s just impossible. And there are people who are dedicated to security research, security companies like Check Point and others. And we make sure to also understand this threat landscape and to cover it in our products. So it’s also very important to also apply appropriate security solutions.

LW: Great, those are definitely important pieces of advice. So Maya, thank you so much for coming on to ThreatpostNOW to talk about some of the biggest cybercrime trends you’re seeing.

MH: Thank you Lindsey.

LW: Great. And to all of our viewers, thank you again for tuning in to ThreatpostNOW. This is Lindsey Welch once again with Maya Horowitz of Check Point, and be sure to catch us on our next episode. Thank you.
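Horowitz notes above that most 2020 ransomware incidents began with attacks on exposed RDP rather than with email. The following is an added example, not from the interview or from Check Point, of the kind of detection a defender can run over Windows Security log events to spot that pattern early: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, escalated when a successful logon (4624) from the same source follows. The JSON-lines event shape, the IP addresses and the usernames are constructed sample data; the threshold and window are assumptions to tune per environment.

```python
"""Detect RDP password guessing followed by a successful logon in Windows
Security events. Added example; the sample events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

RDP_LOGON_TYPE = 10          # RemoteInteractive: logons arriving over Remote Desktop
EVENT_LOGON_FAILED = 4625    # Windows Security event: an account failed to log on
EVENT_LOGON_SUCCESS = 4624   # Windows Security event: an account was successfully logged on

# Constructed sample Security events (not from the page), one JSON object per line,
# in the shape a log shipper might emit. 203.0.113.7 guesses five accounts and then
# gets in as jsmith; 192.0.2.9 is a single typo-then-success from a legitimate user.
SAMPLE_LOG = "\n".join([
    '{"time":"2021-02-01T09:00:00","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"admin"}',
    '{"time":"2021-02-01T09:00:05","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}',
    '{"time":"2021-02-01T09:00:11","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"backup"}',
    '{"time":"2021-02-01T09:00:18","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"svc_sql"}',
    '{"time":"2021-02-01T09:00:24","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"jsmith"}',
    '{"time":"2021-02-01T09:00:31","EventID":4624,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"jsmith"}',
    '{"time":"2021-02-01T09:10:00","EventID":4625,"LogonType":3,"IpAddress":"198.51.100.4","TargetUserName":"jsmith"}',
    '{"time":"2021-02-01T09:15:00","EventID":4625,"LogonType":10,"IpAddress":"192.0.2.9","TargetUserName":"jsmith"}',
    '{"time":"2021-02-01T09:16:00","EventID":4624,"LogonType":10,"IpAddress":"192.0.2.9","TargetUserName":"jsmith"}',
])


def parse_events(text):
    """Parse JSON-lines events, convert timestamps, and return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def detect_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more RDP logon
    failures inside `window`; the alert is raised to high severity if a successful
    RDP logon from that same source arrives afterwards."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent type-10 failures
    alerted = set()
    alerts = []
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                 # only Remote Desktop logons are of interest here
        ip = ev["IpAddress"]
        recent = failures[ip]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()         # forget failures that fell out of the window
        if ev["EventID"] == EVENT_LOGON_FAILED:
            recent.append(ev["time"])
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"source": ip, "failures": len(recent),
                               "severity": "medium", "success_as": None})
        elif ev["EventID"] == EVENT_LOGON_SUCCESS and ip in alerted:
            # A success from a source that already tripped the threshold is the
            # signal worth paging on: the guessing likely found a valid password.
            for alert in alerts:
                if alert["source"] == ip and alert["success_as"] is None:
                    alert["severity"] = "high"
                    alert["success_as"] = ev["TargetUserName"]
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_password_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

The logon-type filter is what keeps this focused on the vector Horowitz describes: failures over SMB or network logons (type 3) are excluded, so a noisy file server does not drown out the RDP signal. In production the same logic would read from a SIEM or from the forwarded Security channel rather than a string, and the success-after-burst escalation is the event to route to incident response.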
