ThreatList: Ransomware, EKs and Trojans Lead the Way in Q3 Malware Trends

After a two-quarter lull in the action, malware activity resurged in the third quarter of the year, especially on the business front.

When it comes to malware activity, businesses took a big hit in the third quarter, with detection trending upward by a whopping 55 percent, according to new research. Consumers saw an uptick too, but only a modest one: volume was up just 4 percent quarter-over-quarter for this segment.

Overall, there was an increase of 5 percent, or 1.7 million more detections, in Q3 than in Q2, according to a recent report by Malwarebytes on cybercrime tactics and techniques in 2018.

In terms of trends in malware usage, there was a surge in the use of banking trojans and information-stealers (such as the ongoing scourge of the Emotet and LokiBot code). This meant that the trojan category in general took the No. 1 spot in terms of detections, spiking a notable 86 percent from last quarter.

“The bad guys are going after information again, that’s clear – and we’re wondering if that’s because of the GDPR and other privacy efforts,” said Adam Kujawa, director of malware intelligence at Malwarebytes. “It means that there’s less opportunity to find a random server on the internet containing vast amounts of data – companies will have to be more careful with data, so breaches may become more difficult. So they’re trying to get as much as they can now before the clampdown comes.”

The Q3 threat landscape also saw the return of two previously virulent (but lately quiet) categories of malware: ransomware and exploit kits.

After ceding ground to cryptominers over the last year and a half or so, ransomware returned with renewed gusto in Q3. The quarter saw the development of 40 new ransomware variants, and an 88 percent increase in detections from last quarter.

The GandCrab ransomware was particularly prevalent, according to Kujawa.

“GandCrab is making a lot of noise,” he told Threatpost. “GandCrab has had two updates recently, which is unusual, and its distribution is not even close to what we see with LokiBot. It’s different because it utilizes vulnerabilities to traverse a network and infect it, like a worm. That’s perfect for the business targets, where it would have an easier time spreading because of all of the networking systems that are tied together in that environment. It’s becoming incredibly dangerous.”

Cryptominers, however, are on the wane, the data shows.

“Cryptominers are still a problem, but this quarter we saw the lowest number of detections that we’ve seen in a year,” said Kujawa. “When the value of Bitcoin soared through the roof, we saw miners show up from every corner – social media, potentially unwanted program (PUP) downloads, spam emails – they were all over the place. Crypto-activity was still pretty strong in the first half of 2018, but now we’re seeing a decline every month.”

Exploit kits, meanwhile, saw their busiest quarter in well over a year, although the attacks were clustered regionally in Asia; specifically, EK usage spiked in South Korea before moving into Japan, according to the report. Researchers found that instead of being used as a sole weapon, EKs are now being adopted as an additional component of web-based attacks.

“This year we saw four new zero-day exploits for Internet Explorer – and they are already weaponized into EKs,” said Kujawa. “There’s a spike in the use of the Magnitude EK in Asia, coincident with more malvertising activity and more compromised WordPress sites. Currently most EKs are pushing cryptominers right now, but we think that’s going to change. Also, with EK activity being successful in Asia, Western threat groups may get some ideas and ramp up their own efforts.”
