New threats have more targets, hide control servers better

Apr 23, 2015 15:20 GMT  ·  By

The purpose of the security industry is to put a stop to, or at least slow down, cybercriminal activity, but this objective is proving hard to attain: disrupting widely distributed banking Trojans prompts new, more sophisticated threats of the same kind to emerge in their place.

Although the joint efforts of law enforcement and private security companies to take down botnets in 2014 and early 2015 were not in vain, they also pushed cybercriminals to adapt and to develop new ways of bypassing the latest security technologies.

The list of targets is more diverse

Large botnets built on ZeuS, Shylock and the more recent Ramnit were disrupted between mid-2014 and early 2015, but threats such as Dyre (a.k.a. Dyreza), Bugat v5 (a.k.a. Dridex) and Vawtrak (a Gozi variant also known as Neverquest) grew their victim counts and became more prevalent.

According to a report published on Wednesday by the Dell SecureWorks Counter Threat Unit (CTU), the types of targets observed since 2014 have diversified: apart from regular banking websites, the crooks have set their sights on corporate finance and payroll services, stock trading, social networking, email services, employment portals, hosting providers, phone companies, and dating portals.

The number of targets has grown accordingly; the researchers note that banking malware targeted over 1,400 financial institutions in more than 80 countries.

“More than 90 percent of banking trojans targeted financial institutions located in the U.S., but institutions in the UK, Germany, Italy, Spain, and Australia were also affected,” says Pallav Khandhar, Dell SecureWorks CTU researcher.

Attacks focus on targets in Asia, anonymization services used to hide C&C

However, attackers appear to be shifting their focus to targets in Asian countries, where banks have weaker defenses: because of the language barrier, they have not been exposed to banking malware to the same extent as institutions in English-speaking countries.

A newer measure taken by botnet operators to avoid takedowns is to host their command and control (C&C) infrastructure behind anonymization networks such as Tor and I2P (Invisible Internet Project). These networks encrypt the traffic and route it through multiple relays, so neither the infected client nor a network observer learns the server's real IP address, and there is no single hosting provider or domain registrar to serve with a takedown request.
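One cheap detection opportunity this shift creates is the name lookup itself: a bot that is supposed to reach its C&C through Tor or I2P should resolve `.onion` and `.i2p` names inside the anonymity network, but a careless client (or a helper that calls the system resolver first) leaks that lookup to the corporate DNS server. The following is an added example, not code from the article or from the Dell SecureWorks report; it scans BIND-style query-log lines for such leaks and ranks clients by how often they leak. The log format and every sample line are constructed for the example.

```python
"""Flag DNS query-log lines that reveal Tor (.onion) or I2P (.i2p) name resolution.

Added example: not part of the original article or of the Dell SecureWorks report.
The log format and the SAMPLE_LOG lines are constructed for illustration.
"""
import re
from collections import Counter

# .onion is reserved for Tor hidden services (RFC 7686); .i2p is the I2P
# pseudo-TLD, which also covers base32 "*.b32.i2p" destinations.
ANON_SUFFIXES = (".onion", ".i2p")

# Constructed BIND-style query log: "client <ip>#<port>: query: <name> IN <type>"
LOG_LINE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def is_anon_name(qname):
    """True when the queried name is, or ends in, a Tor or I2P pseudo-TLD."""
    name = qname.rstrip(".").lower()
    return any(name == suffix[1:] or name.endswith(suffix) for suffix in ANON_SUFFIXES)


def find_leaks(lines):
    """Return (client_ip, queried_name) for every leaked Tor/I2P lookup, in log order."""
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if match and is_anon_name(match.group("qname")):
            hits.append((match.group("src"), match.group("qname").rstrip(".").lower()))
    return hits


def hosts_by_leak_count(lines):
    """Count leaks per client so the noisiest (most likely infected) host sorts first."""
    return Counter(src for src, _ in find_leaks(lines)).most_common()


# Constructed sample log; the .onion/.i2p names are made up.
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: www.example.com IN A",
    "client 10.0.0.5#51235: query: abcdefghijklmnop.onion IN A",
    "client 10.0.0.9#40001: query: mail.example.net IN MX",
    "client 10.0.0.5#51236: query: ukeysdfjh3k4j5h6.b32.i2p IN A",
    "client 10.0.0.7#33333: query: notanonion.com IN A",
    "client 10.0.0.7#33334: query: stats.i2p. IN AAAA",
]

if __name__ == "__main__":
    for src, count in hosts_by_leak_count(SAMPLE_LOG):
        print(f"{src}: {count} leaked anonymity-network lookup(s)")
```

The suffix test deliberately matches on the label boundary, so a host such as `notanonion.com` is not flagged. The check only catches clients that leak; a bot that carries its own Tor client and resolves inside the circuit will never appear here, which is why the DNS check belongs next to, not instead of, monitoring for direct connections to Tor and I2P relays.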

Also on the rise is activity from four malware downloaders, Kegotip, Chanitor, Upatre, and Lerspeng, which serve as the first stage of an infection, fetching the next-stage payload onto the compromised machine.

In the case of Upatre, researchers at Cisco spotted a new variant that fully encrypts its communication with the C&C server, leaving network sensors no plaintext to match against and thus making detection more difficult.
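To make the "more difficult" concrete: a content signature written against a plaintext check-in stops matching the moment the same check-in is encrypted, and the defender is pushed back onto metadata heuristics such as payload entropy on a port where plaintext is expected. The block below is an added example, not code from the article or from Cisco's Upatre analysis; the check-in format, the signature and the key are invented for illustration and are not Upatre's real protocol, and the SHA-256 counter-mode keystream is a toy stand-in for whatever cipher the malware actually uses.

```python
"""Plaintext vs. encrypted C&C check-in: what a content signature sees and what it misses.

Added example, not from the original article or from Cisco's analysis. The beacon
format, SIGNATURE and KEY are constructed for illustration; the keystream cipher is
a toy (SHA-256 in counter mode) standing in for the malware's real cipher.
"""
import hashlib
import math
from collections import Counter

# Constructed HTTP check-in; nothing here is Upatre's real protocol.
PLAINTEXT_BEACON = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 59\r\n\r\n"
    b"id=00112233AABB&os=6.1&ver=2.03&task=list&user=WORKSTATION1"
)
SIGNATURE = b"POST /gate.php"          # a content rule written against the plaintext variant
KEY = b"constructed-demo-key"          # hypothetical key shared by bot and C&C
HIGH_ENTROPY = 6.0                     # bits/byte; HTTP text sits well below, ciphertext well above
PLAINTEXT_PORTS = {80, 8080}           # ports where a sensor expects readable HTTP


def shannon_entropy(data):
    """Bits per byte of the payload: 0.0 for constant input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream_encrypt(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks.
    Decryption is the same operation. Illustration only; never use this in place of a vetted cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def classify(payload, dst_port):
    """Which detection, if any, fires for one client-to-server payload."""
    if SIGNATURE in payload:
        return "content-signature"
    if dst_port in PLAINTEXT_PORTS and shannon_entropy(payload) >= HIGH_ENTROPY:
        return "entropy-anomaly"
    return "none"


if __name__ == "__main__":
    encrypted = keystream_encrypt(KEY, PLAINTEXT_BEACON)
    for label, payload in (("plaintext", PLAINTEXT_BEACON), ("encrypted", encrypted)):
        print(f"{label:9s} entropy={shannon_entropy(payload):.2f} "
              f"port80={classify(payload, 80)} port443={classify(payload, 443)}")
```

The encrypted check-in on port 80 is still flagged, but only because random-looking bytes are out of place there; the same bytes sent to 443 blend in with legitimate TLS, and the entropy rule reports nothing. Telling encrypted malware traffic from real TLS on 443 then requires checking for a proper TLS handshake rather than looking at the payload bytes, which is the extra work the encrypted variant imposes on defenders.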