Cybergangs recruiting and rewarding supporters, claims Avast report
Digital security and privacy company Avast has released its Q3/2022 Threat Report summarizing the cyber threat landscape derived from the company’s telemetry data and experts’ insights.
Avast’s data shows an increase in PC adware activity at the end of September this year. Avast also protected 370% more users from Raccoon Stealer, an information stealer, in Q3/2022 than in the previous quarter.
Ransomware attacks increased in some markets such as Canada, Spain, and Germany, but slightly declined at a global level. The chances of mobile users encountering a banking trojan increased by 7% quarter-on-quarter, despite Europol dismantling the Flubot group. Most malicious activities remained stable or declined.
“An interesting trend we observed this quarter was cyber gangs actively crowdsourcing and paying people to support their criminal activities, including the improvement, marketing and distribution of their malware,” says Jakub Kroustek, Avast Malware Research Director.
“In terms of attacks, we noticed an uptick in DealPly adware towards the end of Q3/2022, a massive spike in Raccoon Stealer infection attempts, increased MyKings botnet activity, and a new botnet called Pitraix, written in Go, gaining a bit of traction. Overall, the volume of cyber attacks remained high, despite cybercriminals appearing to relax a bit over the summer months.”
Businesses and Governments Targeted by Hacking and APT Groups
Pro-Russian group, NoName057(16), targeted companies such as banks and news agencies, and governments supporting Ukraine throughout Q3/2022. The group uses a botnet of computers infected with Bobik malware to perform retaliatory DDoS attacks.
According to Avast’s observations, the group has a 40% success rate, and about 20% of the attacks they claim responsibility for cannot be accounted for in their configuration files. In August, the group announced a new project called DDOSIA, and created a new, private Telegram group with more than 700 members.
The DDOSIA project allows anyone on the internet to download a binary through which they can carry out DDoS attacks on sites determined by NoName057(16). In return, they are rewarded cryptocurrencies.
The Gamaredon APT group also targeted Ukraine in Q3/2022, attacking military and government institutions, and foreign embassies. The group introduced new tools to their toolset, including file exfiltration tools, various droppers, and new ways of distributing payloads and IPs of C&C servers.
LuckyMouse, a well-known Chinese-speaking threat group, also targeted several government agencies in the United Arab Emirates, Taiwan, and the Philippines. Avast found backdoors on infected computers, password stealers for Chrome, and open-source tools, like BadPotato, which is used for privilege escalation. The attackers likely infected devices through a compromised server.
DealPly, adware installed by other malware, peaked at the end of September 2022. The adware is a Chrome extension capable of modifying new pages within the browser and can replace newly-opened tabs, read browser history, change bookmarks, and manage apps, extensions, and themes in the browser. These capabilities allow the cybercriminals behind the extension to modify search results and replace them with ads, read passwords and credit card details stored in the browser and read what users enter in forms (as well as what they filled in in the past).
Mobile Malware
Adware remains the dominant mobile threat, with adware like HiddenAds and FakeAdBlockers prevailing. Avast protected the largest number of people from adware in Brazil, India, Argentina, and Mexico.
Despite Europol’s recent disbanding of Flubot, the global risk of falling victim to a banking trojan went up by 7% in Q3/2022 compared to Q2/2022. Banking trojans are mainly spread via SMS phishing but can also spread via dropper malware.
TrojanSMS, or premium SMS scams, continue to target mobile users, with SMSFactory and Darkherring leading in the category, while UltimaSMS and Grifthorse retired. SMSFactory and Darkherring are distributed via pop-ups, malvertising, and fake app stores. In contrast, UltimaSMS and Grifthorse were distributed on the Google Play Store, but have since been removed from the Store.
The Avast Q3/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q3-2022-threat-report/