Cybercrime Tactics And Techniques Q1 2017


TABLE OF CONTENTS

- Executive summary
- Windows malware
  - Ransomware trends
  - Cerber, king of ransomware
  - Ransomware as a Service
  - New evasion features
  - Where did Locky go?
  - Keep an eye on Spora and Sage
  - Windows malware predictions
- Mac malware
  - Mac predictions
- Android malware
  - Android predictions
- Distribution methods
  - Exploit kits
  - Malicious spam
- Scams
  - Social media scams
  - Social media scams predictions
  - Tech support scams
  - Tech support scam predictions
- Research spotlight: Chris Boyd
- Conclusion
- Contributors

Introduction

The first quarter of 2017 brought with it some significant changes to the threat landscape, and we aren’t talking about heavy ransomware distribution either. Threats that were previously believed to be serious contenders this year have nearly vanished entirely, while new threats and infection techniques have forced the security community to reconsider collection and analysis efforts.

In our second Cybercrime Tactics and Techniques report, we are going to take a deep look at which threats got our attention the most during the first three months of the year. In addition to that, we are also going to be providing predictions on what the second quarter of 2017 might look like. We are also going to give you a peek behind the scenes of Malwarebytes Labs, at the analysts who make reports like this possible.

Executive summary

The Cerber ransomware family took the mantle as top ransomware by market share in the first quarter of 2017, leaving all competitors in its dust. In addition to its continued use of the Ransomware as a Service model, new advancements made to the malware’s functionality mean that it’s unlikely we will see a decrease in the use and spread of Cerber in coming months. At the same time, our prediction that Locky would continue to be a major player in the ransomware market was completely wrong, since by the end of March, it has all but vanished. However, a few new players entering the market appear very promising and might make a bigger splash later in the year.

On the Mac side, a surge of new malware and backdoors plagued the community this quarter, including another Mac-focused ransomware and numerous infiltrations of Potentially Unwanted Programs (PUPs) in the Apple app store. This trend of spreading PUPs through legitimate sources is unlikely to change based on Apple’s behavior in the past, which has tended toward avoiding removing PUPs.

Two notable Android threats have been causing a lot of trouble, one of them acting as a ransomware, utilizing Android administrative security features against users, while the other locks the system to ensure continued ad revenue coming from the app. We expect both threats to continue being a problem throughout next quarter.

In malware distribution news, RIG exploit kit continues to reign supreme; however, a lack of new exploits, features, or competition means that it’s only a matter of time until RIG is dethroned. Otherwise, distribution continues heavily through malicious spam. An increase in social engineering tactics used by both exploits and malspam to avoid sandbox analysis and add credibility to the attacks means that you can in fact teach an old dog new tricks.

On the scam front, the leak of notable WWE stars’ private images has been co-opted by survey scammers to spread fake links through social media. Alternatively, tech support scammers have been observed taking gift cards as payment and using social media to scam other scammers. They do this by offering out-of-the-box tech scammer packages that fail to live up to their advertisements entirely.

With the chaotic and dynamic nature of the cybercrime world, especially as observed over the last six months, we can expect a very interesting year and predict some serious changes with ransomware distribution and market share by the end of the summer.

Windows malware

The first few months of 2017 revealed much of the same trends we observed moving out of 2016 when it comes to Windows malware—basically, lots of ransomware sprinkled with some ad fraud and just a pinch of everything else. This observation is confirmed by the chart below, which shows malware distribution by malware type for the first three months of 2017.

Figure 1. Malware distribution by type, Q1 2017

As you can see, ransomware continues to be the most heavily utilized type of malware by the most popular methods of distribution, both exploit kits and malicious spam (malspam). As such, we are going to delve into this trend even deeper in our first section of this report.

Ransomware trends

If you caught our last Cybercrime Tactics and Techniques report for 2016, we talked about the two contenders for king of ransomware: Locky and Cerber. So far in 2017, we’ve seen a massive shift in the battle between these two families, with Locky basically dropping out entirely and Cerber expanding its market share by a significant amount.

Figure 2. 12-month ransomware family trends, 2016/2017

The above chart expresses Cerber’s complete rise, especially noticeable when compared to other ransomware families over the last 12 months. Not only does it show Cerber reaching market share domination on par with TeslaCrypt during its most popular timeframe (the first half of 2016) but also the quick fall of the very promising Locky family, which we will discuss in more detail later.

Stepping away from analysis of ransomware family statistics obtained from distribution sources (i.e., Malwarebytes-controlled honeypots), we look at what our users are dealing with. The below graph charts the top 20 most heavily detected ransomware families of the first quarter of 2017.

Figure 3. Ransomware top 20 families, Q1 2017

Once again, Cerber not only sticks out as number 1 against all other families, but it completely towers over subsequently ranked ransomware families, such as the quickly vanishing Locky.

Figure 4. Ransomware family percentage, Q1 2017

Next, we take a deeper look at just Q1 2017 ransomware family distribution, where Cerber starts off the year with a 70 percent market share and approaches 90 percent toward the end of the quarter.

In order to give some attention to the families that live in Cerber’s shadow, we drilled down into the next five top families we observed being dropped. From this view, the fall of Locky is very apparent, with it dropping to under 2 percent market share by the end of March.

Figure 5. Ransomware family percentage (drill down), Q1 2017

This chart does show an interesting new development, with brand-new families like Spora and Sage making a small (but significant) appearance during the first quarter. We might see more from at least one of these families in Q2 2017; however, based on the slight decrease in the distribution of these families during March, it’s just as likely they will vanish into obscurity in the next few months.

Cerber, king of ransomware

If you read our last report, you know that we considered it a possibility that Locky and Cerber would continue their tug-of-war for distribution market share through Q1 2017. Unfortunately, we were wrong. However, this situation acts as a perfect example of how dynamic and sensitive the cybercrime world is.

Figure 6. Cerber ransomware lock screen

Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky.

Ransomware as a Service

Software as a service and security as a service are terms that describe a business/development model that is frequently used in the technology industry. The term refers to software or the deployment of security solutions or even storage “on-demand” or “as a service.” The “as a service” model is very popular with the larger Internet companies, and you probably interact with it on a regular basis if you use Google Apps (Sheets, Mail, Drive) or the Amazon Web Service (AWS). So it’s no big surprise that the bad guys thought it would be a neat way to do business as well, which brings us to the Ransomware as a Service (RaaS) model.

Cerber is a RaaS, and its spread is largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features (which we will discuss later), but by also making it very easy for nontechnical criminals to get their hands on a customized version of the ransomware.

Figure 7. Ransomware as a Service model. Developers sell to affiliates and take a cut of the ransom.

Once the ransomware is purchased, options exist from other parts of the cybercrime marketplace that will distribute the malware through numerous means, ensuring the greatest amount of infection. Once infection and payment occur, the criminals who franchised the ransomware get paid, but the Cerber developers also get a cut of the ransom. You might recognize this process as being akin to an affiliate program used by advertisers.

New evasion features

You can’t expect to stay on top if you aren’t willing to adapt and evolve, which is why Cerber has recently started employing some new tricks, mainly for the sake of avoiding detection by security vendors.

The security vendor Trend Micro recently released its analysis of a new Cerber variant that not only attempts to evade antivirus solutions that employ machine learning, but also detects if the malware is executing within a sandbox or virtual machine.

Basically, this version of Cerber is distributed via phishing emails. These emails include a link to a Dropbox folder to download a self-extracting archive file that has three files inside, each one individually not very dangerous, but designed to work together to execute Cerber functionality. The process works like this:

Figure 8. Cerber’s new detection evasion

1. The phishing email includes a link to download a self-extracting executable from Dropbox.
2. The executable extracts and drops three files:
   a. A Visual Basic Script file
   b. A library (DLL) file
   c. A binary
3. The VB script executes RunDLL32.exe and loads the DLL into memory.
4. The DLL reads the binary file and decrypts the malicious code inside.
5. The decrypted code acts as a loader that checks to see if the victim system is a virtual machine and looks for numerous analysis tools and security products (to evade automated analysis).
6. Finally, the loader code injects Cerber code into one of a few possible running processes and starts encrypting user files.
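Because each dropped file looks harmless on its own, a practical place to catch this chain is process telemetry: a script host launched from a freshly extracted directory handing a DLL in a user-writable path to rundll32.exe. The detection below is an added example (not Malwarebytes code, and not tied to any specific Cerber sample) run over constructed Sysmon-style process-creation events.

```python
"""Detection logic for the staged loader chain described above: a script host
started from a dropped .vbs launches rundll32.exe with a DLL that lives in a
user-writable directory. Added example (not Malwarebytes code) run over
constructed Sysmon-style process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


# Constructed sample telemetry, not real data: a self-extracting "invoice"
# dropped in Downloads runs a VBS, which hands a DLL to rundll32. PID 300 is a
# benign rundll32 use (Control Panel applet) that must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\invoice_0317.exe",
              "invoice_0317.exe"),
    ProcEvent(210, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\RarSFX0\run.vbs"'),
    ProcEvent(220, 210, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\RarSFX0\core.dll,Entry"),
    ProcEvent(300, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Directories an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dll_argument(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to rundll32 (before the ',EntryPoint'), or None."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', cmdline, re.I)
    return m.group(1) if m else None


def detect_rundll32_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag rundll32 loading a DLL from a user-writable path when its parent is
    a script host; raise severity if the grandparent also came from user space."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        dll = dll_argument(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not dll or parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        if not USER_WRITABLE.search(dll):
            continue   # DLL lives under System32 etc.; normal rundll32 use
        grandparent = by_pid.get(parent.ppid)
        dropper_from_user_dir = bool(
            grandparent and USER_WRITABLE.search(grandparent.image))
        alerts.append({
            "rundll32_pid": e.pid,
            "dll": dll,
            "script_host": basename(parent.image),
            "dropper": grandparent.image if grandparent else None,
            "severity": "high" if dropper_from_user_dir else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rundll32_chain(SAMPLE_EVENTS):
        print(alert)
```

The same rule catches the chain even if the VM and security-product checks in step 5 succeed, because the rundll32 launch happens before the loader runs its evasion logic.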

So, what does this mean for stopping Cerber infections in the future? Basically, software that uses machine learning to identify malicious features present in previously unseen (or zero-hour) malware may miss identifying any of the individual parts of this new variant of Cerber. Fortunately, many security companies (including Malwarebytes) don’t put all their eggs in one basket and prevent threats at numerous phases of the attack chain. While Cerber may have found a loophole in physical binary detection, memory monitoring, distribution prevention, and behavioral heuristics should still do the trick.

Where did Locky go?

As mentioned previously, the biggest revelation of Q1 2017 as far as malware market share goes is the disappearance of Locky. Over the course of the first three months of 2017, Locky went from nearly a 70 percent market share to 12 percent in January, and by March it had less than 2 percent.

The reason why Locky suddenly vanished is anyone’s guess—the security industry overall has not discovered a true reason. However, there are a few theories.

Necurs switched to pushing different malware

The Necurs botnet, which is responsible for a lot of the phishing attacks and malicious spam used to distribute malware over the years, seems to no longer be pushing Locky ransomware. Security researchers noticed in June of last year that when Necurs went down temporarily, numbers for Locky also dropped.

Since the beginning of the year, researchers have still observed Necurs spam. However, it seems like they are going in a different direction and have dropped Locky as a primary payload.

No new Locky versions

While not necessarily a different theory from the above, the InfoSec world has noticed a lack of new Locky versions since the beginning of the year, which means either the group behind this heinous ransomware has decided to move on to different business opportunities, or they were caught by law enforcement (or worse).

Either way, we should all be thankful that one of the most dangerous families of ransomware seems to have vanished for the time being. We do still need to worry about an overpowered and heavily distributed Cerber, though, so don’t let your guard down just yet. Also, just because Locky seems to be a thing of the past now doesn’t ensure that it won’t be back in a few months.

Keep an eye on Spora and Sage

The last Windows malware information we want to cover involves two families of ransomware that are beefy in their design but have yet to make a big impact through distribution channels: Spora and Sage.

Figure 9. Spora, Sage, and Cerber comparisons

                       SPORA   SAGE                         CERBER
ENCRYPTION ALGORITHM   AES     Elliptic Curves / ChaCha20   AES
OFFLINE ENCRYPTING     Yes     Yes                          Yes
DECRYPTOR AVAILABLE    No      No                           No
TOR PAYMENT SITE       Yes     Yes                          Yes

Sage, Spora, and Cerber all have a lot in common as far as their encryption capabilities and stand-alone encryption models. However, while Sage seems to be your run-of-the-mill ransomware, secure in its encryption but otherwise uninteresting, Spora has decided to set itself apart with superior customer service for its victims.

Figure 10. Spora lock screen

The Spora payment site provides a lot of features not frequently seen being used by other ransomware families:

- Immunity from future infections
- Per-file restoration
- Live customer service chat

Sage and Spora had a fair amount of distribution attention in February of 2017, with a slight drop in March, but we will have to wait and see if that trend continues or if we can see one of them going head-to-head with Cerber by the end of Q2.

Windows malware predictions

It has clearly been a very busy quarter for Windows malware, with some families vanishing, others starting to make an impact, and, overall, a complete takeover of Cerber ransomware. So, what are we going to see next quarter?

Cerber is going to continue to be a massive force in the ransomware world. Since the creators of Cerber continue to develop and sell the ransomware to affiliates, it would likely take interaction from law enforcement to halt operations and shut the ransomware down. However, barring a huge mistake from one of the group members that gives some hint as to their identities, it’s unlikely this malware will vanish before the end of Q2.

Spora is going to take greater market share. Because of its secure design and professional payment site, Spora could very likely bring in a lot of profit from its operations, which could in turn be invested into greater distribution campaigns. However, catching up with Cerber is no easy feat, so we expect Spora to obtain greater market share over other families but remain far behind Cerber.

Finally, we didn’t really mention Windows malware that isn’t ransomware in this quarter’s report. However, the Kovter Trojan has continued to be the most heavily distributed non-ransomware malware through regular channels. We predict a continuation of its operations through Q2, though we are expecting some changes to either the malware’s purpose, function, or distribution very soon. Any modifications made to the Kovter campaign are unlikely to be beneficial to its victims.

Mac malware

The first quarter of 2017 has seen quite a few new pieces of Mac malware, nearly equaling the number that appeared in all of 2016. Most of these threats have been backdoors, varying in capability, delivery method, and sophistication. Even backdoors delivered via Microsoft Office macros have seen a resurgence on the Mac, installing various backdoor components.

Backdoors

These backdoors have varying capabilities, but generally include most or all of “the basics”: the ability to run arbitrary shell commands, download and install files, exfiltrate files from the infected system, stream data from the webcam, and log keystrokes. Some have more specific capabilities, such as capturing password data from the keychain or searching out and exfiltrating backups of iOS devices.

FindZip

Only one threat varied from the backdoor trend, and that was the second-ever ransomware to appear on the Mac (the first one being KeRanger, which appeared in March of 2016). This quarter’s new ransomware, called FindZip, was a rather unsophisticated attempt that didn’t even give the hacker behind it the capability to decrypt files.

Figure 11. FindZip ransom note

FindZip was found on a piracy site, pretending to be a “crack” for apps like Adobe Premiere Pro or Microsoft Office. To date, the bitcoin wallet meant to collect ransom for this malware has received no payments whatsoever.

Mac PUPs

Potentially Unwanted Programs (PUPs) in the Mac App Store have become a serious problem. As an example, searching for “adware” on the store will result in a list of supposed adware or malware removal apps, and a very large percentage of them are either junk or scams. We have reported many of these to Apple, but most have not been removed.

We recommend taking care about what you download from the Mac App Store, especially when it comes to antivirus or anti-adware software, which is difficult for most people to verify the effectiveness of. (Few people have a ready supply of malware and adware to test with!) Also avoid any kind of system or memory “cleaning” apps.

Figure 12. Adware results on the Mac App Store

Phishing has been a problem for iCloud accounts. Common phishing emails have included supposed notices from Apple that an iCloud account has been locked, requests to confirm an iCloud account, or invoices for a purchase from iTunes or the App Store. Such emails contain links that go to look-alike Apple login pages.

Some of these email messages and phishing sites are quite convincing, so it’s very important to pay close attention and never click the links in these messages. To manage your Apple ID, go directly to appleid.apple.com, and to view purchases in iTunes or the App Store, use the appropriate features within those apps.

Vault 7

Much ado has been made about WikiLeaks’ release about CIA malware for the Mac as part of its Vault 7 leak. None of those tools turned out to be able to infect any modern Macs, as they abused vulnerabilities that had been patched years before, and some only applied to very old hardware. There was nothing particularly surprising or concerning in the leak.

Mac predictions

We anticipate seeing more Mac malware the rest of this year, most likely leading to a spike in malware larger than any year since 2012, the most active year in Mac malware. This year could even surpass 2012 if current trends continue for the rest of the year.

We also predict seeing an increasing problem with PUPs in the Mac App Store, due to Apple’s reluctance to act on such apps. PUP developers have been emboldened by this and seem to be swarming to the store in increasing numbers.

Targeted malspam has primarily been a Windows problem to date, but the reemergence of Microsoft Office macro malware capable of affecting Macs may change this. Many of these malicious documents include code that is capable of detecting whether it is running on a Windows or Mac system and taking action appropriate to the system to infect it. This means that malspam will no longer be an issue only of concern to Windows users, and Mac users will need to be increasingly wary of email attachments.

Android malware

If you’ve read end-of-year summaries from other security vendors in the past, you know that predicting additional Android infections is a common theme. Year after year, however, these predictions generally don’t come true. Despite that, we would be remiss if we did not talk about two malware families currently plaguing Android users, especially since they both take advantage of administrative security features.

Trojan.HiddenAds.lck

When it comes to advertising, most Android users are tolerant and will accept some form of advertising, but advertisers and developers can be greedy and will ruin the mobile experience. A few years back, there were a handful of aggressive advertising offenders. Now it’s rampant, from full-screen ads to 15-second videos in between game levels. During the first quarter of 2017, we saw an explosion in a new way of advertising: blocking the removal of an overly advertised app. In comes Trojan.HiddenAds.lck, currently the biggest offender of this behavior. There have been thousands of these samples littered across the Android landscape, even being found in the Google Play Store. Many come bundled with seven or more adware libraries.

Blocking the removal of an app on Android is not a new concept—it was made famous by various ransomware families—but to have this done by seemingly ordinary apps is very interesting. Like most Android malware, the malware author uses Android features against the unsuspecting victim, in this case “Device Administrator.”

Figure 13. HiddenAds.lck in action

With the rise of the Bring Your Own Device (BYOD) dilemma, Google introduced device administration to give Enterprise app developers added security control. Apps can implement device policies such as password settings, remote wipe, and locking the device. The one big problem with this is that it is available to all Android app developers, and the bad guys have found a way to abuse it. Most Android users are unaware of the power this setting has, so they blindly accept any app request to be added to the list of device administrators.

In HiddenAds.lck’s case, it uses the “lock device” policy to prevent itself from being uninstalled. The implementation is rather simple:

- Request Device Administrator privilege
- Add logic to wait for an attempt to deactivate the app from Device Administrator
- Lock device

Figure 14. HiddenAds.lck lock access code

This creates a cycle of events where the victim cannot uninstall the offending app, which equals continued ad revenue.

Figure 15. HiddenAds.lck lock screen code

Often the victim can remove HiddenAds.lck and similarly behaving apps by restarting the device in Safe Mode and removing the app from device administration access. Other times, there are more advanced steps needed. Not many Android users even realize there is a Safe Mode on Android, but it is there and can help save the day. Check with your device manufacturer on the button sequence to restart into Safe Mode.

Ransom.Jisut

Jisut is an Android ransomware that has continued to outpace other ransomware with new sample output. The previous quarter saw a huge increase in Jisut samples, and the first quarter of 2017 did not disappoint, with tens of thousands of new samples being introduced into the wild.

Figure 16. Jisut-infected APKs discovered October 2016–March 2017

The Jisut ransomware can act as a stand-alone app or just infect a legitimate app with the Jisut payload or the ransom logic embedded. Like HiddenAds.lck, Jisut also uses device administration against the user. The tactic of this threat is to reset the password or PIN code for the lock screen. If changing these access codes is successful, the malware can threaten the victim with the encryption of files, demanding a ransom for access.

As you can see with these two examples, there is a fine line between what the developers of grayware and those of ransomware do: they prevent users from removing malicious apps and use the device as a revenue maker.

Android predictions

For this next quarter, we don’t expect to see any new and innovative malware on Android, but we do expect to see a lot of the same. Jisut will continue to churn out new samples, the distribution model appears to be working, and they are able to get new infected apps out quickly.

There will likely be another infestation of HiddenAds introduced into the Google Play Store, disguising in-app advertising as the way to go when trying to evade the notice of Google as well as Android security companies.

Distribution methods

The first part of 2017 brought much of the same trends as far as malware distribution mechanisms go, with exploit kits taking a back seat to malicious spam. However, the quarter did bring a few new developments in the form of greater social engineering tactics added to previously effective methods of infection.

Exploit kits

In Q1 2017, exploit kit activity remained low, with even fewer antagonists than in the past quarter. In particular, RIG EK has continued to serve the Cerber ransomware via compromised websites and malvertising campaigns.

The lack of new exploits has led to an increase in social engineering to infect users, especially if they are running a different browser than Internet Explorer. Traffic distributors will triage potential victims upstream and choose to redirect them to an exploit kit (if they are potentially vulnerable) or to a fake page with the same goal of delivering malware.

Figure 17. HoeflerText font scam, spreading Spora

It’s interesting to note that stale exploits are becoming less effective to the point that threat actors are opting for social engineering instead.

For instance, the “EITest” campaign targets Chrome users by tricking them into installing a fake font (“HoeflerText”), which turns out to be the Spora ransomware.

In-the-wild exploits

There haven’t been many changes with the type of exploits being used, despite notable security fixes from both Microsoft and Adobe. In mid-March, Microsoft patched an XML Core Service Information Disclosure Vulnerability (CVE-2017-0022), which had been used to profile users and evade unintended targets in several large malvertising campaigns. These types of exploits have been greatly abused in the past and will most likely continue to be abused for some time. These vulnerabilities are not rated as severe and tend to get patched on longer cycles. Attackers are also keen on finding bypasses to retain their ability to fingerprint users.

Figure 18. Q1 2017 targeted vulnerabilities (chart: top vulnerabilities exploited)

Active exploit kit families

RIG EK is still the most active exploit kit used in various malware campaigns. Its landing page structure both in URL and body patterns remains very much the same. Some RIG EK campaigns use a pre-filtering gate, a mechanism to weed out bots and other non-valuable targets. We have seen such gates with other EKs (for example, Neutrino).

Figure 19. RIG EK traffic

Sundown EK took a step back and even disappeared briefly while copycats emerged. (Ironically, Sundown stole code from other EKs, so it has really gone full circle now.) It’s hard to know for sure what is next for Sundown other than the fact that it has lost its contender position in Q1 2017.

Figure 20. Sundown EK traffic

Figure 21. Magnitude EK traffic

Neutrino EK (a private exploit kit) is a rare occurrence these days—or at least finding it requires more work. It still makes use of fingerprinting, not in the Flash exploit like it used to in the past, but rather in several checks up-front (i.e., gate).

Figure 22. Neutrino EK traffic

We should also mention the very stealthy Astrum EK, which is very hard to identify but actually strikes on very big targets. We saw traces of it in our telemetry in March via attacks on several major UK outlets.

Exploit kit predictions

At the moment, we are in a strange situation of RIG EK monopoly by default. Contrary to its predecessors, RIG EK is not chosen for its advanced exploits and delivery mechanisms, but rather because it is not really facing any direct competition.

There is room for a new contender to bring in some fresh exploits, but so far, we have seen more efforts to leverage social engineering than to innovate. Where this is going next is anyone’s guess, but even if exploit kits lose importance, the distribution campaigns will continue to redirect users to scams or trick them into installing malware.

Malicious spam

Spam continues to be a major infection vector for malware delivery. After a long year-end holiday for spammers, we started to see an uptick in campaigns in February. Campaigns by the notorious Necurs botnet, which had primarily been delivering Locky, suddenly stopped operations, coming back shortly after, and have since been observed delivering “pump and dump” stock campaigns, refraining from malware campaigns for the time being.

Spammers attempt to deliver malspam using any file type or compression method available, and dozens of types of files have been detected. The primary file ...

Figure 23. Commonly observed malspam attachment type

While Locky may be in decline, other malware families such as Cerber are quick to take over. Malware downloaders of all types have been seen installing ...

Social engineering

Social engineering is still the preferred mechanism for spam delivery. Campaigns surrounding shipping notifications and purchase notifications have been seen from many major companies. Also, the use of fax notifications, scanned images, resumes, and traffic tickets continues to be a primary tactic being used.

Spam campaigns are routinely being detected using password-protected documents to thwart automated analysis. The password necessary to unlock the macro file is provided within the body of the email and typically is a seemingly random string of alphanumeric characters. Cerber is routinely seen being delivered with password-protected macro files.
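A sandbox that cannot open the attachment learns nothing, so analysis pipelines need to notice the encrypted container and recover the password from the message body. The triage helpers below are an added example (not Malwarebytes code); the email body and the two container headers are constructed, and the OLE check is a byte-pattern heuristic rather than a full compound-file parse.

```python
"""Triage helpers for the password-protected malspam attachments described
above: decide whether an attachment is encrypted and harvest candidate
passwords from the email body so a sandbox can try them. Added example
(not Malwarebytes code); every sample below is constructed."""
import re
import struct
from typing import Dict, List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc / encrypted OOXML
ZIP_LOCAL_HEADER = b"PK\x03\x04"                  # .docm / .zip containers


def attachment_is_encrypted(data: bytes) -> bool:
    """Heuristic check for the two container formats macro malspam arrives in."""
    if data.startswith(ZIP_LOCAL_HEADER) and len(data) >= 8:
        # Local file header: signature(4) version(2) general-purpose flags(2);
        # bit 0 of the flags marks an encrypted entry.
        flags = struct.unpack_from("<H", data, 6)[0]
        return bool(flags & 0x0001)
    if data.startswith(OLE_MAGIC):
        # A password-protected Office 2007+ file is an OLE compound file whose
        # directory holds 'EncryptionInfo' and 'EncryptedPackage' streams. Stream
        # names are stored UTF-16LE, so a raw substring search is a cheap (not
        # authoritative) indicator; a full CFB directory parse would be exact.
        return "EncryptionInfo".encode("utf-16-le") in data
    return False


# "password: Xk39dQ7p" / "password is Xk39dQ7p" style statements come first.
_EXPLICIT = re.compile(r"password(?:\s+is)?[:\s]+([A-Za-z0-9]{4,16})", re.I)
# Then any standalone alphanumeric token of plausible password length.
_TOKEN = re.compile(r"\b[A-Za-z0-9]{6,16}\b")


def candidate_passwords(body: str) -> List[str]:
    """Ordered, de-duplicated list of tokens that mix letters and digits, which
    is the 'seemingly random alphanumeric string' pattern the report describes."""
    found: List[str] = []
    for tok in _EXPLICIT.findall(body) + _TOKEN.findall(body):
        if tok in found:
            continue
        if any(c.isalpha() for c in tok) and any(c.isdigit() for c in tok):
            found.append(tok)
    return found


def triage(body: str, attachment: bytes) -> Dict[str, object]:
    """Only bother harvesting passwords when the container is actually locked."""
    encrypted = attachment_is_encrypted(attachment)
    return {"encrypted": encrypted,
            "candidates": candidate_passwords(body) if encrypted else []}


# Constructed samples (not from a real campaign).
SAMPLE_BODY = ("Hi,\n\nThe attached invoice is protected. The password is Xk39dQ7p.\n"
               "Order reference: A1B2C3D4\n\nThanks")
# ZIP local header with the encryption bit set (flags = 0x0001), then padding.
SAMPLE_ZIP_ENCRYPTED = (ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x01\x00"
                        + b"\x00" * 22 + b"invoice.docm")
SAMPLE_ZIP_PLAIN = (ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00\x00"
                    + b"\x00" * 22 + b"invoice.docm")
# OLE header followed by a directory entry name as it would appear on disk.
SAMPLE_OLE_ENCRYPTED = (OLE_MAGIC + b"\x00" * 504
                        + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 64)

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, SAMPLE_ZIP_ENCRYPTED))
```

Feeding the candidate list to the sandbox's document opener in order (explicit statement first) recovers the macro for analysis in the common case while leaving plain attachments untouched.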
