Data breaches and ransomware attacks on large companies still make the headlines. Find out in this blog post which malware threat trends will occupy us in 2020.
The Lazarus Group, which has been associated with North Korea, has been actively targeting cryptocurrency exchanges since 2018. A script checks whether the target's operating system is Windows or macOS, which shows that the group can develop malware for both Windows and Apple environments. In the macOS case, an executable payload is downloaded: a custom-built backdoor that attempts to connect to one of three C2 servers.
For 2020, we expect even more professional, targeted phishing emails paired with a matching attachment. The technique of URL-based email attacks will probably also be refined. This continues the trend towards more complex attack chains and diversions, through which cyber criminals can hide their activities even better and exploit several attack vectors in parallel. The development of Emotet together with the malware Trickbot is also interesting in this context. In this constellation, we will probably continue to see the modular Trickbot malware among other components. The Trickbot loader component, which today deactivates Windows Defender and other AV processes, can obtain the administrative rights required to do so.
In mid-2019, a memory-resident malware attributed to APT41 was found on Linux-based servers of various telecommunications providers, the servers responsible for delivering SMS messages to recipients. The malware is a 64-bit data miner. It is loaded onto the target infrastructure using an installation script. Once installed, it checks every 30 seconds whether the two configuration files it requires exist. One file contains both the sender target list and the recipient target list in the form of IMSI numbers. The other file contains keywords to search for. If both configuration files can be read successfully, they are loaded into the server's main memory and deleted from the file system.
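The read-then-delete pattern described above is something a defender can look for on SMS infrastructure: a single process opening several files for reading and unlinking each of them shortly afterwards. The following detection logic is an added example for this post, not code from the original article or from any vendor report; the audit-style log format, the process and file paths are constructed placeholders, not indicators of the real malware.

```python
import re
from collections import defaultdict

# Constructed audit-style log lines (placeholder paths, not real indicators).
SAMPLE_LOG = """\
1577836800 pid=4242 exe=/opt/smsgw/bin/relay op=open path=/tmp/targets.cfg mode=r
1577836800 pid=4242 exe=/opt/smsgw/bin/relay op=open path=/tmp/keywords.cfg mode=r
1577836801 pid=4242 exe=/opt/smsgw/bin/relay op=unlink path=/tmp/targets.cfg
1577836801 pid=4242 exe=/opt/smsgw/bin/relay op=unlink path=/tmp/keywords.cfg
1577836900 pid=9001 exe=/usr/bin/vim op=open path=/etc/hosts mode=r
1577837500 pid=9001 exe=/usr/bin/vim op=unlink path=/tmp/.hosts.swp
1577836800 pid=7 exe=/usr/bin/logrotate op=open path=/var/log/old.1 mode=r
1577836900 pid=7 exe=/usr/bin/logrotate op=unlink path=/var/log/old.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) "
    r"op=(?P<op>open|unlink) path=(?P<path>\S+)"
)


def parse(log):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"], ev["pid"] = int(ev["ts"]), int(ev["pid"])
            yield ev


def find_read_then_delete(log, window=60, min_files=2):
    """Return {(pid, exe): [paths]} for processes that opened at least
    `min_files` files for reading and unlinked each one within `window`
    seconds of the open. logrotate above falls outside the window and
    vim deletes a different path than it read, so neither is reported."""
    opens = {}                      # (pid, path) -> timestamp of the open
    hits = defaultdict(list)
    for ev in parse(log):
        key = (ev["pid"], ev["path"])
        if ev["op"] == "open":
            opens[key] = ev["ts"]
        elif ev["op"] == "unlink" and key in opens:
            if ev["ts"] - opens.pop(key) <= window:
                hits[(ev["pid"], ev["exe"])].append(ev["path"])
    return {proc: paths for proc, paths in hits.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for (pid, exe), paths in find_read_then_delete(SAMPLE_LOG).items():
        print(f"suspicious: pid={pid} exe={exe} read-then-deleted {paths}")
```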