CIO Influence
CIO Influence News Security

Avast Q3/2022 Threat Report: Cybergangs Recruiting and Rewarding Supporters

Avast Q3/2022 Threat Report: Cybergangs Recruiting and Rewarding Supporters
The report also describes ransomware gangs innovating to ensure better results, businesses and governments targeted with DDoS attacks, and the state of mobile malware.

Avast, a global leader in digital security and privacy, released its Q3/2022 Threat Report summarizing the cyber threat landscape derived from Avast’s telemetry data and experts’ insights. Avast’s data shows an increase in PC adware activity at the end of September this year. Avast also protected 370% more users from Raccoon Stealer, an information stealer, in Q3/2022 than in the previous quarter. Ransomware attacks increased in some markets such as Canada, Spain, and Germany, but slightly declined at a global level. The chances of mobile users encountering a banking trojan increased by 7% quarter-on-quarter, despite Europol dismantling the Flubot group. Most malicious activities remained stable or declined.

Latest ITechnology News: Varonis Launches Its Flagship Data Security Platform as a SaaS

“An interesting trend we observed this quarter was cyber gangs actively crowdsourcing and paying people to support their criminal activities, including the improvement, marketing and distribution of their malware,” said Jakub Kroustek, Avast Malware Research Director. “In terms of attacks, we noticed an uptick in DealPly adware towards the end of Q3/2022, a massive spike in Raccoon Stealer infection attempts, increased MyKings botnet activity, and a new botnet called Pitraix, written in Go, gaining a bit of traction. Overall, the volume of cyber attacks remained high, despite cybercriminals appearing to relax a bit over the summer months.”

Ransomware Attacks Focusing on Data Exfiltration
The risk to Canadians encountering ransomware this quarter increased by 16% compared to Q2/2022. In Germany and Spain, people were 12% more likely to encounter ransomware. However, at a global level, people faced a slightly lower risk of ransomware attacks quarter-on-quarter.

Latest ITechnology News: LastPass Research Finds False Sense of Cybersecurity Running Rampant

“Ransomware strains increasingly use complicated methods of partial encryption, for example, only encrypting the beginning or end of a file, or blocks of files, to rapidly encrypt files, to avoid user detection,” explained Kroustek. “Furthermore, ransomware gangs are now exfiltrating data from enterprises, threatening to publish sensitive files, and then deleting or corrupting the files rather than encrypting them. We also observed an interesting series of events involving the LockBit ransomware group. The events include the group offering bug bounties to those who discover vulnerabilities or deliver ideas to the group, rewards for people tattooing their logo onto their bodies, group members retaliating and leaking code, and a back and forth between the gang and a security company called Entrust.”

Businesses and Governments Targeted by Hacking and APT Groups
Pro-Russian group, NoName057(16), targeted companies such as banks and news agencies, and governments supporting Ukraine throughout Q3/2022. The group uses a botnet of computers infected with Bobik malware to perform retaliatory DDoS attacks. According to Avast’s observations, the group has a 40% success rate, and about 20% of the attacks they claim responsibility for cannot be accounted for in their configuration files. In August, the group announced a new project called DDOSIA, and created a new, private Telegram group with more than 700 members. The DDOSIA project allows anyone on the internet to download a binary through which they can carry out DDoS attacks on sites determined by NoName057(16). In return, they are rewarded cryptocurrencies.

The Gamaredon APT group also targeted Ukraine in Q3/2022, attacking military and government institutions, and foreign embassies. The group introduced new tools to their toolset, including file exfiltration tools, various droppers, and new ways of distributing payloads and IPs of C&C servers.

LuckyMouse, a well-known Chinese-speaking threat group, targeted several government agencies in the United Arab Emirates, Taiwan, and the Philippines. Avast found backdoors on infected computers, password stealers for Chrome, and open-source tools, like BadPotato, which is used for privilege escalation. The attackers likely infected devices through a compromised server.

Other groups Avast researchers are tracking are the Donot Team, also known as APT-C-35, and Transparent Tribe, also known as APT36. The Donot Team was most active in Pakistan in Q3/2022. Avast discovered DLL modules from yty’s framework on several infected devices. Transparent Tribe, believed to be a Pakistani group, continued to attack victims in India and Afghanistan, infecting PCs using spear-phishing and Office documents with malicious VBA macros. Avast researchers identified that the executables belong to the CrimsonRAT strain, Transparent Tribe’s custom malware used to access infected networks.

Rise in DealPly, Racoon Stealer, and MyKings
DealPly, adware installed by other malware, peaked at the end of September 2022. The adware is a Chrome extension capable of modifying new pages within the browser and can replace newly-opened tabs, read browser history, change bookmarks, and manage apps, extensions, and themes in the browser. These capabilities allow the cybercriminals behind the extension to modify search results and replace them with ads, read passwords and credit card details stored in the browser and read what users enter in forms (as well as what they filled in in the past).

Raccoon Stealer, an information stealer capable of stealing data and downloading and executing additional malware, made a big comeback in Q3/2022. Avast protected 370% more users from the stealer during this quarter.

“Raccoon Stealer spreads when users attempt to download ‘cracked’ versions of software like Adobe Photoshop, Filmora Video Editor, and uTorrent Pro,” explained Kroustek. “People often ignore or turn off antivirus shields when attempting to download files like cracked software versions, putting themselves at risk of downloading malware like Raccoon Stealer. Malware is often capable of downloading additional malicious programs, which is how DealPly is spread, for example. Therefore, users must install antivirus software and leave protections on at all times.”

Latest ITechnology News: Whistic Partners With anecdotes to Provide Vendors a One-stop Shop to House Their Security and Compliance Information

[To share your insights with us, please write to sghosh@martechseries.com]

Related posts

SAIC to Acquire Federal Health IT Company Halfaker and Associates

CIO Influence News Desk

New Relic Pioneers Business Observability with Pathpoint

CIO Influence News Desk

Fuze Announces New Patent For End-to-End Data Encryption