Professional Documents
Culture Documents
Cybercrime
tactics and
techniques
Q2 2020
Table of contents
Attack on home base...........................4
Distributed malware............................ 5
Avemaria................................................................................. 6
NetwiredRC............................................................................. 8
Lokibot.................................................................................. 10
Azorult....................................................................................12
Danabot..................................................................................14
Other efforts...................................... 16
Card skimmers.......................................................................16
State sponsored attacks........................................................18
The coronavirus pandemic has left the world looking very different at the end of
the quarter than it did at the beginning. For starters, millions of workers are out
of the office and working from their homes. This change in scenery, combined
with safe social distancing efforts that help prevent the spread of COVID-19, has
created a crisis for many, but an opportunity for some.
This special, COVID-19 themed CTNT report for January 2020 to March 2020
looks at the most prominently spread malware families taking advantage of this
crisis, as well as other cybercriminal efforts we observed. We will give you a look
into what the campaigns that spread these threats look like and the capabilities
of the malware, along with information about card skimmers and APT attacks,
wrapping up with some tips on staying safe.
Malware profile
300
200
Detections
• Password stealer 150
• Downloader
100
50
• Keylogger 0
9
9
19
19
19
20
0
9
-1
-1
r-1
l-1
-1
-1
-1
-2
-2
-1
n-
c-
p-
n-
ay
ar
ov
ug
ct
ar
b
b
u
• Remote shell
De
u
Se
Fe
Fe
-J
M
O
-A
M
-J
-A
-J
24
-
-
-
-
24
-
-
24
-
24
24
24
24
24
24
24
24
24
24
24
• Privilege escalation Figure 1. AveMaria detections, February 2019 - March 2020
Recent activity:
AVEMARIA
The AveMaria Remote Access Trojan 1200
109.6%
purchase on the dark web for about
800
600
threat, with a 109.6 percent increase Figure 2. Avemaria percentage change January - March 2020
Spread via:
Malware profile
700
• Downloader 600
500
• Keylogger
Detections
400
• Information stealing
300
200
• System manipulation
100
9
9
19
19
19
20
0
9
-1
-1
r-1
l-1
-1
-1
-1
-2
-2
-1
n-
c-
p-
n-
ay
ar
ov
ug
ct
ar
b
b
u
p
De
u
Se
Fe
Fe
-J
M
O
-A
M
-J
-A
-J
24
-
-
-
-
24
-
-
24
-
24
24
24
24
24
24
24
24
24
24
24
Figure 4. NetWiredRC detections, February 2019 - March 2020
Recent activity:
2000
500
hotel industry in North America. Figure 5. NetWiredRC percentage change January - March 2020
Spread via:
This malware has been observed
primarily through malicious phishing
campaigns, using numerous themes
and ploys to get users to install
the malware. A recent campaign
claimed to be providing COVID-19
information from UNICEF, the
Figure 6. Phishing email impersonating UNICEF,
children’s aid organization. spreading NetWiredRC
Malware profile
350
Capabilities: 300
250
Detections
• Keylogger
200
150
100
• Password stealer 50
0
9
20
20
20
20
0
-1
-1
-1
-2
-2
-2
-2
-2
-2
-2
-2
-2
r-2
-2
n-
n-
n-
n-
ec
ec
ec
ar
ar
ar
ar
ar
pr
b
eb
eb
Ap
Ja
Fe
Fe
-M
-D
-M
-M
-D
-D
-A
-J
-J
-J
-F
-F
5-
5-
2-
9-
1-
8-
12
26
19
22
15
29
12
16
23
22
15
29
Recent activity: Figure 4. LokiBot detections, December 2019 - April 2020
600
200
coronavirus pandemic, we have Figure 8. LokiBot percentage change January - March 2020
Spread via:
Malware profile
1000
• Cryptocurrency theft
Detections
800
600
• Downloader 400
200
Recent activity:
-19
-19
9
-19
19
-19
-19
-19
0
-19
r-1
l-1
-1
-2
-2
-2
n-
ar
ay
ov
ug
ct
ec
ep
ar
an
eb
u
eb
-J
-M
-O
-A
-M
-N
-M
-D
-J
-S
-A
-J
-F
-F
24
24
24
24
24
24
24
24
24
24
24
24
24
24
Figure 10. AZORult detections, February 2019 - March 2020
The AZORult malware remained
a steady threat throughout 2019.
Then, starting in November, we AZORULT
6000
2000
Spread via:
Malware profile
1000
• Password stealer
Detections
800
600
• Downloader 400
200
• Browser manipulation 0
-19
-19
-19
-19
-19
-19
-19
-19
19
0
-19
-1
-2
-2
-2
c-
ov
ar
pr
ay
un
ul
ug
ct
ep
ar
an
eb
eb
e
• Phishing website
-J
-M
-O
-A
-M
-N
-M
-D
-J
-S
-A
-J
-F
-F
24
24
24
24
24
24
24
24
24
24
24
24
24
24
redirection Figure 13. DanaBot detections, February 2019 - March 2020
Recent activity:
DanaBot has been active since
September of 2019, with a dip in
detections between January and
February 2020. This dip resulted in
a rise of 166 percent in detections
between February and March 2020.
DANABOT
5000
4500
4000
3500 166.3%
3000
2500
-21.5%
2000
1500
1000
500
0
Jan-20 Feb-20 Mar-20
DanaBot is being spread in numerous ways, from exploit kit malvertising attacks,
to malicious email campaigns. The Polish CERT organization recently sent a
warning to Polish citizens about a campaign pushing the DanaBot malware
through malicious PowerPoint presentations. In addition, DanaBot is one of the
possible payloads we may see installed by the fake Johns Hopkins coronavirus
map which was first discovered in March.
Figure 15. Fake Johns Hopkins University coronavirus map application used to spread malware like DanaBot
Card skimmers:
800
600
Skimming attacks blocked
400
200
0
20
20
20
-2
-2
-2
n-
n-
b-
ar
eb
ar
a
-M
-M
-J
-J
-F
-F
12
26
09
23
22
Figure 16. Increase in card skimmer URLs blocked, January – March 2020 08
You can find out more about the rise in card skimmers and about some notable
companies whose customers have become victims of this method of attack on the
Malwarebytes Labs blog: “Online credit card skimming increased by 26 percent
in March.”
The threat landscape of the last few months has been very different from the one
we saw at the end of 2019. Attacks in the COVID-19 era are focused on stealing
your information and using remote employees as doorways into more valuable
networks. This means that we need to make sure to spread valuable security
knowledge to protect people while they are working at home base.
2. Using a virtual private network or VPN. This will not keep you protected from malware;
however, it will help to keep your online activities from your browser or connection revealing
personal information or tracing your behavior. This creates an additional measure of layered
protection when you shop online.
4. Avoiding repeated entries of credit card numbers into applications. Use something like
PayPal, Apple Pay, Samsung Pay, or Google Pay, which can offer greater security of your
financial information and reduce the chance that your card information will be spread online.
Malwarebytes is a cybersecurity company that millions worldwide trust. Malwarebytes proactively protects people and businesses against malicious
threats, including ransomware, that traditional antivirus solutions miss. The company’s flagship product uses signature-less technologies to detect and
stop a cyberattack before damage occurs. Learn more at www.malwarebytes.com.
Copyright © 2020, Malwarebytes. All rights reserved. Malwarebytes and the Malwarebytes logo are trademarks of Malwarebytes. Other marks and brands may be claimed as the property of others.
All descriptions and specifications herein are subject to change without notice and are provided without warranty of any kind.