JANUARY-JULY 2018 CRIMEWARE TRENDS:

A Sampling of Malicious E-Mail Attachments

© 2018 Gigamon. All rights reserved. 2

INTRODUCTION

We’ve long known e-mail to be the primary method of end-point system compromises around the world, and that continues to be the case today. As the folks at F-Secure wrote in a recent blog article, “If you’re going to encounter malware in 2018, chances are it will happen through spam.”1

To better understand patterns and changes to campaign volume and detection, the Gigamon Applied Threat Research (ATR) team collected a sample of malicious e-mail attachments delivered to our customers during the first half of 2018 (1H 2018) and the detection rates of these samples on VirusTotal.2 This practice of collection and analysis helps validate our anecdotal observations and suspicions about threat-actor behavior patterns, as well as observe campaign beginnings, periods of possible experimentation, and occasionally, ends. Additionally, this collection and analysis cycle assists the Gigamon ATR team in staying ahead of evolving campaigns for detection and investigation purposes.

1 Sattler, Jason. “Why Spam Is On the Rise - Again.” F-Secure Blog. July 31, 2018. Accessed October 09, 2018. https://blog.f-secure.com/why-spam-is-on-the-rise-again/.

2 VirusTotal. Accessed October 17, 2018. https://support.virustotal.com/.

EXECUTIVE SUMMARY

Malware is malicious software used to perform malicious activity to gain control or access to a computer, device or network. Attackers develop the software to gain access, steal credentials and files, or cause damage to your system or network.

This e-book dives into the crimeware activity our team has observed in the wild. Our research covers data from the first half of 2018 and includes the crimeware families, their prevalence and the file types preferred by each group.

THE DATA

Our dataset consists of samples attached to malicious spam (malspam) attacks from January to June 2018. The file type distribution (Figure 1) shows that malspam attachments are primarily documents, plain executables and archives, with a few outliers such as an Internet Query file (IQY).

For each sample, we identified the family, such as Trickbot or Emotet, and collected anti-virus detection history from VirusTotal. Figure 2 shows the family distribution, with LokiBot being the most prevalent in our dataset, followed by a closely competing group of Pony, Emotet and Trickbot.

Figure 1: Sample distribution by filetype

Figure 2: Sample distribution by family

Figure 3: Sample distribution by family

The total number of incidents that we observed first hand, per week, is shown in Figure 3. Notably, the fewest incidents occurred during the first three weeks of 2018, which we anecdotally observe every year. A potential explanation for this phenomenon is that some actors observe the January 14 Old New Year and work less during the holiday span from Christmas to the Old New Year.

The large surge in the number of LokiBot malspam campaigns — as well as Pony and several keyloggers and remote access trojans (RATs) — is mostly due to LokiBot having been co-opted by Nigerian threat actors, as an extension of the monetization evolution begun by Russian-language threat actors.3

3 “SilverTerrier: The Rise of Nigerian Business Email Compromise.” May 8, 2018. Accessed October 09, 2018. https://www.paloaltonetworks.com/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise.html.

Figure 4: Mean anti-virus detection ratio per days on VirusTotal

Mean anti-virus detection history for all samples is plotted in Figure 4. After collecting the detection history for each sample, we manually removed a few broken outlying records where all anti-virus scores spontaneously appeared empty late in the lifetime of an otherwise well-detected sample, or where the total number of reporting anti-virus products was well below normal. Then we fit logarithmic curves to each sample with a sufficient number of measurements and averaged the curves. We chose to individually fit each sample and average the fitted curves, instead of averaging the samples and fitting the average, because each sample has a different number of measurements and the measurements were all taken at varying times in the sample lifetime. This avoids over- and under-representing samples based upon how many times they were scanned.
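As an added illustration (not code from the e-book or from the Gigamon ATR team), the per-sample log fitting and curve averaging described above, written in Python over constructed detection histories; the zero-score outlier filter, the minimum of three measurements and the 0.20 “well detected” floor are assumptions of this example, not the team’s actual thresholds.

```python
import math

# Constructed detection histories, not real VirusTotal data: per sample, a list of
# (days since first submission, detected/total engines). Scan counts and timings
# differ per sample, which is why each sample is fitted before averaging.
HISTORIES = {
    "sample_a": [(1, 0.20), (2, 0.35), (4, 0.45), (7, 0.50), (14, 0.55)],
    "sample_b": [(1, 0.40), (3, 0.52), (10, 0.62)],
    "sample_c": [(1, 0.10), (2, 0.20), (5, 0.30), (9, 0.38), (30, 0.48)],
    # Score collapses to zero late in life after solid detection: the kind of
    # broken record the e-book says was removed by hand.
    "broken": [(1, 0.50), (2, 0.55), (20, 0.00)],
}
MIN_MEASUREMENTS = 3   # assumed threshold for "a sufficient number of measurements"
DETECTED_FLOOR = 0.20  # assumed: once above this, the sample counts as well detected

def is_broken(history):
    """True if an empty (0.0) scan follows a scan that showed solid detection."""
    peak = 0.0
    for _, ratio in sorted(history):
        if ratio == 0.0 and peak >= DETECTED_FLOOR:
            return True
        peak = max(peak, ratio)
    return False

def fit_log(history):
    """Least-squares fit of ratio = a + b * ln(day); returns (a, b)."""
    xs = [math.log(day) for day, _ in history]
    ys = [ratio for _, ratio in history]
    n, sx, sy = len(history), sum(xs), sum(ys)
    sxx = sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    denom = n * sxx - sx * sx
    if abs(denom) < 1e-12:  # every scan on the same day: no slope to estimate
        return sy / n, 0.0
    b = (n * sxy - sx * sy) / denom
    return (sy - b * sx) / n, b

def fit_all(histories):
    """Fit every usable sample, skipping broken ones and ones with too few scans."""
    return {name: fit_log(h) for name, h in histories.items()
            if len(h) >= MIN_MEASUREMENTS and not is_broken(h)}

def mean_curve(fits, days=30):
    """Average the fitted curves (not the raw scans) on day grid 1..days, clamped to [0, 1]."""
    curve = []
    for day in range(1, days + 1):
        vals = [a + b * math.log(day) for a, b in fits.values()]
        curve.append(min(1.0, max(0.0, sum(vals) / len(vals))))
    return curve
```

Calling mean_curve(fit_all(HISTORIES)) yields the 30-day mean curve that a Figure 4 style plot would draw; index 0 is the day-one ratio and index 6 the end-of-first-week ratio.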

Ideally, we would see high initial detection rates, and for those that are not well detected, sharply increasing detection rates as security vendors adapt to the threat. Visually, up and left is better.

We can see that, on average, 32.6 percent of anti-virus products detected samples on the first day, with 48.8 percent detecting samples by the end of the first week. Some attacks are more challenging than others to analyze in isolation. For example, second or later stages in attacks may require code or data, like encryption keys, from earlier stages to run. However, this dataset contains exclusively first-stage malware. While first-stage malware is not without its own analysis challenges (e.g., legacy or uncommon file formats, uncommon features, obfuscations and evasions, remotely included data), a 32.6 percent initial detection rate for it is concerningly low.

LokiBot

LokiBot has targeted victims since 2015 and is now commodity malware sold on various underground crimeware websites. It is designed to steal login credentials and other private data from infected machines and exfiltrate that data via HTTP POST to command and control (C2) servers. The private data it targets includes locally stored passwords, login credentials from several web browsers and admin tools such as PuTTY, and a variety of cryptocurrency wallets.

Most of today’s LokiBot samples are modified versions of the original malware, which was developed by an individual who went by the online alias “lokistov,” a.k.a. “Carter,” on multiple underground hacking forums. It was originally sold for up to US$300, but later other hackers on the dark web also started selling the same malware for lower prices (as low as US$80). LokiBot has been a primary weapon for the Nigerian threat actors who have flocked to these underground forums, and it has become a very popular tool for them.

Of the four most prevalent families, LokiBot delivers the most diverse set of filetypes in its initial attachments (Figure 6). Despite this, it is detected both initially and during each subsequent campaign by more anti-virus products than the baseline (Figure 5). We find this true for the majority of the most prevalent families, which makes sense under the intuition that the loudest campaigns will be caught, shared and tracked more frequently.

Figure 5: Mean anti-virus detection ratio of LokiBot samples per days on VirusTotal

Figure 6: Filetype distribution per LokiBot sample

What Is It? Banking Trojan

Crimeware Family Summary: First seen in 2015, and considered one of the first instances of malware infecting core Android OS device processes

What Does It Do? Steals locally stored passwords and login credentials

Prevalence Witnessed: 26.5%

Preferred Filetype(s):
• EXE – 32.1%
• RTF – 20.2%
• RAR – 16.7%

Emotet

Emotet is a banking trojan that, once executed, can spread to other systems by brute force using credentials or by exploiting unpatched software with exploits like ETERNALBLUE. However, despite its capabilities as a banking trojan, it is often used as a dropper to establish initial access and then download and execute other payloads.

We witnessed almost exclusively the legacy Microsoft Word document file format in Emotet e-mails, with the exception of a few plain Windows executables (Figure 8). Compared to the other most prevalent families, Emotet delivered the least diverse set of filetypes. More anti-virus products detect Emotet samples than the mean malspam sample, even on the first day the sample arrives on VirusTotal (Figure 7).

Figure 7: Mean anti-virus detection ratio of Emotet samples per days on VirusTotal

Figure 8: Filetype distribution per Emotet sample

What Is It? Banking Trojan

Crimeware Family Summary: A member of the Feodo family of trojan malware, first reported in Germany, Australia and Switzerland in 2014

What Does It Do? It’s used as a dropper to establish initial access and then download and execute other payloads. It can then spread to other systems by brute force with credentials or by exploiting unpatched software.

Prevalence Witnessed: 9.5%

Preferred Filetype(s):
• Doc – 93.3%

Pony

Pony (a.k.a. Fareit) is another credential and information stealer that can collect passwords for over 110 different applications, including VPN, FTP, e-mail, instant messaging and web browser clients. It was originally related to the Reveton worm, but in recent years different threat actors have modified it to enhance its functionality.

Detected as early as 2011, Pony is not a new threat — it started as a simplistic malware downloader and has evolved into its current form over time.

Pony is the most detected family in our dataset (Figure 9). It is the only family for which anti-virus solutions exceed 40 percent detection on the first day in VirusTotal. This is interesting because Pony has less filetype diversity (Figure 10) than LokiBot and more than Emotet, yet it is still detected by more anti-virus solutions than either.

Figure 10: Filetype distribution per Pony sample

What Is It? Credential Stealer

Crimeware Family Summary: Pony is best known for its involvement in stealing $200,000 in Bitcoin and other virtual currencies between 2013 and 2014

What Does It Do? Credential and information stealer that can collect passwords for over 110 different applications including VPN, FTP, e-mail, instant messaging and web browsers

Prevalence Witnessed: 10.7%

Preferred Filetype(s):
• EXE – 55.9%

Figure 9: Mean anti-virus detection ratio of Pony samples per days on VirusTotal

Trickbot

Trickbot is a banking Trojan, closely related to the banking Trojan known as Dyre or Dyreza, with which it shares much of the underlying code and features. It has undergone periods of experimentation by the threat actors who control it, which has resulted in various deployment and obfuscation techniques, and it is still changing its methodologies.

Trickbot’s command and control (C2) infrastructure is encrypted, hierarchical and multi-tiered; it is dynamic and is still being enumerated and analyzed. It shares some commonalities with the Emotet C2 infrastructure, raising the possibility that the Russian-language threat actors behind Trickbot may also have a hand in the development and operation of the Emotet botnet.

Trickbot comes almost exclusively in various common Microsoft Office document formats (Figure 12). It is the least detected of the four most prevalent families. Although detection rates on the first day of submission slightly outperform the mean, they begin a trend of underperformance after the first few days on VirusTotal.

Figure 12: Filetype distribution per Trickbot sample

What Is It? Banking Trojan

Crimeware Family Summary: Since its inception in 2016, TrickBot has continually undergone updates and changes in attempts to stay a step ahead of defenders and internet security providers.

What Does It Do? Trickbot command and control (C2) infrastructure is an encrypted, hierarchical, multi-tiered infrastructure that is dynamic, is still being enumerated and analyzed, and ironically shares some infrastructure with the Emotet C2 infrastructure

Prevalence Witnessed: 9.1%

Preferred Filetype(s):
• Doc – 51.7%
• RTF – 37.9%

Figure 11: Mean anti-virus detection ratio of Trickbot samples per days on VirusTotal

Worldwide Headquarters: 3300 Olcott Street, Santa Clara, CA 95054 USA | +1 (408) 831-4000 | www.gigamon.com

© 2018 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1073-01 10/18

MITIGATION ACTION

While there is no sure-fire way to protect your corporate environment against all malware, there are steps you can take to mitigate risk in your network.

First, train employees to:
• Not open e-mail attachments or follow unsolicited or suspicious links in e-mails
• Check e-mail headers for clues that may indicate that the e-mail is not from whom it purports to be
• Run reputable antivirus on end-systems

Additionally, organizations can also:
• Deploy network security monitoring to detect connections to known malicious payload and/or command-and-control hosts (e.g. an Intrusion Detection System (IDS) or relevant network security monitoring such as Gigamon Insight)
• Deploy/implement real-time anti-spam mitigation systems that can detect these e-mails and quarantine malicious content

CONCLUSION

From tracking active attempts against customers, we can solidify our suspicions about threat actor behavior patterns with first-hand observation. Tracking detection rates shows which families are most successful at evading detection with new attacks, and how well the industry responds to campaigns.

We find that, in general, malspam attachments are only detected by 32.6 percent of anti-virus solutions in VirusTotal on the first day of submission. The most prevalent families are slightly less effective at evading anti-virus, and the anti-virus industry responds to these campaigns more effectively than to the average malspam attack.

However, even in the best-case scenario with Pony, detection rates only outperform the mean by around 10 percentage points, and Pony samples still evade most anti-virus solutions on the first day they hit VirusTotal. Of the most prevalent families, we find that Trickbot is the most successful at evading anti-virus solutions long term on VirusTotal, which should encourage further study.

Follow Our Research

To read more research and understand how we help customers identify threats through advanced detection, visit gigamon.com/atr.