Malwarebytes Research Unveils Upcoming Threats In Q4 2017

The third quarter of 2017 brought with it a number of events that left us in awe and disbelief.  From the embarrassing leak of over 143M confidential records from one of the world’s largest and self-reputed security and fraud mitigation specialists, to the arrest of famed security researcher dubbed ‘hero’ after helping to stop the most widespread ransomware attack of all time – this quarter has just about seen it all.

In our third Cybercrime Tactics & Techniques report (read the second one here), we are going to take a deep look at what threats got our attention the most during the third quarter of the year, and more importantly, what we expect to happen moving through the next quarter.

Looking ahead to the fourth quarter of the year:

• Spam will continue to be a driving force in the delivery of new malware variants.
• Multi-language Tech Support Scams are on the rise globally and driven by geo-targeted malvertising campaigns, this is likely going to get worse.
• We predict a seasonal shift of Indian scammers to focus on IRS scams through the next quarter, to take advantage of the upcoming tax seasons.
• We may see a return of fake virus scanners used by System Optimizer PUPs to push their products, this is similar to the landscape a few years ago, where you could find a “cleaner” around every corner and nearly all of them lied to you
• Exploit Kits using SSL in their infection chain will become more common and create new challenges.
• Variants of existing exploit kits or newcomers are likely to show up as there is still room and market share to take away from RIG EK.
• The increase in malware for Android devices is expected to continue into the last quarter.
• The latest “clicker” malware for mobile devices will morph some with new code and more obfuscation to avoid detection by security vendors and to bypass Google Play protect.
• Emotet has demonstrated the ability to evolve as a highly modular banking trojan.  With the continuing development of this malware family, we will surely see new features soon.

Additional items of interest include:

• Equifax breach compromises the names, social security numbers, addresses, driver’s license IDs and credit card numbers of an estimated 143 million individuals.
• Cerber remained the dominant ransomware for the fourth quarter in a row, but Locky is closing in on that lead.
• Spam continues to be a dominant force in the spread of malware.  Dominant malware families such as Locky, Trickbot, GlobeImposter, PrincessLocker, and Emotet all use spam as a distribution mechanism for new samples.
• Activity from exploit kits is on the decline, although Rig Exploit Kit, Disdain Exploit Kit, and the Terror Exploit kit continue to spread various ransomware campaigns.
• Astrum via AdGholas is one of the most sophisticated malvertising operations we’ve seen to date due to the use of SSL and additional exploits to evade detection.
• Mac users have seen a 240% increase in the number of malware over this this year over last with the addition of new variants of OceanLotus.
• Android users are being targeted by a new ‘clicker’ trojan named Android/Trojan.Clicker.hyj which also possesses spreading capabilities via victims contact list.
• Tech support scammers continue their barrage of attacks against consumer and are now targeting users of FrancPhones.
• Police across the globe have made arrests in connection to various malware incidents and compromised networks relating to attacks against HBO, the Office of Personnel Management, and CIA Director John Brennen.