In-depth analysis of a Cerberus trojan variant.
The Avira quarterly malware threat report provides a synopsis of the changing landscape of cyber threats seen around the world each quarter. This first summary report highlights the increases – and decreases – in threats and exploits that made their mark between Q3 2019 and Q4 2019.
Future reports will track both changes in the immediate three month period, and provide detailed commentary on notable changes seen recently.
Q4 2019 saw a 7% increase in cyberattacks worldwide compared to Q3 2019 – equating to a compound growth rate of 30%. Notably the quarterly comparison shows a steep 47 % increase in the number of threats targeting office applications such as Word, Excel, PowerPoint and PDF documents . We also saw a growing number of detections for Adware (22 %), PUA (10 %) and Mobile threats (13 %). Overall Exploits, Script malware, Trojans, Worms and File infectors grew by 5 % compared to Q3 of 2019. Coin Miners showed a slight decline in the final quarter of 2019.
In our quarterly malware report, the malware group Office includes trojanized Word, Excel and Power Point documents containing malicious macro code. PDFs are also a part of this group, and they have either malware script code or phishing embedded.
Emotet first appeared in 2014 as a banking malware that attempted to infect computers and steal sensitive information. This malware mostly spreads by spam and phishing emails with infected attachments and embedded malicious URLs. It has worm-like capabilities to spread to other connected computers. It also collects the victim’s contact list and sends itself to the email addresses within their contact list. Emotet uses the infamous “Eternal Blue” smb exploit to directly takeover unpatched Windows systems – all without requiring any user clicks or logins.
Dridex is one of the most notable forms of online banking malware. It has multiple information theft routines such as form grabbing, clickshot taking, and HTML injections. Dridex also has the ability to ‘inject’ malicious code into certain websites that the affected user is currently viewing. Instead of a login page sending the entered credentials to the organization, it sends the information to the cybercriminals.
The growth in mobile exploits signals an evolution of the mobile threat landscape. While Windows is still by far the most vulnerable system, mobile threats are greatly underestimated. As is common with other systems, mobile vulnerabilities may expose mobile devices to malware attacks and exploits. We see that Android malware families often specialize in pushing advertisement for revenue, while others delve much deeper into the host system.
Applications containing Hiddad, an ad-distributing malware for Android, receive many 5-star ratings from infected users. Unfortunately not for the right reasons. Hiddad is presented as a YouTube downloading app. It usually goes to market on Google Play labeled as Tube mate or Snap Tube. The apps distributing this malware often trick or force the user into providing a 5-star rating (by not closing the pop-up window). This shows why it’s important to read the reviews and not just count the numbers of 5-star ratings.
Triada is the most advanced mobile threat seen to date. It is a modular mobile Trojan that actively uses root privileges to substitute system files. Using this and several other clever methods, it can become almost invisible. Triada is usually not the first contact in the infection chain: other small and lightweight malware apps often reach the system first, opening root access on the device before further infecting it with sideloaded threats, paving the way for Triada’s backdoor and banker capabilities.
You can learn more about new and novel malware in the research section of the Avira Insights blog, or find out how you can improve your own detection rates by using Avira’s anti-malware SDKs or threat intelligence.