Some of the key takeaways from February’s Latest Intelligence, and the threat landscape in general, include the highest increase in malware variants since October 2016, more Symantec research into the Shamoon attackers, and some unconventional tactics used by Android.Lockdroid.E variants.
The number of new malware variants seen in February increased to 94.1 million, the highest level seen since October 2016. A possible cause for this uptick is an increase in activity from the Kovter (Trojan.Kotver) family of threats.
The rate of email malware also increased in February to one in 635 emails, up from one in 722 the previous month. However, overall email malware rates for January and February are much lower than in previous months, a likely effect of a lull in activity from the Necurs botnet (Backdoor.Necurs), which has been quiet since late last year.
The month of February also saw Symantec publish more research into the attackers behind the destructive disk-wiping malware Shamoon (W32.Disttrack.B). Symantec revealed that recent attacks involving Shamoon were launched by attackers conducting a much wider campaign in the Middle East. While the attackers targeted multiple organizations in the region, only certain targets were infected with Shamoon. Symantec’s investigation into this group continues.
Another Symantec blog discussed how the Pandex spambot (Trojan.Pandex) is now delivering the Sage 2.0 ransomware (Ransom.Cry). Researchers Eduardo Altares, Patrick Nguyen, and Xinlei Cai found that Sage 2.0 shared similar routines with Cerber ransomware (Ransom.Cerber). Although no definitive link between the two malware families has been found, Sage 2.0 now also offers multiple-language support in its ransom note and uses the same process list as Cerber version 4.
The two most active exploit kits in February were RIG (25 percent of all exploit kit activity) and SunDown (14.5 percent). However, RIG saw a decrease in activity compared to January, down 3.9 percentage points, while SunDown saw an increase of 6.4 percentage points. These changes in activity for the two kits align with observations from outside sources.
The rest of the top five exploit kits for February remain mostly the same as January, with Magnitude taking the number three spot (4.6 percent, down from 6.1) and Angler taking fourth place (0.6 percent, down from 0.9). The only change in rankings for February was fifth place going to Neutrino (0.5 percent, down from 0.8), which knocked Blackhole out of the top five.
Figure 2. February’s top five exploit kits by activity
The number of web attacks blocked per day in February dropped slightly to 394,000, down from 419,000 in January.
Although there were no new Android malware families discovered last month, the number of variants per family reached 60. This is highlighted by a trio of blogs released by Symantec researchers in February. Two of the blogs, authored by Dinesh Venkatesan, discuss variants of the Android.Lockdroid.E family. Dinesh found one Lockdroid variant that uses speech recognition APIs and requires victims to speak an unlock code instead of the traditional method of typing it in.
Additional research by Dinesh found yet another Lockdroid.E variant that displays a 2D barcode that users must scan to log in to a messaging app to pay the ransom. The final blog, by Shaun Aimoto, discusses three malicious applications (variants of Android.Fakeapp) on Google Play that collect ad revenue by clicking on ads while running in the background. The malicious apps use three deceptive techniques that are relatively common on their own, but Shaun’s discovery is the first time they have been observed being used together.
The global spam rate saw a slight reduction of 0.1 percent in February, down from 53.8 to 53.7 percent. It was a tight race for the top spot in terms of sectors with the highest spam rates in February with just 0.01 percentage points between the Construction sector (59.28 percent) and the Mining sector (59.27 percent).
There was some good news last month in the fight against spam with the arrest and indictment of one of the world’s top 10 worst spammers.
Phishing decreased last month to just one in 8,246 emails, down from one in 3,271 in January. The phishing rate also declined across all industries in February.
While phishing rates declined last month, we also saw a new tactic being used by smartphone thieves, who are now attempting to phish their victims' login credentials in order to unlock stolen phones. Stolen high-end smartphones can earn criminals a lot of money, but only if they can gain access to them. This latest trick shows the lengths thieves are willing to go to in order to get into a device.
This is just a snapshot of the news for the month. Check out the Latest Intelligence for a bigger picture of the threat landscape with more charts, tables, and analysis.