Botnet Trend Report -3

July 27, 2020 | Adeline Zhang

Botnets can pose a variety of cyber threats. NSFOCUS Security Labs has been focused on the capture, tracking, and study of botnet-related threats. In 2019, the Labs further upgraded its capturing and tracking techniques and capabilities and expanded its scope of interest to cover more diverse threats, including cryptojacking, ransomware attacks, data theft by banking Trojans, and adware bundling. In addition, the Labs took up research on mobile platforms, whose security was in a poor state.

When it comes to compromise methods, weak passwords and remote vulnerabilities were still much favored by cybercriminals. In the past year, NSFOCUS Security Labs captured over 13 million SSH brute-force attacks and over 4.6 million attacks launched via the EternalBlue exploit. At the same time, the number of payload types against IoT platforms rose sharply to 100 from 2018’s 54.
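SSH brute-force attempts of the kind counted above leave a characteristic trace in sshd logs: a burst of "Failed password" events from one source address, often cycling through usernames. The following Python detector is an added example written for this page, not code from the NSFOCUS report; it parses constructed sample sshd lines (the hostnames, addresses and timestamps are invented) and flags any source that reaches a threshold of failed logins within a sliding time window, while ignoring the occasional isolated failure from a legitimate user.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not real data).
# 203.0.113.7 hammers several accounts in a few seconds; 198.51.100.23 is a
# real user who mistyped once; 192.0.2.9 fails twice but 20 minutes apart.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 bastion sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:02 bastion sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:02 bastion sshd[2115]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:03 bastion sshd[2117]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 12 03:14:04 bastion sshd[2119]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Jan 12 03:14:05 bastion sshd[2121]: Failed password for invalid user oracle from 203.0.113.7 port 51027 ssh2
Jan 12 03:20:10 bastion sshd[2201]: Failed password for alice from 198.51.100.23 port 40111 ssh2
Jan 12 03:20:40 bastion sshd[2203]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2
Jan 12 03:25:00 bastion sshd[2301]: Failed password for invalid user pi from 192.0.2.9 port 33000 ssh2
Jan 12 03:45:00 bastion sshd[2302]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
"""

# Matches the standard OpenSSH failure message; "invalid user" is optional
# because sshd only adds it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2020):
    """Extract (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures_in_window, usernames_tried)} for every
    source that reaches `threshold` failures inside any `window_seconds`
    sliding window. Events are processed in time order."""
    per_ip = defaultdict(deque)   # timestamps still inside the window
    users = defaultdict(set)      # all usernames each source tried
    peak = {}                     # highest in-window count once flagged
    for ts, ip, user in sorted(events):
        q = per_ip[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures older than the window relative to the newest event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (count, sorted(users[ip])) for ip, count in peak.items()}


if __name__ == "__main__":
    hits = detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG))
    for ip, (count, names) in hits.items():
        print(f"{ip}: {count} failures in window, accounts tried: {', '.join(names)}")
```

With the defaults (5 failures within 60 seconds) only 203.0.113.7 is reported; the two failures from 192.0.2.9 twenty minutes apart stay below the threshold, which is the trade-off to tune against slow, distributed guessing. The username list is useful triage context: a source cycling through admin, root, test and oracle is guessing, not a user who forgot a password.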

As for persistent threats, DDoS, cryptojacking, ransomware, banking Trojan, and adware bundling families set up botnet armies that were active in various campaigns.

In 2019, more than 60% of DDoS attacks were initiated by only a few IoT botnet families represented by Gafgyt and Mirai. Among these attacks, nearly 50% were UDP floods. According to statistics, the US was both the major source and target of DDoS botnet attacks. China, Australia, and European countries were also greatly affected by this type of attack.

The quantity of ransomware changed with cryptocurrency prices. This type of malware mainly targeted lucrative enterprises. The fact that GandCrab made a killing from ransomware attacks indirectly encouraged more malicious families to join the action, such as the highly industrialized family Sodinokibi, which featured a 24-hour customer support service.

The quantity of cryptojacking malware and the number of cryptojacker types both increased significantly because of a pickup in cryptocurrency prices. This type of malware mainly targeted financial and carrier businesses with high-performance devices.

Banking Trojans wreaked havoc by leveraging spear phishing attacks. Emotet and TrickBot are typical examples of such Trojans. While stealing data, these families delivered ransomware, inflicting both financial and data losses on victims.

Adware bundling software, as an important part of the cybercrime market, still tried to make money by promoting the installation of other software and displaying pop-ups. Types of software promoted for installation include the so-called “must-have” applications (input tools, compressors, and so on), online game platforms, browsers, and video/live streaming applications. The adware bundling software can silently install other software without users’ knowledge. Software installed this way not only consumes users’ device resources but also exposes users to a high risk of being compromised by malware.

As for mobile threats, third-party marketplaces and illegitimate links became major infection channels of malicious applications. Malware families targeting mobile devices are large in number and varied in type, including adware, proxies, banking Trojans, cryptojackers, and ransomware. Among these types, adware is distributed by means of repackaging, disguise, and bundling in normal software development kits (SDKs), while cryptojackers use JavaScript and native modules for cryptocurrency mining and find their way into TV boxes.

The following sections describe in detail these types of threats.

To be continued.