1H 2018 Crimeware Trends: A Sampling of Malicious E-Mail Attachments

We’ve long known e-mail to be the primary method of end-point system compromises around the world, and that continues to be the case today. As the folks at F-Secure wrote in a recent blog article, “If you’re going to encounter malware in 2018, chances are it will happen through spam.”

To better understand patterns and changes to campaign volume and detection, we collected a sample of malicious e-mail attachments delivered to our customers during the first half of 2018 (1H 2018) and the detection rates of these samples on VirusTotal. This practice of collection and analysis helps validate our anecdotal observations and suspicions about threat actor behavior patterns, as well as observe campaign beginnings, periods of possible experimentation, and occasionally, ends. Additionally, this collection and analysis cycle assists the Gigamon Applied Threat Research (ATR) team in staying ahead of evolving campaigns for detection and investigation purposes.

Our dataset consists of samples attached to malicious spam attacks in the first half of 2018. The file type distribution, shown in Figure 1, is primarily documents, straight executables and archives, with a few outliers such as IQY.

For each sample, we identified the family, such as Trickbot or Emotet, and collected anti-virus detection history from VirusTotal. Figure 2 shows the family distribution, with Lokibot being the most prevalent in our data set, followed by a closely competing group of Pony, Emotet and Trickbot.

The total number of incidents that we observed first hand, per week, are shown in Figure 3. Notably, the fewest incidents occurred during the first three weeks of 2018, which is anecdotally observed every year. A potential explanation for this phenomenon is that some actors observe the January 14 Old New Year and work less during the holiday span from Christmas to the Old New Year.

The large surge in the number of LokiBot malspam campaigns — as well as Pony and several keyloggers and remote access Trojans, or RATs — is mostly due to the fact that LokiBot has been co-opted by Nigerian threat actors, as an extension of monetization evolution by Russian-language threat actors.

Mean anti-virus detection history for all samples is plotted in Figure 4. After collecting the detection history for each sample, we manually removed a few broken outlying records where all anti-virus scores spontaneously appeared empty late in the lifetime of an otherwise well detected sample or the total number of reporting anti-virus products was well below normal. Then we fit logarithmic curves to each sample with a sufficient number of measurements and averaged the curves. We chose to individually fit each sample and average the fitted curves instead of averaging the samples and fitting the average because each sample has a different amount of measurements and the measurements were all taken at varying times in the sample lifetime. This avoids over- and under-representing samples based upon how many times they were scanned.

Ideally, we would see high initial detection rates, and for those that are not well detected, sharply increasing detection rates as security vendors adapt to the threat. Visually, up and left is better.

LokiBot has targeted victims since 2015 and is now commodity malware sold on various underground crimeware websites. It is designed to steal login credentials and other private data from infected machines and exfiltrate data HTTP POST to command and control (C2) servers. This private data includes locally stored passwords, login credentials from several web browsers, admin tools such as PuTTY, and a variety of cryptocurrency wallets.

Most of today’s LokiBot samples are modified versions of the original malware, which was developed by an individual who went by the online alias “lokistov,” a.k.a. “Carter” on multiple underground hacking forums. It was original sold for up to US$300, but later some other hackers on the dark web also started selling the same malware for lower prices (as low as US$80). LokiBot has been a primary weapon for Nigerian threat actors who have flocked to these underground forums, and LokiBot has become a very popular tool for them.

Of the four most prevalent families, LokiBot delivers the most diverse set of filetypes in its initial attachments (Figure 6). Despite this, it is detected both initially and during each subsequent campaign by more anti-virus products than the baseline (Figure 5). We find this true for the majority of the most prevalent families, which makes sense under the intuition that the loudest campaigns will be caught, shared and tracked more frequently.

Pony (a.k.a. FareIT) is another credential and information stealer that can collect credentials from various applications. It was originally related to the Reveton worm, but in recent years different threat actors have modified it to enhance its functionality.

Detected as early as 2011, Pony is not a new threat — it initially started as a simplistic malware downloader but has evolved into its current form over time.

Pony is the most detected family in our dataset (Figure 9). It is the only family for which anti-virus solutions breach 40% detection on the first day in VirusTotal. It is interesting that, while it has less filetype diversity (Figure 10) than LokiBot, and more than Emotet, yet it is still detected by more anti-virus solutions than either.

Trickbot is a banking Trojan, closely related to the banking Trojan known as Dyre or Dyreza, with which it shares much of the underlying code and features. It has undergone periods of experimentation by the threat actors who control it, which has resulted in various deployment and obfuscation techniques, and it is still apparently changing its methodologies.

Trickbot command and control (C2) infrastructure is an encrypted, hierarchical, multi-tiered infrastructure that is dynamic, is still being enumerated and analyzed, and shares some infrastructure with the Emotet C2 infrastructure. It is also possible that the Russian language threat actors behind Trickbot may also have a hand in the development and operation of the Emotet botnet.

Trickbot comes almost exclusively in various common Microsoft Office document formats (Figure 12). It is the least detected of the four most prevalent families. Although detection rates on the first day of submission slightly outperform those of the mean, they begin a trend of underperformance after the first few days on VirusTotal (Figure 11).

Conclusion

From tracking active attempts against customers, we can solidify our suspicions about threat actor behavior patterns with first-hand observation. Tracking detection rates shows which families are most successful at evading detection with new attacks, and how well industry responds to campaigns.

We find that, in general, malspam attachments are only detected by 32.6 percent of anti-virus solutions in VirusTotal on the first day of submission. The most prevalent families are slightly less effective at evading anti-virus, and the anti-virus industry responds to these campaigns more effectively than to the average malspam attack.

However, even in the best-case scenario with Pony, detection rates only outperform the mean by around 10 percentage points, with Pony samples evading most anti-virus solutions the first day samples hit VirusTotal. Of the most prevalent families, we find that Trickbot is the most successful in evading anti-virus solutions long term on VirusTotal, which should encourage further study.

If you’d like to read the complete ebook, download it here.