1H 2018 Crimeware Trends: A Sampling of Malicious E-Mail Attachments
We’ve long known e-mail to be the primary method of end-point system compromises around the world, and that continues to be the case today. As the folks at F-Secure wrote in a recent blog article, “If you’re going to encounter malware in 2018, chances are it will happen through spam.”
To better understand patterns and changes in campaign volume and detection, we collected a sample of malicious e-mail attachments delivered to our customers during the first half of 2018 (1H 2018), together with the detection rates of these samples on VirusTotal. This practice of collection and analysis helps validate our anecdotal observations and suspicions about threat actor behavior patterns, and lets us observe campaign beginnings, periods of possible experimentation and, occasionally, ends. Additionally, this collection and analysis cycle helps the Gigamon Applied Threat Research (ATR) team stay ahead of evolving campaigns for detection and investigation purposes.
The Data
Our dataset consists of samples attached to malicious spam attacks in the first half of 2018. The file type distribution, shown in Figure 1, is primarily documents, straight executables and archives, with a few outliers such as IQY.
For each sample, we identified the family, such as Trickbot or Emotet, and collected anti-virus detection history from VirusTotal. Figure 2 shows the family distribution, with Lokibot being the most prevalent in our data set, followed by a closely competing group of Pony, Emotet and Trickbot.
The total number of incidents that we observed first hand, per week, is shown in Figure 3. Notably, the fewest incidents occurred during the first three weeks of 2018, which we anecdotally observe every year. A potential explanation for this phenomenon is that some actors observe the January 14 Old New Year and work less during the holiday span from Christmas to the Old New Year.
The large surge in the number of LokiBot malspam campaigns — as well as Pony and several keyloggers and remote access Trojans, or RATs — is largely because LokiBot has been co-opted by Nigerian threat actors, as an extension of the monetization evolution driven by Russian-language threat actors.
Mean anti-virus detection history for all samples is plotted in Figure 4. After collecting the detection history for each sample, we manually removed a few broken outlying records, where either all anti-virus scores spontaneously appeared empty late in the lifetime of an otherwise well-detected sample, or the total number of reporting anti-virus products was well below normal. Then we fit logarithmic curves to each sample with a sufficient number of measurements and averaged the curves. We chose to fit each sample individually and average the fitted curves, instead of averaging the samples and fitting the average, because each sample has a different number of measurements and the measurements were all taken at varying times in the sample's lifetime. This avoids over- and under-representing samples based upon how many times they were scanned.
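As an added illustration of the per-sample fitting step described above (example code, not from the report): the rescan histories are constructed, and the outlier rule is an assumed automation of the manual cleaning the text describes.

```python
import math

# Constructed VirusTotal rescan histories (not data from the report):
# sample -> list of (days since first submission, positives, engines reporting).
SCANS = {
    "sample_a": [(1, 20, 62), (3, 28, 63), (10, 36, 64), (30, 42, 65)],
    "sample_b": [(1, 10, 60), (2, 14, 61), (7, 22, 62), (14, 30, 63), (60, 44, 64)],
    "sample_c": [(1, 30, 62), (5, 40, 63), (40, 0, 63)],   # scores vanish late in life
    "sample_d": [(2, 25, 62), (9, 12, 31)],                # one rescan with few engines
}
MIN_ENGINES = 50   # assumed threshold: far fewer reporting engines than normal
MIN_POINTS = 3     # assumed minimum number of rescans needed to fit a curve

def clean(scans):
    """Drop broken records: abnormally few engines, or an empty result on a detected sample."""
    kept = []
    for day, positives, engines in scans:
        if engines < MIN_ENGINES:
            continue
        if positives == 0 and kept and kept[-1][1] > 0:
            continue
        kept.append((day, positives, engines))
    return kept

def fit_log(points):
    """Least-squares fit of rate = a*ln(day) + b to (day, rate) pairs; returns (a, b)."""
    xy = [(math.log(day), rate) for day, rate in points]
    n = len(xy)
    mx = sum(x for x, _ in xy) / n
    my = sum(y for _, y in xy) / n
    sxx = sum((x - mx) ** 2 for x, _ in xy)
    if sxx == 0:
        return 0.0, my  # every rescan on the same day: fall back to a flat curve
    a = sum((x - mx) * (y - my) for x, y in xy) / sxx
    return a, my - a * mx

def mean_curve(dataset):
    """Fit each sample separately, then average the coefficients (not the other way round)."""
    cleaned = [clean(s) for s in dataset.values()]
    fits = [fit_log([(d, p / e) for d, p, e in s]) for s in cleaned if len(s) >= MIN_POINTS]
    a = sum(f[0] for f in fits) / len(fits)
    b = sum(f[1] for f in fits) / len(fits)
    return a, b, len(fits)

def detection_at(day, a, b):
    """Mean fitted detection rate at a given sample age, clamped to [0, 1]."""
    return min(1.0, max(0.0, a * math.log(day) + b))
```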
Ideally, we would see high initial detection rates, and for those that are not well detected, sharply increasing detection rates as security vendors adapt to the threat. Visually, up and left is better.
We can see that, on average, 32.6% of anti-virus products detected samples on the first day, with 48.8% detecting samples by the end of the first week. Some attacks are more challenging than others to analyze in isolation. For example, second or later stages in attacks may require code or data, like encryption keys, from earlier stages to run. However, this dataset contains exclusively first-stage malware. While first-stage samples pose their own challenges (e.g., legacy or uncommon file formats, uncommon features, obfuscations and evasions, remotely included data), a 32.6% initial detection rate for them is concerningly low.
LokiBot
LokiBot has targeted victims since 2015 and is now commodity malware sold on various underground crimeware websites. It is designed to steal login credentials and other private data from infected machines and exfiltrate it via HTTP POST to command and control (C2) servers. This private data includes locally stored passwords, login credentials from several web browsers and from admin tools such as PuTTY, and a variety of cryptocurrency wallets.
Most of today’s LokiBot samples are modified versions of the original malware, which was developed by an individual who went by the online alias “lokistov,” a.k.a. “Carter,” on multiple underground hacking forums. It was originally sold for up to US$300, but later other hackers on the dark web also started selling the same malware for lower prices (as low as US$80). LokiBot has become a primary weapon, and a very popular tool, for the Nigerian threat actors who have flocked to these underground forums.
Of the four most prevalent families, LokiBot delivers the most diverse set of filetypes in its initial attachments (Figure 6). Despite this, it is detected both initially and during each subsequent campaign by more anti-virus products than the baseline (Figure 5). We find this true for the majority of the most prevalent families, which makes sense under the intuition that the loudest campaigns will be caught, shared and tracked more frequently.
Emotet
Emotet is a banking Trojan that, once executed, can spread to other systems by brute forcing credentials or exploiting unpatched software with exploits like ETERNALBLUE. However, despite its capabilities as a banking Trojan, it is often used as a dropper to establish initial access and then download and execute other payloads.
We witnessed almost exclusively the legacy Microsoft Word document file formats in Emotet e-mails, with the exception of a few Windows executables (Figure 8). Compared to the other most prevalent families, Emotet delivered the least diverse set of filetypes. More anti-virus products detect Emotet samples than the mean malspam sample, even on the first day a sample arrives on VirusTotal (Figure 7).
Pony
Pony (a.k.a. FareIT) is another credential and information stealer that can collect credentials from various applications. It was originally related to the Reveton worm, but in recent years different threat actors have modified it to enhance its functionality.
Detected as early as 2011, Pony is not a new threat — it initially started as a simplistic malware downloader but has evolved into its current form over time.
Pony is the most detected family in our dataset (Figure 9). It is the only family for which anti-virus solutions exceed 40% detection on the first day in VirusTotal. Interestingly, although its filetype diversity (Figure 10) is lower than LokiBot’s and higher than Emotet’s, it is still detected by more anti-virus solutions than either.
Trickbot
Trickbot is a banking Trojan, closely related to the banking Trojan known as Dyre or Dyreza, with which it shares much of the underlying code and features. It has undergone periods of experimentation by the threat actors who control it, which has resulted in various deployment and obfuscation techniques, and it is still apparently changing its methodologies.
Trickbot command and control (C2) infrastructure is encrypted, hierarchical, multi-tiered and dynamic; it is still being enumerated and analyzed, and it shares some infrastructure with the Emotet C2 infrastructure. It is also possible that the Russian-language threat actors behind Trickbot have a hand in the development and operation of the Emotet botnet.
Trickbot comes almost exclusively in various common Microsoft Office document formats (Figure 12). It is the least detected of the four most prevalent families. Although detection rates on the first day of submission slightly outperform those of the mean, they begin a trend of underperformance after the first few days on VirusTotal (Figure 11).
Conclusion
From tracking active attempts against customers, we can solidify our suspicions about threat actor behavior patterns with first-hand observation. Tracking detection rates shows which families are most successful at evading detection with new attacks, and how well industry responds to campaigns.
We find that, in general, malspam attachments are only detected by 32.6 percent of anti-virus solutions in VirusTotal on the first day of submission. The most prevalent families are slightly less effective at evading anti-virus, and the anti-virus industry responds to these campaigns more effectively than to the average malspam attack.
However, even in the best-case scenario with Pony, detection rates only outperform the mean by around 10 percentage points, and Pony samples still evade most anti-virus solutions on the first day they hit VirusTotal. Of the most prevalent families, we find that Trickbot is the most successful at evading anti-virus solutions long term on VirusTotal, which should encourage further study.
If you’d like to read the complete ebook, download it here.