Business Daily Media

Log4j opening doors for new attacks while ransomware and RAT attacks on decline

  • Written by Jakub Kroustek, Avast Malware Research Director

Researchers also observed the resurrection of Emotet, increased coinminer activities during growing Bitcoin prices, and an increasein technical support scams, Android subscription scams and spyware

Avast, a global leader in digital security and privacy released its Q4/2021 threat report, revealing an immediate exploitation of the Log4j vulnerability by coinminers, RATs, botnets, ransomware, and APTs, in December putting CISO departments under pressure. Furthermore, Avast’s threat researchers observed the revival of the Emotet botnet, and a 40% rise in coinminers, posing risks for consumers and businesses alike. The Q4 findings likewise show an increase in adware, technical support scams on desktop, and subscription scams and spyware on Android devices, targeting consumers. At the same time, Avast saw less ransomware and remote access trojan (RAT) activity. 

“Towards the end of the year, the extremely dangerous, ubiquitous, and easy to abuse Log4j vulnerability made CISO departments sweat, and rightly so, as it was weaponised by attackers spreading everything from coinminers to bots to ransomware,” said Jakub Kroustek, Avast Malware Research Director.

“On the other hand, we are happy to report decreases in RAT, information stealer, and ransomware attacks. RAT activity died down thanks to the holidays, with bad actors even going as far as copying  the DcRat remote access trojan  and it renaming'SantaRat'. We saw a slight decrease in information stealer activity, likely due to a significant decrease in infections through password and information stealer Fareit, which dropped by 61% vs. the previous quarter,” noted Jakub Kroustek. “The havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies, and security vendors to hunt down ransomware authors and operators, and we believe all of this resulted in a significant decrease in ransomware attacks in Q4/2021. The ransomware risk ratio decreased by an impressive 28% compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite.”

Cybercriminals attacking businesses via Log4j vulnerability and via RATs abusing Azure and AWS 

The vulnerability in Log4j, a Java logging library, proved extremely dangerous for businesses because of the ubiquity of the library and the ease of exploitation. Avast researchers observed coinminers, RATs, bots, ransomware, and APT groups abusing the vulnerability. Various botnets abused the vulnerability, including the infamous Mirai botnet. Most bot attacks were just probes testing the vulnerability, but Avast also noticed numerous attempts to load potentially malicious code. For instance, some RATs were spread using the vulnerability, the most prevalent of which were NanoCore, AsyncRat and Orcus. A low-quality ransomware, called Khonsari, was the first ransomware the researchers saw exploiting the vulnerability.

In addition to exploiting the Log4j vulnerability to spread RATs, cybercriminals exploited the CVE-2021-40449 vulnerability, which was used to elevate permissions of malicious processes by exploiting the Windows kernel driver. Attackers used this vulnerability to download and launch the MistarySnail RAT. Moreover, a very important cause of high NanoCore and AsyncRat detections was caused by a malicious campaign abusing the cloud providers, Microsoft Azure and Amazon Web Service (AWS). In this campaign malware attackers used Azure and AWS as download servers for their malicious payloads to attack businesses.

Moreover, Avast researchers saw the bad actors behind Emotet rewrite several of its parts, reviving their machinery, and taking the botnet market back with the latest Emotet reincarnation.

Adware, Coinminers, and Tech Support Scams Targeting Consumers

Desktop adware and rootkit activity increased in Q4/2021. Avast researchers believe these trends are related to the Cerbu rootkit, which can hijack browser homepages and redirect site URLs according to the rootkit configuration. Cerbu can therefore easily be deployed and configured for adware, annoying victims with unwanted ads and capable of adding a backdoor to victims’ machines.

While the Bitcoin price increased at the end of 2021, the number of coinminers spreading increased by 40%, often via infected web pages and pirated software. CoinHelper was one of the prevalent coinminers very active throughout Q4/2021, mostly targeting users in Russia and the Ukraine. Coinminers stealthily abuse a user’s computing power to mine crypto currencies, which can cause high electricity bills and impact the lifespan of the user’s hardware. Additionally, CoinHelper harvests various information about its victims including their geolocation, antivirus solution they have installed, and hardware they are using. Despite observing multiple crypto currencies configured to be mined, including Ethereum and Bitcoin, Monero stood out to Avast researchers in particular. Monero is designed to be anonymous, however, the wrong usage of addresses and the mechanics of how mining pools work, enabled the researchers to gain deeper insights into the malware authors’ Monero mining operation. They found that the total monetary gain from the CoinHelper coinminer was over $485,000 AUD ($339,694.86 USD) as of November, 29, 2021. In the month of December, it mined an additional amount close to $5,000 AUD ($3,446.03 USD ) ~15.162 XMR, ~. CoinHelper is still actively spreading, with the ability to mine ~0.474 XMR every day.

The Avast threat researchers also observed a spike of tech support scams, tricking the user into believing they have a technical problem, and scamming them into calling a hotline where they will be scammed to pay high support fees or grant remote access to their system.

Premium SMS Subscription Scams and Spyware Stealing Facebook Credentials Spreading on Mobile Devices

The Avast Threat Labs noted two mobile threats in the report: Ultima SMS and Facestealer. Ultima SMS, a premium SMS subscription scam resurfaced in the last few months. In October, Ultima SMS apps were available on the Play Store, mimicking legitimate applications and games, often featuring catchy adverts. Once downloaded, they prompted users to enter their phone number to access the app. Subsequently, users were subscribed to a premium SMS service that can cost up to $10 per week. The actors behind UltimaSMS extensively used social media to advertise their applications and accrued over 10M downloads as a result.

Facestealer, spyware designed to steal Facebook credentials, resurfaced on multiple occasions in Q4/2021. The malware masquerades as photo editors, horoscopes, fitness apps and others. After using the app for a period of time, it prompts the user to sign in to Facebook to continue using the app, without adverts.

For more detailed information visit the full report here.

Rust: How to die and resurrect yourself

Rust is an open world survival game in which action / adventure and role-playing elements combine DayZ and Minecraft. You play in the middle of ...

Business Training

5 Reasons Why You Should Purchase Land in Berwick Waters

Property in Berwick Waters has become an extremely sought-after commodity over the last few years, and it's not hard to see why. The perfect weath...

Property

What Is A Property Investment Fund?

A property investment fund is a financial vehicle that allows individuals to invest in real estate properties through pooled resources. These fund...

Property

Critical evaluations when investing in land

Real estate investment is one of the biggest and best financial decisions you can make. Thanks to the constant increase in property value, real es...

Property

Accelerating Business Growth: A Comprehensive Review of Strategies and Tactics

If you are a business owner, you know that growth is essential for success. However, achieving business growth is not always a straightforward process...

Business Training

A Guide to Starting A Quality Day Care Business

Welcome to being an entrepreneur! Starting a successful daycare can be both stressful and rewarding. When thinking of starting a daycare, a lot of...

Business Training