The Malware Awards

The malware awards: the most devastating attacks that everyone talked about in 2017

To be protected from online threats the best you can do is to get to know the enemy. Here is our review of the most sophisticated malware in 2017.

As much as we hope the next security update will protect us from malware, the reality is that more varied and sophisticated schemes are being created as we speak. We have decided to look the enemy in the eye and learn from them and, since we are at it, award some of the best as we see it. Here are our five 2017 Malware Awards:

1. WannaCry – The Flash Gordon Award

This malware, also known as WannaCrypt, has been one of the most devastating ransomware attacks in history. It began its activity on May 12th, affecting Windows computers that had not deployed the latest (April 2017) security update. WannaCry exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol. It managed to block banks, law enforcement agencies, and other infrastructure and demanded a ransom from the impacted parties. This generated additional losses through service disruption as well as a loss of customer trust. It only lasted a few days – until Microsoft devices were updated with the security patch – but in those few days the malware had time to reach ~300,000 computers and leave ~200,000 victims across 74 countries. We have not seen that speed since the 80s film; this is why we grant them the Flash Gordon Award. In December, some affected countries – the UK, U.S., and Australia – formally blamed North Korea for the attack.

2. Silence Trojan – The Voyeur Award

This banking Trojan first appeared in October 2017. Its creators infected at least ten major banks and waited until the right moment to steal millions of dollars at once from ATMs across Russia, Armenia, Malaysia, and more. The Silence Trojan spreads via phishing emails sent from a previously infected bank computer to another bank staff member. The email shows a colleague’s email address as the sender, making it look like any other legitimate communication. The email includes an attachment with a .chm extension, a compiled Microsoft HTML Help file that can run embedded scripting such as JavaScript. The uniqueness of Silence – and the reason to grant them the Voyeur Award – is that it allows screen recording and data uploading. Silence can basically create a screenshot-by-screenshot video of the victim’s online activity. The bad actors watch the behavior and collect all the personal data over a long period until they are ready to execute the second part of the attack: take the money from the customer’s account, and run.

3. Spora – The Customer Service Award

First seen in January 2017, this malware is widely known for its solid encryption and its ability to work offline. But, most of all, it’s known for its well-built payment site – yes, this has also impressed victims in the Twittersphere. Spora, like many other malware brands, infects devices by luring users into downloading infected attachments. However, unlike other ransomware families, Spora only targets specific files (.doc, .pdf, .psd, .jpeg to name a few). Spora provides the victim with a Victim Identifier Number to access the payment website. There the victims can browse all the options from which they can choose, as if they were buying a T-shirt online:

Spora payment website (image from securesense.ca).

They even offer a two-file restoration service for free! For this, we had to give them the Customer Service Award.

4. Mirai – The ‘Take that!’ Award

Mirai is a botnet built from infected devices that run Linux. These devices are controlled by the bad actor and used for large-scale network attacks. It was first identified in August 2016 by the research group MalwareMustDie. By targeting online consumer devices such as IP cameras and home routers, Mirai became one of the largest distributed denial of service (DDoS) threats – it reached a network of 300,000 infected devices across 164 countries over a span of a year and a half. The creators of Mirai released their source code to the public, and this multiplied the number of Mirai attacks. The biggest one happened in October 2016 and disrupted Twitter, Netflix, and Reddit. Although the major Mirai attacks happened in 2016, we give them the 2017 ‘Take That!’ Award because the two creators of Mirai were caught and, just last December, pleaded guilty – Krebs on Security, whose investigation led to their detention, has all the details. Paras Jha, 20 years old, and Josiah White, 21 years old, both from the U.S., were the minds behind this attack and also the owners of ProTraf Solutions, a company specialized in combatting large-scale DDoS attacks. Ahem.

5. Nemucod – The Walter White Award

This is not technically malware but a – very sophisticated – downloader that helps download and execute malware like Locky. Nemucod was first found in 2015 in the form of a phishing email that pretended to carry a shipping invoice. When the victim downloads the document and opens the attachment, the code runs and downloads further malware onto the affected machine. In 2017, researchers at Palo Alto Networks published their findings after months of studying it: “Nemucod malware is mostly deployed using weaponized documents where the malicious VBA [Visual Basic for Applications] macro code is responsible for constructing and executing a malicious encoded JScript file that carries out further activities including registering victims with the bad actors before downloading payloads, which in this case included a credential-stealing Trojan executable component.” The operators deliver native Microsoft JScript code through .js attachments. Why do we grant them the Walter White Award? Because of the custom Product Description in the 2017 version of Nemucod:

Product description image from researchcenter.paloaltonetworks.com.

The sentence is a reference to a scene from a Breaking Bad episode (season one, episode seven). Some observers say this may indicate that the creator (or creators) of this code used to be on the right side of the law and has now gone over to the dark side.

What do we learn from this?

1. End users have to be suspicious of any unexpected attachment – and of any expected attachment that comes from a suspicious site.

2. Companies and end users need to run updates so that their devices have the latest security updates and patches.
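Three of the five awards above (Silence, Spora, Nemucod) arrive as an email attachment, and the first lesson is to be suspicious of attachments. The following is an added example of what a mail gateway or a mailbox rule can do automatically with that lesson; it is not code from the post or from any of the vendors named here. It uses only the Python standard library, the file types it flags are seeded from those the post mentions (.chm, .js, macro-capable Office documents) plus other Windows script types, and the sample message it parses is constructed for the example, not a real capture.

```python
"""Attachment triage for the executable file types that ransomware and
downloaders such as Silence (.chm) and Nemucod (.js) ride in on."""
import email
import os
from email import policy
from email.message import EmailMessage

# File types that execute code when a user opens them on Windows. The set is
# an assumption for this example, seeded with the types the post names.
EXECUTABLE_EXTENSIONS = {
    ".chm", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
    ".exe", ".scr", ".lnk", ".docm", ".xlsm",
}
# Types users expect to be inert; used to catch double extensions such as
# "invoice.pdf.js", which Explorer shows as "invoice.pdf" when extensions are hidden.
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt",
}


def classify_attachment(filename):
    """Return the reasons an attachment filename deserves quarantine (empty list if none)."""
    reasons = []
    base = os.path.basename(filename or "")
    root, ext = os.path.splitext(base.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable type {ext}")
        # A second, document-looking extension just before the real one.
        _, inner_ext = os.path.splitext(root)
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} disguising a script as a document")
    if "\u202e" in base:
        # Right-to-left override reverses how the tail of the name is displayed.
        reasons.append("RTL override character in filename")
    return reasons


def triage_message(raw_bytes):
    """Parse an RFC 822 message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_attachment(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Construct a phishing-style message resembling the Silence lure: an internal-looking
    sender and a .chm attachment. Addresses and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "colleague@bank.example"
    msg["To"] = "teller@bank.example"
    msg["Subject"] = "Updated procedures"
    msg.set_content("Please review the attached help file and invoice.")
    msg.add_attachment(b"ITSF\x03\x00", maintype="application",
                       subtype="octet-stream", filename="procedures.chm")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the block flags `procedures.chm` and `invoice.pdf.js` and leaves `statement.pdf` alone. An extension check is only the cheapest layer: the Spora and Nemucod lures used ordinary document formats, so a gateway should also strip or sandbox macro-bearing Office files and treat any attachment from an unexpected sender as suspect, which is the post's own first lesson.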