Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense Intelligence™ observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties.
Why is this a problem?
Though complex malware like Geodo and TrickBot are harder to defend against, simple still works. If it didn’t, threat actors wouldn’t go back to the well again and again. A properly configured email gateway can block most stealers and RATs, but with so many in circulation it pays to have a Plan B—a phishing awareness and reporting program focused on active threats (see Cofense PhishMe™ and Cofense Reporter™) and a phishing-specific incident response solution (see Cofense Triage™).
This year saw the overwhelming dominance of stealers, with 69% of unique campaigns observed through 2018 delivering either a stealer or a RAT. The reasons for such a huge distribution skew: ubiquity, simplicity, and cost. Stealers are extremely cheap or, in the case of Loki Bot, cracked and distributed for free.
What may come as a surprise is the volume of campaigns. Stealers, RATs, and keyloggers are often sent in extremely low-volume campaigns—often campaigns of one, many times per day. Cofense Intelligence regularly observes 30+ unique daily Loki campaigns, each distributing a unique Loki sample. Each differs from its peers in everything from the message content to the C2 endpoint used by the binary. Again, Loki is free. It was cracked some time ago, is easy to use, and can be used with compromised domains, all of which explain why so many different actors distribute Loki as their malware of choice. Why such low-volume campaigns? Unsophisticated actors often lack the resources for widespread distribution.
All stealer-type malware is designed to obtain and exfiltrate valuable data from the target machine. Often, this data includes passwords, contact lists, and cryptocurrency wallets. Stealers often also incorporate functionality from other malware phenotypes, such as keyloggers, to bolster their capabilities with features such as keystroke monitoring, screenshot captures, and A/V recording.
Chart 1 details Loki Bot’s wide distribution relative to any other malware family. Indeed, Loki is almost twice as prevalent as second-place Pony.
Chart 1: 2018 Top 5 malware families
Chart 2: 2018 Phenotype breakdown
Chart 2 above details the breakdown of malware by phenotype. Stealers, RATs, and keyloggers make up 85% of the overall campaigns we observed, by unique sample. These simple types of malware benefit from very low barrier-to-entry, requiring little more than an email account or web site to facilitate distribution and communication. Because of this, threat actors’ motivations vary wildly and include financial gain, revenge, and account takeover. More complex malware, such as Geodo and TrickBot, require enormous resources to simply maintain efficacy and relevance—but are still widely distributed and more difficult to defend against.
Chart 3: Phenotypes over time
Chart 3 is a companion to Chart 2, showing phenotype distribution over time and illustrating how stealer malware dominated the entire year. It should be noted that the increase in the number of campaigns identified per week is not an indicator that phishing has increased. Rather, it is a product of increased reporting by Cofense Intelligence due to improved collections and enhancements to our analysis process.
To summarize, stealers and keyloggers ruled the 2018 phishing-borne threat landscape, due to their vast diversity and accessibility. Despite their domination, a properly configured email gateway would prevent most of these messages from reaching a protected inbox, with a policy that rejects unknown senders with binary attachments. Still, these tools clearly work—otherwise, they wouldn’t have been the ascendant malware this year.
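As an added illustration of the gateway policy described above (example code, not Cofense's product or the original post's), the following Python rejects any message carrying a binary attachment unless the sender's domain is on an allowlist of known senders; it also checks the attachment's leading bytes so that an executable renamed to look like a document is still caught. The sender domains, filenames and attachment contents are constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed allowlist of known sender domains (hypothetical values).
KNOWN_SENDER_DOMAINS = {"partner.example", "corp.example"}

# Attachment traits that mark an executable payload: name, declared type, or PE header.
BINARY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".dll", ".jar")
BINARY_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                     "application/octet-stream"}


def sender_domain(msg):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_binary_attachment(part):
    """True if the part looks executable by name, declared MIME type, or content."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return (name.endswith(BINARY_EXTENSIONS)
            or part.get_content_type() in BINARY_MIME_TYPES
            or payload.startswith(b"MZ"))  # DOS/PE header regardless of filename


def gateway_verdict(raw_message):
    """Apply the policy: reject binary attachments from unknown senders."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    known = sender_domain(msg) in KNOWN_SENDER_DOMAINS
    has_binary = any(is_binary_attachment(p) for p in msg.iter_attachments())
    return "reject" if has_binary and not known else "accept"


def build_message(sender, filename, data, mime_type):
    """Construct a sample MIME message with one attachment (test input only)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "ap@corp.example", "Invoice"
    msg.set_content("Please see the attached invoice.")
    maintype, subtype = mime_type.split("/")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: an unknown sender with an .exe, a known sender with an .exe,
# an unknown sender with a real PDF, and an unknown sender with a PE file named .pdf.
SAMPLES = {
    "unknown_exe": build_message("a@random.example", "invoice.exe", b"MZ\x90\x00junk", "application/x-msdownload"),
    "known_exe": build_message("b@partner.example", "tool.exe", b"MZ\x90\x00junk", "application/x-msdownload"),
    "unknown_pdf": build_message("c@random.example", "invoice.pdf", b"%PDF-1.4 text", "application/pdf"),
    "unknown_disguised": build_message("d@random.example", "invoice.pdf", b"MZ\x90\x00junk", "application/pdf"),
}
```

Real gateways layer further checks (archive inspection, reputation, sandboxing) on top of this; the point here is that the unknown-sender plus binary-attachment rule alone stops the bulk of the campaigns described.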