Monday, 28 December 2015

McAfee Labs Report Identifies New Mobile Banking, Macro, and Fileless Malware Developments

By Vincent Weafer, Vice President, Intel Security’s McAfee Labs

The cyber threat landscape often combines something old, something new, something blundered, and something ‘you’. The third quarter provides examples of old threats repackaged with social engineering, new fileless malware replacing rootkits, mobile app coding blunders, and the exploit of the weakest link in any ecosystem: you the user.

Today’s release of Intel Security’s McAfee Labs Threats Report: November 2015 complements our usual quarterly assessment of cyber threats with new developments combining each of these elements:

·         McAfee Labs researchers illustrate how poor mobile app coding practices, including the failure to follow back-end service provider guidance, can lead to the exposure of user data in the cloud. This analysis also demonstrates how mobile banking customers have been compromised through such a scenario.

·         The report investigates macro malware using social engineering to gain traction within enterprises – a development fueling the resurgence of macro malware, from a multi-year decline, to a six-year high in the last several months. Macro malware increased from less than 10,000 new attacks in Q3 2015 to almost 45,000 this past quarter, a level we have not seen since 2009.

·         Finally, the report details how new platform capabilities and threat development innovation have created a new breed of fileless malware that trumps traditional threat detection. These fileless attacks appear to be taking the place of rootkit attacks.

If nothing else, the third quarter of 2015 reminded us that while we must always innovate to stay ahead of the threat technology curve, we must never neglect common sense solutions such as best practices for secure app coding, and user education to counter ever-present tactics such as spearphishing.

Back-end mobile app coding practices
A two-month analysis of nearly 300,000 mobile apps led McAfee Labs to the discovery of two mobile banking Trojans responsible for taking advantage of thousands of mobile banking accounts across Eastern Europe. Known to the industry as “Android/OpFake” and “Android/Marry”, the two malware strains were designed to take advantage of poor mobile app coding connecting mobile apps to back-end service providers managing app data.

Mobile apps often rely on back-end services for secure data storage and communications. That said, mobile app developers are responsible for implementing and configuring the integration of their mobile apps with these back-end services. User data could be exposed if app developers fail to follow the back-end providers’ security guidelines – a possibility more likely purely based on the increasing amount of personal and professional business conducted in the mobile cloud.

While the two cybercriminal campaigns using the two mobile banking Trojans have been shut down, McAfee Labs found evidence that they exploited such back-end coding, abused root privileges to silently install malicious code, and enabled an SMS message scheme to steal credit card numbers and execute fraudulent transactions. The two mobile banking Trojans intercepted and exposed the 171,256 SMS messages of 13,842 banking customers, and remotely executed commands on 1,645 impacted mobile devices.

Intel Security asserts that developers must pay greater attention to back-end coding best practices and the secure coding guidance provided by their service providers. We also recommend users only download mobile apps from well-known sources, and following rooting best practices for their devices.

Macro malware rides spearphishing to six-year high
McAfee Labs also registered a fourfold increase in macro detection over the last year, reaching the category’s highest growth rate since 2009. The return to prominence has been enabled by spearphishing campaigns designed to fool enterprise users into opening malware-bearing email attachments. These new macros also exhibit an ability to remain hidden even after they have downloaded their malicious payloads.

Such malicious macros were the bane of users in the 1990s, but declined in number after platform providers such as Microsoft took action to reprogram default settings stopping automatic macro execution.

While earlier macro campaigns focused on users of every description, the new macro malware activity is primarily focused on large organizations accustomed to using macros as easy-to-build programs for repetitive needs. Today, emails are socially engineered to appear legitimate to the context of the organization’s business so that users will thoughtlessly enable the macro to run.

In addition to improving user awareness of spearphishing, Intel Security recommends organizations adjust product macro security settings to “high” and configure email gateways to specifically filter for attachments containing macros.

Fileless malware innovations
McAfee Labs captured 74,471 samples of fileless attacks in the first three quarters of 2015. The three most common fileless malware types load their infection directly into the legitimate memory space of a platform function, hide behind a kernel-level API, or hide within the operating system’s registry.

Most malicious infections leave some type of file on a system, which can be detected, analyzed, and convicted.  Newer attacks, such as Kovter, Powelike, and XswKit, have been designed to take advantage of OS platform services to get into memory without leaving a trace on the disk.

Intel Security recommends safe browsing and email practices, combined with email and web protections to block the attack vectors.

Q3 2015 Threat Statistics

·         Overall threat activity. McAfee Labs’ Global Threat Intelligence (GTI) network detected an average of 327 new threats every minute, or more than 5 every second. The network also detected:
o   More than 7.4 million attempts to entice users into connecting to risky URLs (via emails, browser searches, etc.).
o   More than 3.5 million infected files targeted at our customers’ networks
o   An additional 7.4 million Potentially Unwanted Programs attempting to install or launch.

·         Mobile malware. The total number of mobile malware samples grew 16% from Q2 to Q3. The total number of mobile malware samples grew 81% over the past year. New mobile malware has risen for five consecutive quarters, but infections haven’t kept pace, likely due to improvements in OS defenses.

·         MacOS Malware. Malware authors have increasingly turned their attention to the Mac platform. Four times as much Mac OS malware was registered in Q3 than in Q2. Most of the increase came from a single threat.

·         Ransomware. The number of new ransomware samples grew 18% from Q2 to Q3. The total number of ransomware samples in McAfee Labs’ malware “zoo” grew 155% over the past year.

·         Rootkits decline. New rootkit malware dropped 65%, the category’s lowest rate since 2008. The decline is likely due to diminished returns for attackers. With 64-bit Windows, Microsoft enforces driver signing and includes Patch Guard, which makes kernel hooking significantly more challenging for attackers.

·         Malicious signed binaries. New malicious signed binaries have trended down for 3 quarters.

·         Botnet activity. The Kelihos botnet reclaimed the top rank for spam-sending botnets in Q3. The botnet powering campaigns for counterfeit consumer goods and phony pharmaceuticals had been somewhat dormant for the previous two quarters.

For more information on these focus topics, or more threat landscape statistics for Q3 2015, please visit for the full report.