Whether they are leasing or selling malware, cyber attackers combine ingenious tricks with the latest technology, and the various cyber-criminal groups use different business models. Often, malware may even lurk undetected on a network as a ‘sleeper’ that is just waiting for an order to attack.
It can begin with a seemingly harmless phone call to a secretary’s office. The caller has just a minor request: they spoke with the boss a few days ago and were supposed to send some documents by post before their next discussion. Because time is running out, they would like to send the documents by email instead so they can be printed. Unfortunately, the email that shortly lands in the secretary’s inbox contains dangerous malware alongside the promised documents. Responding to a survey, exhibitors at it-sa indicated that their customers were increasingly being exposed to these kinds of phishing attacks, especially during the period of coronavirus restrictions.
Multifunctional attacks and lucrative targets from the dark net
Knowing the mode of operation and business models of cyber criminals can help companies arm themselves against such attacks. For example, documents are stolen specifically so that they can be used as bait in a later attack. Genuine documents give the lure a particularly high degree of credibility, making them ideal for phishing. Once victims have clicked on a fake link or opened an infected attachment, they are often exploited repeatedly afterwards. Initially the intention is to steal and monetise information; then the infected systems become part of a botnet that is rented out for spamming or DDoS attacks. At the same time, the attackers install a cryptominer. And finally (for example once the botnet has been rumbled), the computers are infected with ransomware so that a ransom can be collected if possible.
For a long time now, cyber gangsters have not needed to develop the necessary malware themselves. The work is divided up, and there is a flourishing trade on the dark net. Increasingly, such software is only rented. One example is the Android banking Trojan Cerberus, which one criminal group was offering for around US$ 2,000 a month.
Lucrative targets are also traded on the dark net. Cyber criminals therefore attempt to penetrate companies pre-emptively whenever an opportunity presents itself. Once inside, they install a backdoor. Often, the malware then lurks in the network for a long time as a ‘sleeper’ until it is activated once a ‘customer’ has been found. The following example shows how this works in practice.
Sleeper malware on the web
In ‘supply chain attacks’, cyber criminals do not attack their victims directly but their sub-suppliers and customers. A well-known example is the Winnti Group, which malware analysts believe to be based in China. It is currently setting its sights on video game companies in Asia; previously its targets had included the protest movement in Hong Kong and Eastern European embassies. Alongside TeamViewer and CCleaner, online games were also infected with its malware. The attackers often penetrate build systems and source code management servers. If executed, the malware steals huge quantities of information from the victim's PC, including a considerable amount of system information. The backdoor installed at the same time lurks on the network and waits for a specific data packet; the operation does not start until that packet passes through the network. The trigger is the string “Server: Microsoft-IIS” with just one additional space inserted into it. However, if the system language on the PC is set to Chinese or Russian, execution stops immediately. Apparently, the attackers know who not to mess with.
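As an added detection example (not from the article or from the analysts it cites), the following scanner flags HTTP response header blocks whose Server field deviates from the normal single-space form ‘Server: Microsoft-IIS[/version]’, which is the kind of trigger described above. The sample header blocks are constructed for the example, and the check assumes the headers are logged byte-for-byte rather than whitespace-normalised.

```python
import re
from typing import Dict, List

# One Server header line inside a raw header block. 'ows' captures the optional
# whitespace after the colon, 'value' the field value up to the line end.
_SERVER_LINE = re.compile(
    rb"^server:(?P<ows>[ \t]*)(?P<value>[^\r\n]*)", re.IGNORECASE | re.MULTILINE
)


def server_header_anomalies(header_block: bytes) -> List[str]:
    """Return reasons why the Server header deviates from the canonical
    'Server: Microsoft-IIS[/version]' spelling. An empty list means clean."""
    reasons: List[str] = []
    for m in _SERVER_LINE.finditer(header_block):
        ows, value = m.group("ows"), m.group("value")
        # RFC 7230 allows optional whitespace here, but real IIS emits exactly one space.
        if ows != b" ":
            reasons.append(f"{len(ows)} whitespace byte(s) after 'Server:' (expected 1)")
        # The IIS product token and its /version contain no whitespace at all;
        # any space inside or after it is the anomaly worth looking at.
        if value.lower().startswith(b"microsoft-iis") and re.search(rb"\s", value):
            reasons.append(f"whitespace inside IIS product token: {value!r}")
    return reasons


def scan(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the check over named header blocks; only anomalous ones are returned."""
    findings = {name: server_header_anomalies(block) for name, block in samples.items()}
    return {name: reasons for name, reasons in findings.items() if reasons}


# Constructed sample traffic: one benign IIS response, two with an inserted space,
# and one non-IIS server that the IIS-specific check must leave alone.
SAMPLES: Dict[str, bytes] = {
    "normal": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n",
    "space_in_token": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS /10.0\r\nContent-Length: 0\r\n\r\n",
    "double_space": b"HTTP/1.1 200 OK\r\nServer:  Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n",
    "other_server": b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

On the constructed samples only ‘space_in_token’ and ‘double_space’ are reported; a deployment would feed the function from proxy or IDS header captures and alert on any hit.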