Threat Intelligence

Criminals Move Markets to Remain in the Shadows

While malware families and targets continue to evolve, the most important shift might be happening in the background.

Fo cybercriminals, the Internet of Things (IoT) is becoming a bigger draw, ransomware is still a profitable tool, and there are ways around even major legal actions. Those are some of the conclusions in the "McAfee Labs Threats Report: December 2018," released this week.

A number of findings in the report show certain trends continuing long-term patterns. New examples of IoT malware grew 72% in the third quarter, part of a total malware increase of 203% in past four quarters. And while many analysts have seen the growth of cryptominers slow in recent months, cryptomining malware increased by 71%, a figure based largely on the continuing growth in the number of IoT devices themselves.

"Platforms based on Linux are predominantly being hit," the McAfee research team told Dark Reading in an email interview, as they explained the rise in IoT malware. "Whereas previously these were dominated by DDoS-related botnets – the introduction of cryptojacking has led to the increase."

While these numbers are impressive, the most important developments in the malware landscape may be occurring behind the scenes. "Several individual sellers have moved away from large markets and have opened their own specific marketplaces," the McAfee researchers said. Other marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, have become popular replacements for the lost markets (though Olympus Market suddenly disappeared, taking money and trusted relationships with it).

In a continuing response to the legal takedown of major Dark Web markets like Hansa and AlphaBay, and the disappearance of Olympus Market, some criminals have created their own "dark commerce" sites where they do business with their customers, the researchers said. These smaller sites make it more difficult for law enforcement to gain access and conduct surveillance on criminal activity.

Another trend that makes life more challenging for law enforcement is a growing tendency by some criminals to forgo a Web-based market altogether and use communications networks such as Telegram to conduct their business.

The communication is critically important for the criminals due to the continuing growth of criminal affiliate networks, seen in the evolution and increase of affiliate-architected malware such as the GandCrab ransomware package. The affiliate model is also seen in the operation of "RDP shops" that sell remote desktop access to compromised servers so that criminals can install and run their illicit software. "RDP continues to be an Achilles heel for many organizations, judging by the amount of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method," the report states.

Malware's evolution makes McAfee's suggestion that security also continue to evolve an obvious step. "We have to consider the speed in which criminal operators are adapting techniques and leveraging new approaches to achieve their objectives," the research team told Dark Reading. "For example, the introduction of new exploit kits and the continual development of GandCrab suggests that security teams need to remain vigilant on the evolution of such new threats."

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
1/14/2019 | 10:29:27 PM
Wait for the network!
Honestly speaking, if I were a cyber criminal, I would be waiting for the IoT with bated breath. It all seems very wonderful - all this secret information in storage being made a all portable and freely communicated over a network. All you have to do is figure out how to get your fingers into that network to extract all that information. Seems easy enough!
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
1/4/2019 | 3:20:35 AM
Criminal works
Even criminals know how to remain relevant in today's highly competitive industry. It is never a safe play to continue pursuing their illegal acts within the same sector in order to avoid being detected. They need to move swiftly in order to remain active but being completely discreet.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
CVE-2019-9925
PUBLISHED: 2019-03-22
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
CVE-2019-9927
PUBLISHED: 2019-03-22
Caret before 2019-02-22 allows Remote Code Execution.
CVE-2019-9936
PUBLISHED: 2019-03-22
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.