Threat Intelligence

Criminals Move Markets to Remain in the Shadows

While malware families and targets continue to evolve, the most important shift might be happening in the background.

Fo cybercriminals, the Internet of Things (IoT) is becoming a bigger draw, ransomware is still a profitable tool, and there are ways around even major legal actions. Those are some of the conclusions in the "McAfee Labs Threats Report: December 2018," released this week.

A number of findings in the report show certain trends continuing long-term patterns. New examples of IoT malware grew 72% in the third quarter, part of a total malware increase of 203% in past four quarters. And while many analysts have seen the growth of cryptominers slow in recent months, cryptomining malware increased by 71%, a figure based largely on the continuing growth in the number of IoT devices themselves.

"Platforms based on Linux are predominantly being hit," the McAfee research team told Dark Reading in an email interview, as they explained the rise in IoT malware. "Whereas previously these were dominated by DDoS-related botnets – the introduction of cryptojacking has led to the increase."

While these numbers are impressive, the most important developments in the malware landscape may be occurring behind the scenes. "Several individual sellers have moved away from large markets and have opened their own specific marketplaces," the McAfee researchers said. Other marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, have become popular replacements for the lost markets (though Olympus Market suddenly disappeared, taking money and trusted relationships with it).

In a continuing response to the legal takedown of major Dark Web markets like Hansa and AlphaBay, and the disappearance of Olympus Market, some criminals have created their own "dark commerce" sites where they do business with their customers, the researchers said. These smaller sites make it more difficult for law enforcement to gain access and conduct surveillance on criminal activity.

Another trend that makes life more challenging for law enforcement is a growing tendency by some criminals to forgo a Web-based market altogether and use communications networks such as Telegram to conduct their business.

The communication is critically important for the criminals due to the continuing growth of criminal affiliate networks, seen in the evolution and increase of affiliate-architected malware such as the GandCrab ransomware package. The affiliate model is also seen in the operation of "RDP shops" that sell remote desktop access to compromised servers so that criminals can install and run their illicit software. "RDP continues to be an Achilles heel for many organizations, judging by the amount of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method," the report states.

Malware's evolution makes McAfee's suggestion that security also continue to evolve an obvious step. "We have to consider the speed in which criminal operators are adapting techniques and leveraging new approaches to achieve their objectives," the research team told Dark Reading. "For example, the introduction of new exploit kits and the continual development of GandCrab suggests that security teams need to remain vigilant on the evolution of such new threats."

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
1/14/2019 | 10:29:27 PM
Wait for the network!
Honestly speaking, if I were a cyber criminal, I would be waiting for the IoT with bated breath. It all seems very wonderful - all this secret information in storage being made a all portable and freely communicated over a network. All you have to do is figure out how to get your fingers into that network to extract all that information. Seems easy enough!
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
1/4/2019 | 3:20:35 AM
Criminal works
Even criminals know how to remain relevant in today's highly competitive industry. It is never a safe play to continue pursuing their illegal acts within the same sector in order to avoid being detected. They need to move swiftly in order to remain active but being completely discreet.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Now, we come here to play Paw-ke Man Go!"
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
CVE-2018-18908
PUBLISHED: 2019-01-20
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requ...
CVE-2019-6496
PUBLISHED: 2019-01-20
The ThreadX-based firmware on Marvell Avastar Wi-Fi devices allows remote attackers to execute arbitrary code or cause a denial of service (block pool overflow) via malformed Wi-Fi packets during identification of available Wi-Fi networks. Exploitation of the Wi-Fi device can lead to exploitation of...
CVE-2019-3773
PUBLISHED: 2019-01-18
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVE-2019-3774
PUBLISHED: 2019-01-18
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.