State of malware: 3 key findings in the latest Malwarebytes report

Spyware activity spiked in 2020, and the malware-as-a-service business model got more sophisticated.


The 2021 State of Malware Report from Malwarebytes, released today, found that cybercriminals are learning from past campaigns to build smarter tooling and are modularizing their products to make distribution easier. The report examined which malware families were most active during 2020, as well as trends in attacks on specific platforms such as Android phones and Macs.

Malwarebytes identified four cybercrime goals in 2020:

  1. Exploit fear related to the COVID-19 pandemic.
  2. Gather intel via phishing attacks, information stealers, and spyware.
  3. Upgrade existing tools and techniques, such as Trickbot and brute force attacks.
  4. Attack with more force and frequency than ever.

The report's authors stated that the rise in brute force attacks, the deployment of customized intrusion tools, and new exploits allowed attackers to map out and infect networks faster than the authors had ever seen.


Here's a look at three of the most significant findings on the state of malware.

Malware-as-a-service matures

Cybercriminals improved the distribution of malware to be more efficient and precise in 2020; this took the form of modularization, according to the report:

"Malicious actors no longer need to be experts at crafting the whole chain of their attacks. The process can be broken up in chunks and these can be refined and perfected. This leaves malware authors to concentrate on making more effective malware, while malware distributors work to improve their networks, all while still making a profit and running their businesses."

The report's authors described a malware campaign in Germany designed to record keystrokes and video to steal financial information. These "GootKit" infections showed up only in Germany, which suggests that the distribution network behind them was sold or rented as a product scoped to a particular geography.

Another component of this trend is "victim vetting mechanisms," according to the report. Malware groups gather information on a target before launching an attack to make sure the potential victim is a lucrative target.

Malwarebytes predicts that the move toward marketplace cybercrime is only going to make the threat landscape more dangerous with malware that is "more sophisticated than most anything we've seen before." 

Egregor ransomware arrives

Security analysts first saw this ransomware family in September 2020, and it reflects lessons cybercrime groups have learned from previous operations. Egregor uses a double extortion model complete with a "shame website," a data-leak site where stolen data may be published. In addition to encrypting files, the malware exfiltrates data from the victim and threatens to publish it online unless the ransom is paid, so restoring from backups alone does not end the pressure on the victim.

The malware encrypts files using the ChaCha and RSA algorithms (the usual pattern for ransomware is a fast symmetric cipher such as ChaCha for file contents, with RSA protecting the symmetric keys so that files cannot be recovered without the attacker's private key). It can also move laterally, depending on how it was deployed on the network. In some instances, the malware sends its ransom notes to printers on infected networks.

The report lists several delivery routes for Egregor:

  • Microsoft Exchange exploit (CVE-2020-0688)
  • VBScript engine exploit (CVE-2018-8174)
  • Adobe Flash Player exploits (CVE-2018-4878/CVE-2018-15982)
  • Cobalt Strike, a commercial adversary-simulation platform widely abused for post-exploitation

According to the Malwarebytes report, Egregor terminates processes related to malware analysis, such as Process Monitor, as well as applications such as MySQL, Microsoft OneNote, and Outlook. The report's authors suggest this serves two purposes: killing analysis tools hampers investigation, and killing applications that hold files open (a database server, a mail client) releases file locks so that more files can be encrypted.
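The process-kill behavior described above is visible in endpoint telemetry. What follows is an added example, not code from the Malwarebytes report, of a sliding-window detection that flags a parent process terminating several of these applications in quick succession. It assumes Sysmon-style process-creation events serialized as JSON lines with the fields UtcTime, ParentProcessId, ParentImage and CommandLine; it models only kills issued through taskkill /IM, since the report does not say how Egregor terminates the processes; and the extra analysis-tool names and the sample log lines are constructed.

```python
"""Detect a process-kill sweep of the kind the report attributes to Egregor.

Added example, not code from the report or from Malwarebytes. Assumes
Sysmon-style process-creation events as JSON lines (UtcTime,
ParentProcessId, ParentImage, CommandLine) and models only taskkill /IM;
the sample events below are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image names for what the report says Egregor terminates (Process Monitor,
# MySQL, OneNote, Outlook); procexp/wireshark are an added assumption.
ANALYSIS_TOOLS = {"procmon.exe", "procmon64.exe", "procexp.exe", "wireshark.exe"}
DATA_APPS = {"mysqld.exe", "onenote.exe", "outlook.exe"}
WATCHLIST = ANALYSIS_TOOLS | DATA_APPS

WINDOW = timedelta(seconds=60)   # how close together the kills must be
MIN_TARGETS = 3                  # distinct watchlisted targets needed to alert

# taskkill, optionally quoted and/or with a full path, as the first token
_TASKKILL = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?taskkill(?:\.exe)?"?\s', re.I)
_IMAGE = re.compile(r'/im\s+"?([\w.-]+)"?', re.I)


def kill_target(command_line):
    """Return the lower-cased image name a taskkill /IM command targets, else None."""
    if not _TASKKILL.match(command_line):
        return None
    m = _IMAGE.search(command_line)
    return m.group(1).lower() if m else None


def parse_events(jsonl):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_kill_sweeps(events):
    """Return one alert per parent process that kills MIN_TARGETS or more
    distinct watchlisted processes within WINDOW seconds of each other."""
    history = defaultdict(list)   # (pid, image) -> [(time, target), ...]
    alerts = {}                   # (pid, image) -> alert dict
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        target = kill_target(ev.get("CommandLine", ""))
        if target not in WATCHLIST:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        key = (ev["ParentProcessId"], ev["ParentImage"])
        hist = history[key]
        hist.append((ts, target))
        while hist and ts - hist[0][0] > WINDOW:   # slide the window forward
            hist.pop(0)
        targets = {t for _, t in hist}
        if len(targets) >= MIN_TARGETS:
            alert = alerts.setdefault(key, {
                "parent_image": ev["ParentImage"],
                "parent_pid": ev["ParentProcessId"],
                "first_kill": hist[0][0].isoformat(),
                "targets": [],
            })
            alert["targets"] = sorted(set(alert["targets"]) | targets)
            alert["hits_analysis_tool"] = any(t in ANALYSIS_TOOLS for t in alert["targets"])
    return list(alerts.values())


# Constructed sample: one suspicious sweep, one routine admin kill, one irrelevant kill.
SAMPLE_LOG = r"""
{"UtcTime": "2020-12-01 03:14:05", "ParentProcessId": 4120, "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "taskkill /F /IM procmon.exe"}
{"UtcTime": "2020-12-01 03:14:06", "ParentProcessId": 4120, "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "taskkill /F /IM mysqld.exe"}
{"UtcTime": "2020-12-01 03:14:06", "ParentProcessId": 4120, "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "taskkill /F /IM OUTLOOK.EXE"}
{"UtcTime": "2020-12-01 03:14:07", "ParentProcessId": 4120, "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "taskkill /F /IM onenote.exe"}
{"UtcTime": "2020-12-01 03:20:00", "ParentProcessId": 2200, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\taskkill.exe\" /F /IM outlook.exe"}
{"UtcTime": "2020-12-01 03:21:00", "ParentProcessId": 3300, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "taskkill /F /IM notepad.exe"}
"""

if __name__ == "__main__":
    for alert in detect_kill_sweeps(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The rule keys on the sweep rather than on any single target, because one taskkill of Outlook by an administrator is routine noise; the hits_analysis_tool flag is there so a triage queue can rank sweeps that also kill investigative tooling above those that only touch business applications. WINDOW, MIN_TARGETS and the watchlist are tuning knobs, and a production version would also cover other kill mechanisms (net stop, sc stop, direct TerminateProcess calls as surfaced by an EDR).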

The malware is also selective about location. Egregor checks location information on infected systems and, if the system appears to be in one of a list of countries that are mostly former Soviet republics (including Armenia, Belarus, Georgia, Kazakhstan, Romania, Russia, and Turkmenistan), it exits without encrypting anything.

Even though Egregor was active for only the last four months of the year, it was prolific enough to prompt a warning from the FBI and to hit victims including Ubisoft, Kmart, Crytek, and Barnes & Noble.


Spyware was everywhere

Malwarebytes tracks "stalkerware" in two detection categories, monitor and spyware. In the first half of 2020, detections of monitor applications rose 780% and spyware detections rose 1,677%. Detections began dropping in July and continued to fall through the rest of the year, but both categories were still higher in December 2020 than they had been in January 2020.

Some of this activity was driven by the coronavirus, as governments turned to tracking phones to monitor movement and limit outbreaks. Some countries offered tracking apps on a voluntary basis, but others collected location data without user consent.

The rollout of these apps provided a real-time test of how much privacy citizens were willing to give up in the name of public health. Over the course of the year, the public discovered, "the measures taken by their own governments sometimes placed them in a difficult vice—give up their data privacy for only a minute chance of being better informed," as the report noted. 

In addition, the Malwarebytes report noted that legislative activity in support of new privacy rules fell as governments coped with the pandemic: far fewer bills intended to strengthen consumer data protection were introduced in the US in 2020 than in 2018 and 2019.
