Top Malware Trends for Q1 of 2017

The first quarter of this year has already flown by, and with it, many events as well: a new president was sworn into office, the biggest comeback in the history of the Super Bowl occurred, and a new champion was declared in the college basketball arena. There was also a lot of activity within the world of cybersecurity, primarily in relation to malware. To summarize this activity, it would be helpful for us to take a look at the top five malware trends.

  1. Star Trek-themed ransomware brings us a new ransom payment method — Ransomware variants come in all shapes and sizes, targeted at nearly every group of people and every fandom out there, so it is not surprising to see a Star Trek-themed variant trying to dupe Trekkies into coughing up money to regain access to their compromised files. More shocking than the malware itself, dubbed ‘Kirk ransomware,’ is the payment method the hackers request: Monero. Touted as even more elusive, secure, and anonymous than Bitcoin, the usual cryptocurrency payment method, Monero has been eyed by cybercriminals ever since its inception as a hard-to-track way to get paid, and this was the first ransomware to demand it. It appears the first quarter of the year brought Bitcoin some competition as the underground’s cryptocurrency of choice.
  2. Small-to-medium sized businesses are highly targeted — Forty-three percent of cyberattacks in 2016 targeted small-to-medium sized businesses, or SMBs, and of course this includes malware. A new study by Datto shows that SMB customers are very heavily targeted by criminals this year and expects that to continue into the future. Unfortunately, many businesses of this size do not have the resources, financial or otherwise, to prepare for potential ransomware or malware threats. Not only were these businesses heavily targeted in 2016, but so far this year they have already been the most heavily targeted business demographic outside of hospitals.
  3. Card skimming made easier by MajikPOS — The first quarter of 2017 brought malware to brick-and-mortar retail via MajikPOS, a new type of malware capable of stealing credit card information through a modular attack researchers had never encountered before. It is affecting many businesses across the US and Canada, primarily gas stations, where card skimmers can be put in place without point-of-sale workers seeing the criminals install them. MajikPOS is believed to be responsible for stealing over 23,000 credit card numbers in the US and Canada, most of which end up being sold on the darknet.
  4. Inadequate anti-virus tools leave us vulnerable — Thankfully, it does seem as though the general public is taking at least some sort of defense against cyber attacks, and they are doing so through anti-virus software. Unfortunately, however, nearly one-third of all malware types still sneak onto computers because the antivirus fails to detect the threat. It is evident this major problem will need to be solved sooner rather than later, seeing as it affects many more individuals and businesses than some other weaknesses, although it is doubtful that this will happen any time soon.
  5. WYSIWYE malware emerges — WYSIWYE, or What You See is What You Encrypt, malware allows cybercriminals to virtually hand-pick their target and release a personalized ransomware strain. Because of its advanced customization features, including self-deletion, stealth mode, and encrypting specific files, this malware type is causing major headaches within the cybersecurity industry and beyond.

Protect yourself and your business by staying informed on the current malware and other cybersecurity-related trends by paying attention to cyber-news as well as keeping up with the Axiom Cyber Solutions blog.

Hailey R. Carlson | Axiom Cyber Solutions | 04/12/2017

“Name Brand” Malware: Malware Variants You Should Know

Malware, short for ‘malicious software,’ is software meant to harm computers and computer networks. We hear about different types of malware, such as botnet malware and ransomware, and about different variants of those types as well; but do we know enough about the malware currently threatening us? Here, we take an in-depth look at three of the most talked-about malware families of 2016.

Mirai Botnet Malware

Mirai is the Japanese word for ‘future,’ which is fitting, since this is one of the most advanced types of malware yet. This malware, created in August 2016, turns any Internet of Things (IoT) device running Linux into a remotely controlled bot. A bot is an application that performs automated tasks, such as setting an alarm; combined with other bots, it can be used as part of a botnet in large-scale network attacks. Though these devices are meant to make our lives easier, they are often not properly secured and can consequently be used in malicious attacks. The most notable use of Mirai botnet malware in an attack happened in October of this year, in a Distributed Denial of Service (DDoS) attack against domain name service (DNS) provider Dyn.

Dyn, the DNS provider for major websites including Twitter, Netflix, Reddit, and Spotify, was hit by one of the largest DDoS attacks to date, an attack fueled by Mirai-infected IoT devices including Internet-enabled DVRs, surveillance cameras, and other Internet-enabled devices. Because of all the popular websites it affected, this Mirai botnet attack is considered the attack that ‘shook the Internet.’

Mirai easily infects its victims because IoT devices are some of the least protected things out there. The only way as of right now to combat this malware is to secure your IoT devices in various ways.

Locky Ransomware

Scanning the news online with just the search term ‘ransomware’ delivers a whole host of recent ransomware variants that are threatening our files. One of the most common variants among these search results is ‘Locky’ ransomware. This strain is so named because it renames all of your important files so that they carry the extension .locky.

The most common way that Locky infects your computer is via email. The victim receives an email containing an attached document (Troj/DocDl-BCF) that displays as an illegible mess of odd symbols. The document then advises you to enable macros if the ‘encoding is incorrect.’ Since the message in the document is indiscernible to the reader, he or she will likely enable these macros, resulting in infection. Enabling the macros does not actually correct the text encoding; instead, code inside the document runs, saves a file to disk and executes it. The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks. That payload could be anything, but in this case it is usually the Locky ransomware (Troj/Ransom-CGW); Locky then scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Once a computer has been infected with Locky Ransomware, the victim’s desktop screensaver is changed to display the ransom payment instructions. These instructions lead the victim to the dark web, where they can pay the ransom. Unfortunately there is not much that can be done other than paying this ransom, which is why it is important to take preventative measures, such as those listed at the end of this article.

Popcorn Time Ransomware

Of all of the current, popular malware out there, ransomware variant, ‘Popcorn Time,’ is among the newest and most evil of them all. This form of ransomware is named after, but not related to, the torrenting site of the same name and it is believed that this malware was created by a team of Computer Science students from Syria.

This variant takes its cue from movies like The Box and the Saw series in that it forces its victims to make a detrimental choice: infection of their own files, or their friends’. Once hit with the cyber-attack, the victim has seven days to decide whether he or she will pay the 1 bitcoin ransom, equivalent to about $780 currently, or pass it along to two ‘friends’ instead. If the victim decides to give up his or her comrades’ information, the malware is allegedly deleted from the initial computer entirely and moves on to ask for payment from its new victims. Once the ransom has been paid by either the initial or the secondary victim(s), they receive a decryption code; the victim has four tries to type in the code before his or her computer files are all deleted.

This ‘pass the buck’ payment method is what makes this malware variant so unique. It prompts victims with a moral question that might turn up surprising results when their backs are against the wall.

How to Avoid These Major Malware Threats

  • Avoid suspicious downloads: Malware infects computers primarily through the user clicking on a malicious link in an email or via a suspicious download. If you do not know the validity of a link, you should not click on it. This is a simple step that can go a long way when it comes to protecting your files.
  • Back up your files: If you are unfortunate enough to be the victim of a malicious ransomware attack, you can avoid paying the criminals if all of your data is backed up to an external hard drive or some other source. The FBI advises victims of this crime not to pay the ransom, so as to discourage the hackers from doing the same thing again; it instead recommends that victims report the incident to the agency so that it can hopefully track down these people.
  • Secure your IoT devices: When it comes to Mirai botnet malware in particular, it is important to secure your Internet-connected devices. Many of these devices come with a default password, which you should change in order to make it harder for cyber-criminals to get to your data. Also, when at all possible, turn off remote access to your IoT devices. Leaving a device active while not in use leaves it extremely vulnerable to use in an attack similar to that against Dyn DNS.
  • Don’t enable macros in documents received via email: Microsoft itself turned off auto-execution of macros by default many years ago as a security measure. Many malware infections rely on persuading you to turn macros back on, so avoid them by not enabling macros.
  • Keep your anti-virus & anti-malware updated: While backing up your data and avoiding sneaky sites or links is effective, preventing this malware from getting onto your computer in the first place is a key preventative measure in fighting malware. Keeping your computer’s anti-virus and anti-malware up-to-date is something simple you can do to protect against malware, and most even allow you to set automatic updates, so you rarely need to think about it at all.
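The Locky infection chain described earlier and the macro advice in the last bullet both hinge on one attachment property: whether an Office document carries VBA at all. The triage function below is an added example (not Sophos’s or Axiom’s tooling) of the check a mail gateway could apply before delivery; it relies on Office Open XML files being ZIP archives whose macros live in a part named vbaProject.bin, and on legacy binary .doc/.xls files starting with the OLE2 signature. The sample archives it builds are constructed in memory, not real documents.

```python
"""Triage an Office attachment before anyone is asked to 'enable macros'.

Added example, not Sophos or Axiom tooling. Two facts drive it:
  * Office Open XML files (.docx, .docm, .xlsm, ...) are ZIP archives; any
    VBA they contain is stored in a part named vbaProject.bin.
  * Legacy binary Office files (.doc, .xls) are OLE2 compound files that
    begin with a fixed 8-byte signature; their macros are not visible
    without parsing the OLE streams, so a gateway should hold them for
    deeper inspection rather than assume they are clean.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Return 'ole2-legacy', 'ooxml-macro', 'ooxml-clean' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return "other"
    # word/, xl/ and ppt/ all store VBA under the same part name.
    if any(name.lower().endswith("vbaproject.bin") for name in names):
        return "ooxml-macro"
    return "ooxml-clean"


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold anything that carries, or may hide, macros."""
    return classify_office_attachment(data) in ("ooxml-macro", "ole2-legacy")


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style archive (not a real document)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    samples = {
        "macro-enabled": make_sample_ooxml(True),
        "plain": make_sample_ooxml(False),
        "legacy .doc": OLE2_MAGIC + b"\x00" * 64,
        "pdf": b"%PDF-1.4 constructed",
    }
    for label, blob in samples.items():
        verdict = "QUARANTINE" if should_quarantine(blob) else "deliver"
        print(f"{label:14} {classify_office_attachment(blob):12} {verdict}")
```

The legacy-format verdict is deliberately conservative: an OLE2 file is held for inspection even when it turns out to be macro-free, because the cheap header check cannot tell.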

Hailey R. Carlson | Axiom Cyber Solutions | 12/14/2016

Suspicious Images on Social Media Are Spreading Malware to Your Computer

Steganography, the practice of concealing a hidden message or other data in an otherwise legitimate- or innocent-looking image, has been around since ancient Grecian times as a way to sneak information past enemies without them realizing it. Whereas in those days the messages were hidden in paintings, texts, and sculptures, today they are ‘hidden’ on the Internet in plain sight all across social media in the form of malicious images.

Users of social media sites such as Facebook and LinkedIn are being infected by hackers who embed malicious code into image files that then deliver malware to innocent users’ computers, a new attack vector jokingly referred to as ‘ImageGate.’ The attackers exploit a security misconfiguration on the websites to force their victims to download the image file, which begins its infection once the downloaded malicious file has been clicked on.

The company that has been conducting much of the research surrounding these malicious files is Israeli software technology company Check Point. The company’s research team uncovered a few methods that could be fueling this new attack vector; Oded Vanunu, head of products vulnerability research at Check Point, states, “Our primary finding is embedding an .HTA format into an image file (could be a JPEG too), which is relevant to all browsers. . . It can also be executed with a .SVG file that is embedded into Java Script.” A Scalable Vector Graphics, or .SVG, file is a fairly new file type that is very attractive to cyber-criminals. SVG is XML-based, meaning a criminal can embed any type of content they want – like malicious JavaScript code, as mentioned by Vanunu.

If a user does end up clicking on these files, the malicious image will direct them to a website that appears to be YouTube, however, its URL shows that it obviously is not a legitimate YouTube link. Once the page is loaded, the victim is prompted with a vicious Chrome extension pop-up in order to play the video that’s shown on the page. If the extension is installed, the attack is then spread further via Facebook Messenger and it sometimes even installs the Nemucod downloader, which ultimately delivers the Locky variant of ransomware.
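Vanunu’s point that SVG is XML and can therefore carry script is something a gateway can check mechanically. The scanner below is an added example (not Check Point’s or Axiom’s code) that walks an SVG document and reports the places active content can hide: <script> and <foreignObject> elements, on* event-handler attributes, and javascript: links. The two SVG inputs are constructed samples, not captured ImageGate files.

```python
"""Flag SVG files that carry active content.

SVG is XML, so a <script> element or an event-handler attribute rides
along with the picture. This scanner (an added example, not Check Point's
or Axiom's tooling) reports every place active content appears so a mail
or upload gateway can quarantine the file instead of serving it as an image.
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def active_content(svg_bytes: bytes) -> list:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML cannot be vetted, so report it rather than pass it.
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed samples (not real-world captures).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>alert(1)</script>
  <a xlink:href="javascript:void(0)"><text y="10">click</text></a>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        result = active_content(blob)
        print(label, "->", result or "clean")
```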

Social Networks’ Comments

Facebook and LinkedIn, the primary sites that are affected by the malware- and ransomware-ridden images, have both commented on the issue:

Facebook representatives said:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”

LinkedIn also addressed ImageGate via a company spokesperson who said:

“We investigated this report and believe this method is not especially effective. . .While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected.”

How to Avoid Infection

Though it is apparent that social media sites are adamant that these threats are not a serious issue, many users have claimed ‘ImageGate’ has affected them personally. Regardless of whom you choose to believe, it is important to take any possible precautions you can in order to avoid attack.

  1. To avoid infection, social media users should avoid opening files that are downloaded as a result of clicking on an image, or that carry unusual file extensions such as .SVG, .JS or .HTA. Some of these files are downloaded in the background, so users do not see them initially; this is why it is important to be cautious of these file extensions when clicking on any file on your computer, as it may have been lying dormant in the background without your knowledge or consent. The threat that ImageGate poses can only come to fruition if the user clicks on the malicious files, so avoid clicking on those at all costs.
  2. Be wary of messages you receive that are just an ‘image’ – especially if it is in a manner in which the sender would not usually behave. Many of the malicious images people claim to have Locky ransomware embedded in them have been sent through Facebook Messenger, not just images on users’ homepages.
  3. Stay up-to-date on your security measures when it comes to social media. Change your password often and take advantage of many sites’ two-factor authentication feature in order to better protect your accounts with minimal effort required on your end.
  4. Do not click on any suspicious-looking pop-up extensions such as the Chrome extension used to spread Locky ransomware. If something doesn’t look right about the image or the pop-up, there probably is something wrong with it. Trust your gut and avoid these malicious links.

Hailey R. Carlson | Axiom Cyber Solutions | 12/8/2016

Malware: It’s Everywhere

Articles about malware infiltrating everything from our ATMs to iOS apps and baby monitors have been the focus of many tech news outlets as of late. Listed below are some of the more troubling attack vectors that have been exploited in recent weeks.

This past month, ATMs in Mexico were discovered to carry malware that enabled hackers to withdraw all the cash from a victim’s account. That malware has yet to make its way to the U.S.; however, researchers believe it is only a matter of time, as industry officials have stated that the same malware code could be used in U.S.-based ATMs if they are not adequately protected.

Apple suffered its worst malware attack yet: 50 malware-infected apps found their way into the App Store earlier this week, affecting customers’ iPhones and iPads. While Apple hasn’t confirmed whether this iOS malware has stolen any customer data, it has since removed the infected apps from its store.

Baby monitors and Web-enabled cameras manufactured in China have recently been shown to ship from the factory loaded with rootkit exploits, and they remain vulnerable to web-based malware attacks through the graphical-UI weaknesses discovered last year.

In a related trend, some of the top baby monitoring and security mobile apps have been shown to be susceptible to the same UI exploits.

With the incoming wave of IoT and mesh enabled devices, we expect an increase in the number of attack vectors and subsequent exploits as developers learn to secure these protocols against more enterprising black hat engineers.

More than 317 million malware signatures (both computer viruses and other malicious software) were created last year according to Symantec’s 2015 Security Threat Report. That means nearly one million new threats were released each day.

In 2015, “Malware is going to become the tool of choice rather than others because it’s easy to build,” said Paul Christman, VP of Public Sector Software at Dell.

“The level of sophistication for malware is going to become higher and higher and higher. It’s going to become easier to construct malware out of recyclable parts that are generally available via the Internet. From that perspective, the barrier to entry for malware is going to be lower.”

While the more complicated malware attacks are just now emerging publicly, many have been in development for more than half a decade, according to Joe Stewart, the director of malware research at Dell SecureWorks.

The most important thing to note about malware is that users must be knowledgeable, and know how to navigate the landscape of fake ads and buttons, to keep safe. Following basic cyber security tips such as keeping your software up to date, using unique passwords, and thinking before clicking on suspicious links can prevent a majority of malware attacks.

As simple as these steps sound, following them has proven time and time again to be one of the most difficult things to do. Getting your employees, for example, to follow safe cyber practices can be easier said than done. What could be deemed an innocent visit to Facebook or a favorite news site could give hackers a launching pad to penetrate a business’s systems. It’s safe to say that most people will use their work computer for personal use at one point or another.

Joseph Demarest, assistant director of the FBI’s cyber division says, “The malware used in the Sony hack would have slipped past 90% of defenses today. By taking steps to learn about cyber security, many businesses can take it upon themselves to be proactive and do what they can to protect themselves.”

Axiom engineers agree. Perimeter and physical security are just as important as end-point protection. Often the best line of defense is a combination of continuing education, good software, and constant vigilance.

If you or your organization needs help, feel free to contact us for information on SME and corporate education seminars as well as Axiom’s continuously adapting line of security appliances, Sentinel. #FightBackWithAxiom