Researchers also observed the resurrection of Emotet, increased coinminer activities during growing Bitcoin prices, and an increase in technical support scams, Android subscription scams and spyware.
Avast, a global leader in digital security and privacy released its Q4/2021 threat report today, revealing an immediate exploitation of the Log4j vulnerability by coinminers, RATs, botnets, ransomware, and APTs, in December putting CISO departments under pressure. Furthermore, Avast’s threat researchers observed the revival of the Emotet botnet, and a 40% rise in coinminers, posing risks for consumers and businesses alike. The Q4 findings likewise show an increase in adware, technical support scams on desktop, and subscription scams and spyware on Android devices, targeting consumers. At the same time, Avast saw less ransomware and remote access trojan (RAT) activity.
“Towards the end of the year, the extremely dangerous, ubiquitous, and easy to abuse Log4j vulnerability made CISO departments sweat, and rightly so, as it was weaponized by attackers spreading everything from coinminers to bots to ransomware,” said Jakub Kroustek, Avast Malware Research Director.
“On the other hand, we are happy to report decreases in RAT, information stealer, and ransomware attacks. RAT activity died down thanks to the holidays, with bad actors even going as far as copying the DcRat remote access trojan and renaming it ‘SantaRat’. We saw a slight decrease in information stealer activity, likely due to a significant decrease in infections through password and information stealer Fareit, which dropped by 61% vs. the previous quarter,” noted Jakub Kroustek. “The havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies, and security vendors to hunt down ransomware authors and operators, and we believe all of this resulted in a significant decrease in ransomware attacks in Q4/2021. The ransomware risk ratio decreased by an impressive 28% compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite.”
Cybercriminals attacking businesses via Log4j vulnerability and via RATs abusing Azure and AWS
The vulnerability in Log4j, a Java logging library, proved extremely dangerous for businesses because of the ubiquity of the library and the ease of exploitation. Avast researchers observed coinminers, RATs, bots, ransomware, and APT groups abusing the vulnerability. Various botnets abused the vulnerability, including the infamous Mirai botnet. Most bot attacks were just probes testing the vulnerability, but Avast also noticed numerous attempts to load potentially malicious code. For instance, some RATs were spread using the vulnerability, the most prevalent of which were NanoCore, AsyncRat and Orcus. A low-quality ransomware, called Khonsari, was the first ransomware the researchers saw exploiting the vulnerability.
In addition to exploiting the Log4j vulnerability to spread RATs, cybercriminals exploited the CVE-2021-40449 vulnerability, which was used to elevate permissions of malicious processes by exploiting the Windows kernel driver. Attackers used this vulnerability to download and launch the MistarySnail RAT. Moreover, a very important cause of high NanoCore and AsyncRat detections was caused by a malicious campaign abusing the cloud providers, Microsoft Azure and Amazon Web Service (AWS). In this campaign malware attackers used Azure and AWS as download servers for their malicious payloads to attack businesses.
Moreover, Avast researchers saw the bad actors behind Emotet rewrite several of its parts, reviving their machinery, and taking the botnet market back with the latest Emotet reincarnation.
Adware, Coinminers, and Tech Support Scams Targeting Consumers
Desktop adware and rootkit activity increased in Q4/2021. Avast researchers believe these trends are related to the Cerbu rootkit, which can hijack browser homepages and redirect site URLs according to the rootkit configuration. Cerbu can therefore easily be deployed and configured for adware, annoying victims with unwanted ads and capable of adding a backdoor to victims’ machines.
While the Bitcoin price increased at the end of 2021, the number of coinminers spreading increased by 40%, often via infected web pages and pirated software. CoinHelper was one of the prevalent coinminers very active throughout Q4/2021, mostly targeting users in Russia and the Ukraine. Coinminers stealthily abuse a user’s computing power to mine crypto currencies, which can cause high electricity bills and impact the lifespan of the user’s hardware. Additionally, CoinHelper harvests various information about its victims including their geolocation, antivirus solution they have installed, and hardware they are using. Despite observing multiple crypto currencies configured to be mined, including Ethereum and Bitcoin, Monero stood out to Avast researchers in particular. Monero is designed to be anonymous, however, the wrong usage of addresses and the mechanics of how mining pools work, enabled the researchers to gain deeper insights into the malware authors’ Monero mining operation. They found that the total monetary gain from the CoinHelper coinminer was 339,694.86 USD as of November, 29, 2021. In the month of December, it mined an additional ~15.162 XMR, ~3,446.03 USD. CoinHelper is still actively spreading, with the ability to mine ~0.474 XMR every day.
The Avast threat researchers also observed a spike of tech support scams, tricking the user into believing they have a technical problem, and scamming them into calling a hotline where they will be scammed to pay high support fees or grant remote access to their system.
Premium SMS Subscription Scams and Spyware Stealing Facebook Credentials Spreading on Mobile Devices
The Avast Threat Labs noted two mobile threats in the report: Ultima SMS and Facestealer. Ultima SMS, a premium SMS subscription scam resurfaced in the last few months. In October, Ultima SMS apps were available on the Play Store, mimicking legitimate applications and games, often featuring catchy adverts. Once downloaded, they prompted users to enter their phone number to access the app. Subsequently, users were subscribed to a premium SMS service that can cost up to $10 per week. The actors behind UltimaSMS extensively used social media to advertise their applications and accrued over 10M downloads as a result.
Facestealer, spyware designed to steal Facebook credentials, resurfaced on multiple occasions in Q4/2021. The malware masquerades as photo editors, horoscopes, fitness apps and others. After using the app for a period of time, it prompts the user to sign in to Facebook to continue using the app, without adverts.