Whether it is used in direct methods of attack or as an enabler for downstream cybercrime, malware remains one of the key threat areas within cybercrime. The malware identified as the current threats across the EU by EU law enforcement can be loosely divided into three categories based on their primary functionality – ransomware, Remote Access Tools (RATs) and info stealers. It is recognised that many malware variants are multifunctional however and do not sit neatly in a single category. For example, Blackshades is primarily a RAT but has the capability to encrypt files for ransom attacks; many banking Trojans have DDoS capability or download other malware onto infected systems.
Ransomware remains a top threat for EU law enforcement. Almost two-thirds of EU Member States are conducting investigations into this form of malware attack. Police ransomware accounts for a significant proportion of reported incidents, however this may be due to an increased probability of victim reporting or it simply being easier for victims to recognise and describe. Industry reporting from 2014 indicates that the ransomware phenomenon is highly concentrated geographically in Europe, North America, Brazil and Oceania1.
CryptoLocker is not only identified as the top malware threat affecting EU citizens in terms of volume of attacks and impact on the victim, but is considered to be one of the fastest growing malware threats. First appearing in September 2013, CryptoLocker is believed to have infected over 250 000 computers and obtained over EUR 24 million in ransom within its first two months2. CryptoLocker is also a notable threat amongst EU financial institutions.
In May 2014, Operation Tovar significantly disrupted the Gameover Zeus botnet, the infrastructure for which was also used to distribute the CryptoLocker malware3. At the time the botnet consisted of up to one million infected machines worldwide. The operation involved cooperation amongst multiple jurisdictions, the private sector and academia. Tools to decrypt encrypted files are now also freely available from Internet security companies4.
Curve-Tor-Bitcoin (CTB) Locker is a more recent iteration of cryptoware using Tor to hide its command and control (C2) infrastructure. CTB Locker offers its victims a selection of language options to be extorted in and provides the option to decrypt a "test" file for free. Although not as widespread as CryptoLocker, CTB Locker was noted as a significant and growing threat by a number of EU Member States. This is supported by industry reporting which indicates that up to 35% of CTB Locker victims reside within Europe5.
Remote Access Tools exist as legitimate tools used to access a third party system, typically for technical support or administrative reasons. These tools can give a user remote access and control over a system, the level of which is usually determined by the system owner. Variants of these tools have been adapted for malicious purposes making use of either standard or enhanced capabilities to carry out activities such as accessing microphones and webcams, installing (or uninstalling) applications (including more malware), keylogging, editing/viewing/moving files, and providing live remote desktop viewing, all without the victims knowledge or permission.
Blackshades first appeared in approximately 2010 and was cheaply available (~€35) on hacking forums. In addition to typical RAT functionality, Blackshades can encrypt and deny access to files (effectively acting as ransomware), has the capability to perform DDoS attacks, and incorporates a "marketplace" to allow users to buy and sell bots amongst other Blackshades users6.
In May 2014, a two-day operation coordinated by Eurojust and Europol's EC3 resulted in almost 100 arrests in 16 countries worldwide. The operation targeted sellers and users of the Blackshades malware including its co-author. Despite this, the malware still appears to be available, although its use is in decline.
DarkComet was developed by a French security specialist known as DarkCoderSC in 2008. The tool is available for free. In 2012 DarkCoderSC withdrew support for the project and ceased development as a result of its misuse7. However it is still in circulation and widely used for criminal purposes.
Data is a key commodity in the digital underground and almost any type of data is of value to someone; whether it can be used for the furtherance of fraud or for immediate financial gain. It is unsurprising then that the majority of malware is designed with the intent of stealing data. Banking Trojans - malware designed to harvest login credentials or manipulate transactions from online banking - remain one of the top malware threats.
First appearing in 2006, Zeus is one of most significant pieces of malware to date. The Zeus source code was publically leaked in May 2011 after its creator abandoned it in late 2010. Since then a number of cybercrime groups have adapted the source code to produce their own variants. As such Zeus still represents a considerable threat today and will likely continue to do so as long as its original code can be updated and enhanced by others.
Gameover Zeus (GOZ) or Peer-to-Peer (P2P) Zeus was one such variant which used a decentralised network of compromised computers to host its command and control infrastructure, thereby making it more resistant to law enforcement intervention.
In June 2015, a joint investigation team (JIT) consisting of investigators and judicial authorities from six European countries, supported by Europol and Eurojust, arrested a Ukrainian cybercrime group who were developing and distributing the Zeus and Spyeye malware and cashing-out the proceeds of their crimes. The group is believed to have had tens of thousands of victims and caused over EUR 2 million in damages.
Citadel is a successful descendant of Zeus. It first appeared in circa 2012 and was initially sold openly on underground forums before being withdrawn from general distribution later that year. Its sale and use is now limited to select groups. Citadel infection rates have never reached the huge numbers Zeus itself has attained. Instead Citadel appears to be used for much more targeted (APT) attacks - campaigns targeting specific businesses or government entities8 9. Citadel has been noted as the first malware to specifically target password management solutions10.
Ice IX is another first generation Zeus variant following the release the Zeus source code, appearing in the same time period as Citadel. Although its use appears to be in decline, several EU Member States have still actively investigated cases of its use.
Spyeye appeared in late 2009 on Russian underground forums. Cheaper than the leading malware kit at the time (Zeus) while mirroring much of its functionality, Spyeye quickly grew in popularity. It is believed that when Zeus developer Slavik ceased Zeus's development, the source code was sold/transferred to Spyeye developer Harderman/Gribodemon, only a short while before the Zeus source code was leaked publically. In January 2014, Russian national Panin pleaded guilty before a US federal court on charges related to the creation and distribution of Spyeye. Despite this several EU Member States are still actively investigating cases related to Spyeye, although its use is apparently in decline.
Dridex first appeared in circa November 2014 and is considered the successor to the Cridex banking malware. However, unlike Cridex, which relied on exploit kit spam for propagation, Dridex has revived the use of malicious macro code in Microsoft Word attachments distributed in spam in order to infect its victims11. Several EU Member States have encountered Dridex and, although instances are low in number, the sensitivity of the harvested data, increasing degree of sophistication and growing number of cases confirm Dridex is an upcoming threat.
Dyre is a new malware kit which appeared in 2014, using a number of ‘Man-in-the-Browser’ attack techniques to steal banking credentials. Dyre targets over 1000 banks and other organisations including electronic payment and digital currency services, with a particular focus on those in English-speaking countries12. Some campaigns use additional social engineering techniques to dupe their victims into revealing banking details13. Dyre is also noted for its ability to evade popular sandbox environments used by researchers to analyse malware14 and by its ability to download additional malware payloads onto an infected system such as the Cryptowall ransomware15.
Tinba, the truncation of ‘tiny banker’ - referring to its small file size (~20kb) - first appeared in 2012. Tinba has been noted as largely targeting non-English language countries such as Croatia, Czech Republic16 and Turkey17. The source code for Tinba was leaked in 2014 allowing its ready-made code to be used by other cybercriminals for free.
First encountered in 2010, Carberp was initially found to be only targeting Russian-speaking countries but was later modified to additionally target Western financial organisations18. The Carberp source code was leaked in June 2013.
Torpig was originally developed in 2005 and was mainly active circa 2009. Torpig is installed on a system's Master Boot Record allowing it to execute before the operating system is launched making it harder for anti-virus software to detect19. Several European countries have active Torpig investigations however numbers are low and decreasing.
Shylock first appeared in 2011 and used advanced ‘Man-in-the-Browser’ attacks to steal financial data and make fraudulent transactions. Shylock is a privately owned (by its creators) financial Trojan and as such its use and distribution is highly constrained. It is not available for purchase on underground markets20. Despite successful disruption activity, several EU Member States still report significant Shylock activity.
In July 2014, a UK-led operation resulted in the seizure of command and control (C2) servers and domains associated with the operation of a Shylock botnet consisting of 30 000 infected computers. The malware campaign had largely targeted customers of UK banks. The operation involved cooperation between several other jurisdictions, private sector companies and CERT-EU, and was coordinated by EC3 at Europol.
Click here to open this table
