We’re near the end of a very rocky year. COVID-19 was the tip of a very unique iceberg, full of political turmoil, deathly fires, and the economy almost collapsing. What wasn’t unique were the thousands of cyberattacks around the world that seem to get worse every year. And 2020 wasn’t the exception to the rule.

In recent pieces, we predicted certain patterns for top cybersecurity threats, based on research from all around the world. As we arrive at the last quarter of 2020, we decided to check on those predictions, as a sort of malicious software evaluation.

Get those security measures ready, folks. It’s time for threat intelligence.

Phishing Attacks, RATs, and Malware

If there ever is a race for the most complex and rapidly-growing cyber threat of the year, the clear winner would be phishing. Always looking for the weakest link, phishing has become the avenue of choice for most hackers looking for financial gain or an entry point to larger organizations.

But why? Security researchers agree that the social climate was “a perfect storm” for social engineering attacks, phishing, and enterprise malware. As the COVID-19 pandemic spread, several things happened in the workplace. Workers left their safe office environments to coexist in unprotected, vulnerable networks. In some cases, BYOD (bring-your-own-device) policies were put in place. Remote workers with a lack of cybersecurity training became vulnerable to phishing attacks expertly crafted to resemble office logins, emails, and software.

As for the common user, the outlook wasn’t different. Cybercriminals are using machine learning to learn about user behavior, triggering emotional distress with complex attacks. For example, phishing email or SMS campaigns, related to the COVID-19 pandemic or to the tense political climate in the US. 

The malicious payloads in these attacks are even more complex, too. RATs (Remote Access Trojans), especially in phones, have been growing exponentially. Malicious software that needed a deep understanding of code is now in the hands of anyone who can pay it, based on a MaaS (malware-as-a-service) model. RAT attacks are able to exploit RDPs to gain access to endpoints, opening the gates for the phishing flood.

The last trend in cyber threats is the use of the browser. The family of HTML/Phishing attacks –and their relatives HTML/scrinject and HTML/REDIR– have been affecting thousands of websites and browsers worldwide. Hackers are attacking unprotected web traffic, just as workers are dropping corporate, protected networks to work from home. This is a trend that security researchers are expecting to see in 2021, too.

Ransomware

Easy to deploy and a pain in the back to remove, ransomware attacks are more common than ever. As the DBIR suggested, at least one in four cases of malware were ransomware, and the number was expected to grow. As we enter the last quarter of the year, we know the threat of ransomware is growing in scope and sophistication.

The main reason behind the growth of ransomware is how easy it is for hackers to acquire the tools to perform an attack, buying it on a dark web marketplace. In the same way that threats like Cerberus offer themselves to hackers, ransomware like Sodinokibi or Phobos are making huge amounts of money with little effort. RaaS (ransomware-as-a-service) is relatively cheap for inexperienced hackers and can lead to massive profits in cryptocurrency if successful.

Certain ransomware variants are becoming more aggressive, taking notes from the Petya and GoldenEye books. Variants like CoViper have been found to write the Master Boot Record (MBR) of the machines before encryption, a heavily destructive tactic.

The era of State-Backed Attacks

This year, the news cycle has been full of headlines like “state-backed attack”, “hacked by the [insert nation-state here] government”, “cyber warfare” and “cyberterrorism”. And it’s no joke or bad reporting either. Every organization –private or otherwise– that researches cybersecurity threats, agree: nation-state actors are a serious issue. And it all comes down to the rising threat of backed APTs.

APTs, or Advanced Persistent Threats, are like hurricanes. They don’t hit too often, but when they do, expect a trail of destruction behind them. In this case, hacking groups specialized in deep and complex cyberattacks to big organizations are playing the same game of chess between the world powers. Groups in India, China, Russia, Iran –and one can only guess, the US– are hacking strategic targets more than ever, aligned with political and economic goals of their “backing” countries.

Reports from companies like Microsoft have shed some light on how state-backed cyberattacks have been changing their scope this year. Coordinated groups and APTs are targeting health care institutions and organizations in the US, with the objective to perform espionage on its citizens. On the same page, research groups related to the COVID–19 vaccine all over the world have reported attacks from state-backed hackers.

As you may have guessed, these hackers aren’t performing data breaches for petty cash or a couple of credit card numbers. They aren’t using “noisy” methods, either. State-backed APTs prefer a subtle approach, almost like a parasite, accessing foreign systems in a non-obtrusive way. The goal is to exfiltrate as much sensitive information –confidential, financial, private– as possible without being detected. A successful attack also leaves no way to trace it to the nation-state who backed it in the first place, to maintain “plausible deniability” if accused.

IoT Attacks 

As we said, the changes in the workplace caused by the pandemic have been difficult for organizations. Millions are working from home, and the sensitive data that lived in secure work networks is now vulnerable to malicious actors attacking the unprotected devices in our house. And if your company decided that a BYOD policy was the way to go, it’s very probable that certain endpoints aren’t protected either.

Even if these protections are implemented –such as antivirus software or firewalls– as IT managers we can’t meddle too much on the devices our employees use in their homes. The so-called “internet of things” has become not only the latest fad in technology but a cybersecurity trend as well. IoT usage has skyrocketed since the pandemic started, and as new devices rely on our local wi-fi networks to connect, malicious actors rely on their vulnerabilities to access our computers and networks.

A trend is therefore surfacing: IoT devices being breached for malicious purposes. This year, reports of vulnerabilities in these devices show that almost 98% of all internet IoT traffic is unencrypted, and more than half of all Internet of Things devices available on the market are vulnerable to attacks from medium to high severity. This due to the fact that most devices aren’t patched when vulnerabilities are found.

This opens the door to dangerous practices, such as your devices becoming botnets, or performing DDoS attacks (distributed denial of service). Botnets like Mirai, Dark Nexus, Mukashi or LeetHazer are widespread, and one of your IoT devices may be vulnerable to one of them.

Cryptojacking

Dubbed “the silent cybersecurity threat” by many, Cryptojacking is the most important security trend related to cryptocurrency.

Cryptojacking is the unauthorized use of a machine to mine cryptocurrency. It doesn’t have to be a widely used crypto like Bitcoin, Monero, or Ethereum, although it seems to be closely related to them. Cryptojacking attacks have been experiencing a steady rise since 2019, tied to the rise in the price of Bitcoin during 2020.

A cryptojacking attack is usually massive, subtle, and widely distributed. There even is a chance that you mined crypto for someone else without knowing, using the same browser you’re using to read this post. In spite of that possibility, cryptojacking can be much more complex, and tied to the same devices we talked about in the previous section. In fact, IoT devices can be used for cryptojacking, as long as they’re vulnerable.

An attack of this nature –for example, using XSS– is so ubiquitous that can be performed in almost every modern computer language. Cryptojacking attacks can be performed or adapted to Javascript, Python, Golang, Shell, Ruby, and many more. As long as the device can execute commands and spare a little processing power, it can be attacked. 

It’s also very hard to catch: antivirus software isn’t the best in identifying “malicious processing”, or at least differentiating what cores are being used legitimately, and which ones are mining crypto.

If the rising trend of crypto prices keeps going forward, cryptojacking will keep growing too.

Takeaways

Despite the fact that most trends in cybersecurity were similar to 2019, it’s undeniable that the pandemic changed the scope considerably. Malware attacks, ransomware, and phishing are tied to the changes in our behavior, and as we flock to our homes, malicious actors follow and try to enter themselves.

On the topic of threat intelligence, we must be prepared for everything. Data security and encryption are more important than ever. Multiple factors of authentication for all members of our organization is key. We must try to extend the network security we have in our offices to our employees as well.

And as users, we have a duty to stay informed about cyber threats around the world. A proactive mentality against threats is the way forward. Strong passwords, the installation of security solutions in our devices, and taking precautions with our personally identifiable information are good first steps. Remember: anyone can be a victim of cyberattacks.

2020 is the year of the rat, and we actually aren’t talking about the Chinese horoscope. According to several cybersecurity researchers, 2020 has seen an explosive increase in Remote access Trojans, or “RATs”. 

This threat is not minor: a RAT can take control of your computer in the same way that a remote administrator would normally do, using tools such as TeamViewer or VNC. In this case, it’s a malicious control: a RAT steals your personal information trying to carry out bank or identity fraud.

However, and with the migration of PC users to the mobile world, hackers changed their strategy. Now there is a whole series of malware focused on bank credentials and identity theft, especially designed for Android mobile devices. These RATs have reached a high level of sophistication, and most are offered in the form of “malware as a service”, or MaaS.

Between 2019 and 2020 these attacks have become increasingly common. Names like Anubis, Hydra, Ginp, or Gustuff appear on all mobile malware lists on a recurring basis. However, the one that has dominated the arena this year –for several reasons– is Cerberus: a nightmare-inducing rodent.

Cerberus, the king of all RATs

Cerberus is a highly sophisticated Android malware, in circulation since 2019. It has been actively distributed on dark web forums, in a “malware-as-a-service” (MaaS) format. For a sum between $4,000 and $12,000, cybercriminal groups capable of paying it have had all the malware tools at their disposal. And by tools, we mean an arsenal of destruction.

Yesterday was released Cerberus v2 (banking Trojan)

I received their master C&C

Please, don't try to hack it, don't RT so it wont be shared with many skilled whitehat pentesters.#StayHome and don't help to reveal its developers, clients and victims.

reil424lawk6u65o .onion pic.twitter.com/3iaXv3ABG2

— Lukas Stefanko (@LukasStefanko) April 4, 2020

Cerberus was conceived as a run-of-the-mill banking and phishing malware, and seeing Anubis’s success with cybercriminals, the team decided to integrate RAT capabilities into their toolset. Its victim is the banking apps inside your smartphone, but its functionality is much more complex. Like any Remote Access Trojan worth its salt, Cerberus is capable of deep surveillance within your device, interfering with the encrypted communications the phone has with its apps, and outside.

Basically, Cerberus can intercept and steal your phone’s unlock pattern or PIN, as well as Google Authenticator numbers, and any SMS necessary to perform a two-step verification. Likewise, this malware can interpose itself between you and your bank’s app through an overlay, the most common method for carrying out a phishing attack. In short, Cerberus can enter your computer, extract all the necessary data to perform a bank fraud, and wait for the best moment to take the money from your account. All without you doing anything.

Cerberus and its complex functionality

Regarding what Cerberus can do, it is necessary to point out two possibilities within its functionality. We already mentioned that Cerberus is a RAT, but to achieve such control of the phone, it is necessary to have control of a vulnerability. In this case, it is the Android Accessibility Service.

This service, which normally assists users with disabilities in certain applications, is abused by Cerberus to give itself more permissions without user interaction. Having control of the Accessibility Services, the malware proceeds to ensure its persistence in different ways, either by disabling Play Protect or by removing itself from the applications in use.

On the other hand, Cerberus is capable of generating an instance of TeamViewer on mobile, and through the aforementioned Accessibility permissions, authorizing said session while the equipment is in use, all without user interaction. 

From that point, and as soon as the C2 server has the computer’s data, the rest of the functionalities are available to the attackers remotely. Abusing both the Accessibility Service and the TeamViewer session, Cerberus is capable of a lot. Its possibilities include:

• A keylogger
• Listing, retrieval, sending and forwarding of SMS
• Forwarding or transferring calls
• Installation and deletion of apps
• Locking and unlocking the screen (without user interaction)
• Collection of device data
• List of device applications 
• Device file collection and extraction
• Phishing attacks via preloaded overlays
• Various protection capabilities, such as emulation detection

The rocky history of Cerberus

As we mentioned, Cerberus has been on the market for a long time, to the detriment of users and banks alike. However, there are two reasons why it is now a growing concern: on one hand, the rapid evolution of its functionalities and on the other, the release of its source code.

Cerberus was born in 2019 as an espionage suite. While its design made it capable of bank fraud, at the time the malware lacked the level of sophistication required to steal two-step authentication (2FA) data from apps like Google Authenticator. However, a ThreatFabric report analyzed the second version of the malware in early 2020. Cerberus v2 was still in development by the same Eurasian team that brought it to life, with increasingly powerful functionality.

Months later, An Avast team made a disturbing finding. An app for the Spanish market, called “Calculadora de Moneda” (“Currency Calculator”), contained malicious code related to Cerberus in its APK. The app was hosted on the Google Play Store, which supposedly contains software from legitimate and safe sources.

However, after weeks in hibernation, a connection to the attackers’ C2 servers activated code on the app that downloaded another APK containing Cerberus, and the smartphones were infected with the malware.

As the days passed, the Cerberus team became fragmented. In July, the developers decided to leave the project in the hands of anyone who could pay for it. The operators decided to auction everything: the servers, the malicious APK’s source code, and the admin panel codes in addition to the modules. With a profit of aproximately $10,000 per customer, the creators of Cerberus promised potential buyers to recover the expense in no time.

However, the lack of interest –or buyers willing to pay that sum– put the sale at risk. The worst happened a couple of weeks later. Cybersecurity researcher Dmitry Galov revealed that the auction had failed and that Cerberus operators released the source code of the malware. This opened the door to the worst-case scenario: developers taking Cerberus and transforming it into something nasty.

Alien, the new player

It took less than two weeks for another MaaS to take the crown. Alien, considered by experts as a full-blown ‘fork’ of Cerberus, entered the market aggressively after the fall of its predecessor.

The ThreatFabric report on Alien is concerning. Although Alien comes from a different version than the one released, it retains many of the functions that make this type of malware dangerous. First of all, it’s a very streamlined RAT with tons of features. It is also capable of running its own TeamViewer instance, and of displaying fake logins for more than 226 applications. These include not only banking apps, but social media, email, and even popular cryptocurrency wallets.

Alien is distributed in the same way as Cerberus in its early days: through malware forums on the dark web. Its price has not yet been published, but it is believed that it would be similar to Cerberus given the similarity in functionality.

Conclusions

The smartphone malware landscape is becoming more complex as 2020 progresses. Malicious actors are taking advantage of user-authorized vulnerabilities to access our phones, and then exploit all avenues for financial gain. This practice has generated a very profitable market, one that all Android users can fall victim to.

Recommendations for a threat this organized are straightforward. First and foremost, review any application installed on our Android devices, especially the requested permissions. Also, and even if it is used by many applications in a completely legitimate way, it’s necessary to pay attention if a suspicious application needs access to Google’s Accessibility Services.

Along the same lines, there is a need to educate users about the risks of this type of malware, whether personal or work-related. It should not be forgotten: although there are strong economic motivations, malware such as Cerberus is still a powerful spying tool. The coexistence of private data on our mobiles may well be an attack vector for our organizations.