A Review of the Malwarebytes Cybercrime Tactics and Techniques: Q3 2018 Report

Malwarebytes just released their Q3 2018 Cybercrime Tactics and Techniques report.  There are a ton of fascinating findings; some are what you might expect and others are surprising.

They combined intel and statistics gathered from July through September 2018 from their Intelligence, Research and Data Science teams with telemetry from both consumer and business products, which are deployed on millions of machines.  The report’s top findings include:

  • Businesses took a hit, while consumers took a small breath. Businesses experienced more cybercriminal activity this quarter—with detections trending upward by 55 percent, while consumer detections increased by only 4 percent quarter-over-quarter.
  • Trojans take the top, rising 86 percent from last quarter. Trojans were the number one detection for both businesses and consumers, due in part to the active and widespread Emotet campaign.
  • Ransomware returns with renewed gusto. Ransomware is back with the development of 40 new ransomware variants and an 88 percent increase in detections from last quarter.
  • The Exploit Kit is back, with a new twist! Exploit kits saw their busiest quarter in well over a year, with targeted action continuing in Asia and expanding from South Korea into Japan. Two new exploit kits, Underminer and Fallout, breathed life into an otherwise struggling space, fueling continued EK activity for quarters to come. Instead of being used as a sole weapon, EKs are now adopted as an additional component of web-based attacks.

Overall, the report indicates an increase of five percent or 1.7 million more detections in Q3 than in Q2 with the biggest push this quarter from information-stealing malware—like Emotet and LokiBot.

Our preview of this report created, in our minds, a few more questions that we thought our readers would find interesting – so we asked Adam Kujawa, Director of Malware Intelligence for Malwarebytes to elaborate on a few points.

QUESTION: The report indicates that “businesses saw far more action this quarter than consumers…” Presumably, businesses are better protected, or at least have more sophisticated security, than consumers – so what does this say about our overall war against cybercrime?  Are the bad guys outpacing our technology such that we are losing that war?

Our conclusion that businesses saw more action than consumers is based on what our business customers had detected trying to infect their networks. So yes, they are better protected, and we see when these attempts get through because of that.  As far as the “cat and mouse” of bad guy vs. good guy, the war on cybercrime isn’t one that is going to end anytime soon.  Bad guys have the benefit of knowing what we are doing and how we are detecting their attempts to infect people, and therefore are able to take that knowledge to craft attacks that evade protection systems. Sometimes this is because of a new exploit or misconfigured servers on a network; other times it’s because an employee fell for a social engineering attack.  In fact, the majority of attacks we see against users, both business and consumer, start off as a cleverly worded e-mail.

We are fighting this war primarily with tech vs. tech: we detect your malware, you modify it so we don’t, then rinse and repeat.  The cyberwar isn’t going to stop as long as users do things like ignore security suggestions, disable or misconfigure security solutions, and zone out during security training.  This is, in fact, one of the biggest challenges of the security industry: how to educate folks who have no interest in security, threats, etc., and get them to protect themselves from a phishing attack as easily as they know to look both ways before crossing.

QUESTION: The report says “Over the last year, malicious cryptomining has increased – although a sharp dive at the end of this quarter has resulted in a 26 percent decrease from Q2 2018.”  Can you speculate as to why the “sharp dive” may have occurred?

So miners had their time in the limelight earlier this year; basically from Oct 2017 to Q2 2018 we observed immense amounts of miners being installed on our users’ systems, on both sides of the fence (business/consumer). However, it has been the increased activity in Q3 from business detections that was the most surprising.  These lines and spikes that don’t seem to follow a pattern are usually indicative of an active campaign spreading the malware heavily.

During the cryptominer domination of the threat landscape earlier this year, the number of detections of miners stayed relatively the same, if not decreasing slightly from month to month.  This is indicative of basically all the bad guys pushing miners at the same time.  After the value of the currency dropped significantly, it no longer seemed like a good investment to try and extract coin from users, who would need to have their systems crunching math problems for the miners for far longer to make it worth the investment.  Considering miners are loud, large, and cause significant performance issues on a system, they are usually easily identified and removed.

As far as the spike in Jul-Aug 2018 and drop in Sept 2018, this is indicative of a campaign trying a last-ditch effort to make some cash by infecting users with miners, by (likely) hiring one of the malicious spam botnet operators to push miners to an immense number of users, since we can see this spike both on the consumer side (which wouldn’t be a big shocker) AND the business side (which is a shocker).

The main factors we believe are involved in the decision to continue pushing miners to users are: A. the value of the cryptocurrency being mined (is it worth it?); B. the investment already made by the criminal; and C. miners may not be the most dangerous thing in the world, but many of them have backdoors and can install additional malware, so continued spreading of them could be more of a red herring than a true effort to install miners.

QUESTION: Finally, the report doesn’t address the classical motivators, i.e., Terrorists, Hacktivists, Nation States, and Criminals.  Is the report only focused on criminal activity?  It would be interesting to know if you have a view as to how these motivational categories have changed over time.

Our focus with this report is to identify trends and new tactics used by cybercriminals.  We don’t focus on the folks behind the malware as much with this report: attribution is usually difficult or impossible due to the nature of staying anonymous online, attribution can be political in nature, and at the end of the day, attacks by Terrorists, Hacktivists and Nation States are rarely a concern to your regular business and consumer user.  Much larger concerns revolve around the flood of information-stealing malware, like banking trojans, new ransomware families that are trying to make a name for themselves, and scams that users often fall victim to.

As far as how those groups have changed over time, we have seen less activity from Terrorists and Hacktivists this year, at least that we are aware of. Plenty of attacks can happen at any time, but if nobody comes out and says “I did this for xyz reason because I am a supporter of xyz,” then you may never know why the attack happened or what happened to any data that was stolen. The group that has been the most active over the last few years has been Nation State actors, who create new and sophisticated malware, utilize zero-day exploits that haven’t been introduced in the wild yet, and are so well resourced that finding their malware is usually a fluke due to a mistake made by the operators of the malware.

State-sponsored malware is one of the most dangerous things we see out there, and not because the malware itself is a threat to all users; in fact, it’s almost never a threat to anyone but a group of targets.  The concern is that once identified, analyzed and written about, the tactics used by these types of malware, which are usually far more advanced than what we currently see, are often employed by malware that is focused on all users.  For example, the NSA exploit ETERNALBLUE, which was used in the WannaCry and NotPetya attacks last year, has been observed being used by multiple malware families this year, including banking malware, ransomware, even miners (many of the vulnerable systems that could have been hit with WannaCry and failed to patch after the fact were infected with miners by criminals using the same exploit methods).

It is certainly one of the more frustrating things we deal with when trying to protect users: the fact that governments, who are supposed to protect people, are often responsible for making the threat landscape worse by not sharing information with vendors trying to help people, or even with the vendors whose products are vulnerable to exploits.  Sure, it’s one thing if the government tries to get intel on a potential target by exploiting a flaw in a piece of software they use; however, the same hole will either be revealed when the malware is found OR just eventually be identified by cybercriminals doing their own research. Either way, a hole has been discovered, and rather than patch and protect, many government organizations hoard the information to themselves.

Follow this link to download your own copy of this report.

By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief