Two-stage malware attacks first seen this year will spread in 2022, says a report from Sophos that discusses threats organizations will likely see in the new year.
Unlike a targeted attack, which goes straight to employees of a selected organization, two-stage attacks have two parts: A broad-based attack meant to lure in lots of people, then one that delivers malware only when the unlucky people who stumble into the trap meet certain criteria.
Sophos detected one example this year with the malware it calls Gootloader. It starts with a broad-based attack using malicious search engine optimization techniques, luring in potential victims who might be searching for a specific kind of legal or technical document on Google. A threat actor responds by email or text to the query with a link to a malicious document.
Another threat group spreading the BazarLocker malware sends out spam with invoices for large purchases from a retailer, with a contact phone number that goes to a gang member.
What these strategies have in common is they winnow down the responders to chosen victims. The Gootloader gang only places their search engine “answers” in four languages (English, German, French and Korean) and only replies to messages from people in certain countries and with Windows computers. BazarLocker operators do a profile of the people calling about the alleged invoice before guiding those they determine to be appropriate victims to a website that delivers an infected refund document to be filled out.
“SophosLabs believes that this may represent a novel way for malware distributors to thwart malware researchers while giving themselves a greater degree of certainty that their malware is going to a subset of victims that may be more desirable than the general population,” the report says.
“We expect to see a wider adoption of these techniques with some malware families going into 2022 and beyond.”
Other predictions include
–in 2022 and beyond, the ransomware-as-a-service model will continue to dominate the threat landscape for ransomware attacks. This model permits experts in ransomware construction to continue to build and improve their product, while giving experts in “initial access” break-ins the ability to focus on that, the report argues.
Sophos also expects that extortion over the release of data will continue to be a part of the overall threat posed by ransomware well into the future;
–more Cobalt Strike beacons will be seen. Cobalt Strike is a legitimate tool bought by defenders for penetration testing. But leaked copies of the suite’s source code, cracks in its licensing structure, and pirated full versions of Cobalt Strike have found their way into the hands of threat actors.
Cobalt Strike’s Beacon backdoor is the prize, because it can be configured in several ways to execute commands, download and execute additional software, and relay commands to other Beacons installed across a targeted network. Beacons can be customized to emulate a wide variety of threats.
“Hacked Cobalt Strike suites have become the Saturday Night Specials of cybercrime.” says the report. “They are widely available on underground marketplaces and can be easily customized. There’s ample training and sample configurations available on the internet to make getting started with Cobalt Strike relatively trivial for cybercriminals. And recently, malicious actors have used access to Cobalt Strike’s source code to port its Beacon backdoor to Linux
While many malware operators use backdoors associated with the open-source Metasploit framework, Cobalt Strike Beacons have become the favored tool of ransomware affiliates and access brokers who sell compromises to ransomware gangs and are often seen tied to ransomware execution. Sophos has also seen other malware operators, including the cryptocurrency miner LemonDuck, using Cobalt Strike as part of their access and lateral movement.
–malware families move to a malware distribution network model. Since Emotet’s disappearance early in 2021, SophosLabs has followed along as several other malware families have switched their business model to that of a malware distribution network.
One of the families Sophos most often sees is called IcedID, a spam-delivered malware family that — like Emotet — takes advantage of the fact that millions of PCs are infected with the malware, and whose operators appear to lease out use of portions of those infected computers to push other groups’ malware onto the machines.
The long-lived TrickBot malware also served as a malware distribution platform, even after Microsoft and law enforcement collaborated to take down some of its command-and-control infrastructure. While TrickBot still exists, its creators have moved forward with a next-generation botnet they call BazarLoader, which is used to deliver malware payloads on behalf of both its own operators and other groups.
Likewise, a malware now known as Dridex that has been around for almost a decade is a core piece of Evil Corp’s malware distribution framework.
–attacks targeting both valuable Linux servers and commodity consumer electronics to continue unabated in 2022.
Ransomware attackers have not ignored the potentially lucrative targets that have Linux servers, says the report. A ransomware family called RansomEXX appeared in 2021 that attempts to replicate in the Linux space the success of ransomware attacks targeting Windows endpoints.