TEMPE, Ariz. and PRAGUE, Nov. 2, 2022 — Avast, a global leader in digital security and privacy, today released its Q3/2022 Threat Report summarizing the cyber threat landscape derived from Avast’s telemetry data and experts’ insights. Avast’s data shows an increase in PC adware activity at the end of September this year. Avast also protected 370% more users from Raccoon Stealer, an information stealer, in Q3/2022 than in the previous quarter. Ransomware attacks increased in some markets such as Canada, Spain, and Germany, but slightly declined at a global level. The chances of mobile users encountering a banking trojan increased by 7% quarter-on-quarter, despite Europol dismantling the Flubot group. Most malicious activities remained stable or declined.
“An interesting trend we observed this quarter was cyber gangs actively crowdsourcing and paying people to support their criminal activities, including the improvement, marketing and distribution of their malware,” said Jakub Kroustek, Avast Malware Research Director. In terms of attacks, we noticed an uptick in DealPly adware towards the end of Q3/2022, a massive spike in Raccoon Stealer infection attempts, increased MyKings botnet activity, and a new botnet called Pitraix, written in Go, gaining a bit of traction. Overall, the volume of cyber attacks remained high, despite cybercriminals appearing to relax a bit over the summer months.”
Ransomware Attacks Focusing on Data Exfiltration
The risk to Canadians encountering ransomware this quarter increased by 16% compared to Q2/2022. In Germany and Spain, people were 12% more likely to encounter ransomware. However, at a global level, people faced a slightly lower risk of ransomware attacks quarter-on-quarter.
“Ransomware strains increasingly use complicated methods of partial encryption, for example, only encrypting the beginning or end of a file, or blocks of files, to rapidly encrypt files, to avoid user detection,” explained Kroustek. “Furthermore, ransomware gangs are now exfiltrating data from enterprises, threatening to publish sensitive files, and then deleting or corrupting the files rather than encrypting them. We also observed an interesting series of events involving the LockBit ransomware group. The events include the group offering bug bounties to those who discover vulnerabilities or deliver ideas to the group, rewards for people tattooing their logo onto their bodies, group members retaliating and leaking code, and a back and forth between the gang and a security company called Entrust.”
Businesses and Governments Targeted by Hacking and APT Groups
Pro-Russian group, NoName057(16), targeted companies such as banks and news agencies, and governments supporting Ukraine throughout Q3/2022. The group uses a botnet of computers infected with Bobik malware to perform retaliatory DDoS attacks. According to Avast’s observations, the group has a 40% success rate, and about 20% of the attacks they claim responsibility for cannot be accounted for in their configuration files. In August, the group announced a new project called DDOSIA, and created a new, private Telegram group with more than 700 members. The DDOSIA project allows anyone on the internet to download a binary through which they can carry out DDoS attacks on sites determined by NoName057(16). In return, they are rewarded cryptocurrencies.
The Gamaredon APT group also targeted Ukraine in Q3/2022, attacking military and government institutions, and foreign embassies. The group introduced new tools to their toolset, including file exfiltration tools, various droppers, and new ways of distributing payloads and IPs of C&C servers.
LuckyMouse, a well-known Chinese-speaking threat group, targeted several government agencies in the United Arab Emirates, Taiwan, and the Philippines. Avast found backdoors on infected computers, password stealers for Chrome, and open-source tools, like BadPotato, which is used for privilege escalation. The attackers likely infected devices through a compromised server.
Other groups Avast researchers are tracking are the Donot Team, also known as APT-C-35, and Transparent Tribe, also known as APT36. The Donot Team was most active in Pakistan in Q3/2022. Avast discovered DLL modules from yty’s framework on several infected devices. Transparent Tribe, believed to be a Pakistani group, continued to attack victims in India and Afghanistan, infecting PCs using spear-phishing and Office documents with malicious VBA macros. Avast researchers identified that the executables belong to the CrimsonRAT strain, Transparent Tribe's custom malware used to access infected networks.
Rise in DealPly, Racoon Stealer, and MyKings
DealPly, adware installed by other malware, peaked at the end of September 2022. The adware is a Chrome extension capable of modifying new pages within the browser and can replace newly-opened tabs, read browser history, change bookmarks, and manage apps, extensions, and themes in the browser. These capabilities allow the cybercriminals behind the extension to modify search results and replace them with ads, read passwords and credit card details stored in the browser and read what users enter in forms (as well as what they filled in in the past).
Raccoon Stealer, an information stealer capable of stealing data and downloading and executing additional malware, made a big comeback in Q3/2022. Avast protected 370% more users from the stealer during this quarter.
“Raccoon Stealer spreads when users attempt to download ‘cracked’ versions of software like Adobe Photoshop, Filmora Video Editor, and uTorrent Pro,” explained Kroustek. “People often ignore or turn off antivirus shields when attempting to download files like cracked software versions, putting themselves at risk of downloading malware like Raccoon Stealer. Malware is often capable of downloading additional malicious programs, which is how DealPly is spread, for example. Therefore, users must install antivirus software and leave protections on at all times.”
While botnet activity stabilized in Q3/2022, MyKings botnet activity increased. MyKings is a botnet focused on stealing cryptocurrencies, active since 2016.
Adware remains the dominant mobile threat, with adware like HiddenAds and FakeAdBlockers prevailing. Avast protected the largest number of people from adware in Brazil, India, Argentina, and Mexico.
Despite Europol’s recent disbanding of Flubot, the global risk of falling victim to a banking trojan went up by 7% in Q3/2022 compared to Q2/2022. Banking trojans are mainly spread via SMS phishing but can also spread via dropper malware.
TrojanSMS, or premium SMS scams, continue to target mobile users, with SMSFactory and Darkherring leading in the category, while UltimaSMS and Grifthorse retired. SMSFactory and Darkherring are distributed via pop-ups, malvertising, and fake app stores. In contrast, UltimaSMS and Grifthorse were distributed on the Google Play Store, but not since Google removed them from the Store.
The Avast Q3/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q3-2022-threat-report/.