Global cybercrime actors generally adhere to the same principle as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography.
Moving malware across borders to a new target geography means spending more resources on everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks’ authentication requirements, new local money mules and the development of webinjections that match the transaction flow of each target.
Testing the Waters
After the initial investment and establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy small rates of infections in a new geography and check the malware’s operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.
The crew operating TrickBot, which emerged in August 2016, ran the malware through a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.
Growing Attack Sophistication, or Just Growing Attacks?
In some geographies, such as Brazil, local cybercriminals are collaborating with their more advanced counterparts in other parts of the world to learn how to improve their own malware. In some cases, fraudsters are taking old tactics such as phishing and elevating them to new heights. A recent study reported that more than half of companies saw an increased rate of phishing attacks in 2016 compared to the previous year.
Even classic malware such as ransomware is morphing into cyber extortion, as seen in the case of TeamXRat in Brazil. This group of attackers moved from banking malware to ransomware as it infected Brazilian hospitals with a remote desktop protocol (RDP) brute-force attack.
Major Global Cybercrime Players Remain Active
The big names of malware families that topped the charts in 2016 are familiar. Based on data from IBM X-Force and IBM Trusteer, Zeus, Neverquest, Gozi and Dridex were the most active by attack activity across the world in 2016.
Zeus continues to be the malware that keeps on giving. After its source code leaked, it was used as the foundation for new malware variants such as Ramnit in 2011 and Zeus Panda, Zeus Sphinx and Floki Bot in 2016.
By looking at nearly 300 million protected endpoints across the globe, IBM Trusteer and IBM X-Force monitor the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing and malicious web content. To learn more about trends in global cybercrime, read the latest IBM X-Force research.
Principal Consultant, X-Force Cyber Crisis Management, IBM