Global cybercrime actors generally adhere to the same principal as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography.

Moving malware across borders to a new target geographic means more resources for everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks’ authentication requirements, new local money mules and the development of webinjections to correspond with the transaction flow for each target.

Testing the Waters

After the initial investment and establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy small rates of infections in a new geography and check the malware’s operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.

The crew operating TrickBot, which emerged in August 2016, launched the malware during a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.

Growing Attack Sophistication, or Just Growing Attacks?

In some geographies, such as Brazil, for example, local cybercriminals are collaborating with their more advanced counterparts in other parts of the world to learn how to improve their own malware. In some cases, fraudsters are taking old tactics such as phishing and elevating them to new heights. A recent study reported that more than half of companies saw an increased rate of phishing attacks in 2016 compare to the previous year.

Even classic malware such as ransomware is morphing into cyber extortion, as seen in the case of TeamXRat in Brazil. This group of attackers moved from banking malware to ransomware as it infected Brazilian hospitals with a remote desktop protocol (RDP) brute-force attack.

Major Global Cybercrime Players Remain Active

The big names of malware families that topped the charts in 2016 are familiar. Based on data from IBM X-Force and IBM Trusteer, Zeus, Neverquest, Gozi and Dridex were the most active by attack activity across the world in 2016.

Zeus continues to be the malware that keeps on giving. After the source code leaked, it was used as the foundation for new malware variants such as Ramnit in 2011 and Zeus Panda, Zeus Sphinx and Flocki Bot in 2016.

By looking at nearly 300 million protected endpoints across the globe, IBM Trusteer and IBM X-Force monitor the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing and malicious web content. To learn more about trends in global cybercrime, read the latest IBM X-Force research.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today