Global cybercrime actors generally adhere to the same principle as a handyman: If it's not broken, don't fix it. But that's not so easy when malware works in one region and attackers want to use it to target a new audience or geography.

Moving malware across borders to a new target geography means spending more resources on everything: from a relatively easy change to the malware configuration file, to the acquisition of new target email lists and new spam delivery mechanisms, an understanding of local banks' authentication requirements, the recruitment of local money mules, and the development of webinjections that match the transaction flow of each targeted bank.

Testing the Waters

After the initial investment and the establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs first deploy small-scale infections in a new geography and check the malware's operation to ensure it works before ramping up to a large deployment. They do this to estimate the potential for success in the new geography and to reduce the risk of being caught early on; for astute observers, these small test campaigns foreshadow a bigger wave of the same malware.

TrickBot, which emerged in August 2016, went through exactly this kind of testing and development period: its operators turned it into a full banking Trojan and worked out the bugs before deploying it at scale in the U.K. and other English-speaking countries. It then promptly moved on to Germany.

Growing Attack Sophistication, or Just Growing Attacks?

In some geographies, such as Brazil, local cybercriminals are collaborating with their more advanced counterparts in other parts of the world to learn how to improve their own malware. In other cases, fraudsters are taking old tactics such as phishing and elevating them to new heights. A recent study reported that more than half of companies saw an increased rate of phishing attacks in 2016 compared with the previous year.

Even classic malware such as ransomware is morphing into more targeted cyber extortion, as seen in the case of TeamXRat in Brazil. This group moved from banking malware to ransomware, infecting Brazilian hospitals after gaining access through remote desktop protocol (RDP) brute-force attacks.
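The RDP brute-force entry vector mentioned above is one of the few parts of this story a defender can detect directly from default Windows logging. The following is an added example, not code from the original article or from any vendor: it runs a simple sliding-window rule over constructed Windows Security log records (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), flags source addresses that exceed a failure threshold, and notes whether a successful RDP logon followed the burst, which is the signal that distinguishes "someone is knocking" from "someone got in". The threshold, window and sample addresses are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Fields mirror the
# Windows Security log: id 4625 = failed logon, 4624 = successful logon;
# logon_type 10 = RemoteInteractive (RDP), 3 = network logon (e.g. SMB).
SAMPLE_EVENTS = [
    # Burst of failed RDP logons from one source, then a success
    {"time": "2016-09-20T02:00:01", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-20T02:00:09", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-20T02:00:17", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2016-09-20T02:00:25", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2016-09-20T02:00:33", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2016-09-20T02:00:41", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2016-09-20T02:01:05", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    # Network (SMB) logon failure from the same source: not RDP, ignored here
    {"time": "2016-09-20T02:00:02", "id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "administrator"},
    # Legitimate user who mistyped a password twice, then logged in
    {"time": "2016-09-20T08:15:00", "id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
    {"time": "2016-09-20T08:15:12", "id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
    {"time": "2016-09-20T08:15:30", "id": 4624, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
    # Low-and-slow: five failures spread over 40 minutes
    {"time": "2016-09-20T03:00:00", "id": 4625, "logon_type": 10, "src": "192.0.2.9", "user": "administrator"},
    {"time": "2016-09-20T03:10:00", "id": 4625, "logon_type": 10, "src": "192.0.2.9", "user": "administrator"},
    {"time": "2016-09-20T03:20:00", "id": 4625, "logon_type": 10, "src": "192.0.2.9", "user": "administrator"},
    {"time": "2016-09-20T03:30:00", "id": 4625, "logon_type": 10, "src": "192.0.2.9", "user": "administrator"},
    {"time": "2016-09-20T03:40:00", "id": 4625, "logon_type": 10, "src": "192.0.2.9", "user": "administrator"},
]


def _ts(event):
    """Parse the record's ISO-8601 timestamp into a datetime."""
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def find_rdp_brute_force(events, threshold=5, window_minutes=5):
    """Return {src: summary} for sources with at least `threshold` failed RDP
    logons inside any sliding window of `window_minutes`. The summary records
    the accounts tried and whether a successful RDP logon followed the burst."""
    window = timedelta(minutes=window_minutes)
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=_ts)
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the window spans at most window_minutes
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst = fails[start:end + 1]
            burst_end = _ts(fails[end])
            # First successful RDP logon from this source at or after the burst
            success = next((e for e in evs if e["id"] == 4624 and _ts(e) >= burst_end), None)
            alerts[src] = {
                "failed_attempts": len(fails),
                "burst_start": fails[start]["time"],
                "burst_end": fails[end]["time"],
                "targeted_users": sorted({e["user"] for e in burst}),
                "success_after": success["user"] if success else None,
            }
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(src, info)
```

With the defaults, only 203.0.113.7 is flagged, and the alert carries the detail that the "backup" account succeeded after the burst. The 192.0.2.9 source shows the rule's blind spot: a per-source threshold misses low-and-slow or distributed guessing, so a production rule should also count failures per target account across all sources. Two practical caveats: failed-logon auditing must be enabled for 4625 to be written at all, and on hosts with Network Level Authentication enabled, RDP failures commonly surface as LogonType 3 rather than 10, so the logon-type filter should be widened accordingly.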

Major Global Cybercrime Players Remain Active

The big names of malware families that topped the charts in 2016 are familiar. Based on data from IBM X-Force and IBM Trusteer, Zeus, Neverquest, Gozi and Dridex were the most active by attack activity across the world in 2016.

Zeus continues to be the malware that keeps on giving. After its source code leaked, it was incorporated into or used as the foundation for other malware, including Ramnit in 2011 and Zeus Panda, Zeus Sphinx and FlokiBot in 2016.

By looking at nearly 300 million protected endpoints across the globe, IBM Trusteer and IBM X-Force monitor the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing and malicious web content. To learn more about trends in global cybercrime, read the latest IBM X-Force research.
