Global cybercrime actors generally adhere to the same principal as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography.

Moving malware across borders to a new target geographic means more resources for everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks’ authentication requirements, new local money mules and the development of webinjections to correspond with the transaction flow for each target.

Testing the Waters

After the initial investment and establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy small rates of infections in a new geography and check the malware’s operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.

The crew operating TrickBot, which emerged in August 2016, launched the malware during a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.

Growing Attack Sophistication, or Just Growing Attacks?

In some geographies, such as Brazil, for example, local cybercriminals are collaborating with their more advanced counterparts in other parts of the world to learn how to improve their own malware. In some cases, fraudsters are taking old tactics such as phishing and elevating them to new heights. A recent study reported that more than half of companies saw an increased rate of phishing attacks in 2016 compare to the previous year.

Even classic malware such as ransomware is morphing into cyber extortion, as seen in the case of TeamXRat in Brazil. This group of attackers moved from banking malware to ransomware as it infected Brazilian hospitals with a remote desktop protocol (RDP) brute-force attack.

Major Global Cybercrime Players Remain Active

The big names of malware families that topped the charts in 2016 are familiar. Based on data from IBM X-Force and IBM Trusteer, Zeus, Neverquest, Gozi and Dridex were the most active by attack activity across the world in 2016.

Zeus continues to be the malware that keeps on giving. After the source code leaked, it was used as the foundation for new malware variants such as Ramnit in 2011 and Zeus Panda, Zeus Sphinx and Flocki Bot in 2016.

By looking at nearly 300 million protected endpoints across the globe, IBM Trusteer and IBM X-Force monitor the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing and malicious web content. To learn more about trends in global cybercrime, read the latest IBM X-Force research.

More from Malware

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today