New and old malware are showing increasing sophistication
With as many as one million new malware threats being released each day, it comes as no surprise that many of these viruses are advanced and targeted. CYREN examined the various malware threats that appeared during 2015 and discovered some interesting trends, some new creations, and a few fashion makeovers. Two examples:
Appearing in June 2015, Gunpowder (also seen as Gunpoder) is Android malware distributed via SMS messages through the phone’s contact list, under the message “a fun game ^_^.” Defined as an “information stealer,” its primary purpose is to steal sensitive data from the victim’s phone. Researchers have found this malware in 13 countries and estimate that 49 unique samples of the virus exist. Notably, the malware is programmed to search the Android device to determine if the victim is located in China. If so, the malware does not activate.
The malware arrives hidden in old Nintendo games for Android along with aggressive adware, involving multiple advertising libraries, to obfuscate it and confuse antivirus detection. Unfortunately, because of the advertising components, this malware is still often mistakenly identified as adware.
Upon opening the game for the first time, the user is asked to agree to terms that include accepting ‘pushed’ advertising and collecting information from the device.
The malware author uses an open-source Nintendo emulator for Android called Nesoid (Nintendo NES emulator for Android phones) to run the games, and to program additional features, including inserting an offer in which the victim is asked for a payment to use the cheat feature in the game.
Upon installation, the malware obtains information about the user’s device, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), browser history, and browser bookmarks, among other things.
Unfortunately, because the malware does include actual games and the malicious code is obfuscated by advertising libraries, many victims and antivirus detection organizations have no idea that malware is actually collecting sensitive data.
After the 2014 “Backoff” point-of-sale (POS) malware debacle that infected at least 1,000 major retailers, including Home Depot, Target, and UPS, businesses were hoping that new forms of point-of-sale malware would disappear, at least for a while. Unfortunately, this was not to be the case, as 2015 introduced us to new and more creative forms of POS malware, including variations of “Alina,” originally discovered in 2012. (Security professionals believe that the source code for Alina was sold on the black market, spurring the creation of other POS malware including Sparks, JackPos, and the infamous Backoff.)
Like most POS malware, Alina targets credit card swipe systems by infecting them with a virus that gathers all the credit card data and sends it to a server, where the data is compiled. The data is then sold on the black market by cybercriminals, resulting in card fraud and identity theft. The current version of “Alina” is much like the original, but now also includes new features such as screen capture and keylogging.
Alina uses a memory scraping technique to gather and steal the credit card data. Although most POS systems running Windows OS encrypt credit card data once a payment is processed, the data is briefly available unencrypted in the system’s memory, enabling malware like Alina to capture it by searching memory with regular expressions built from well-documented payment card format standards.
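The same card format standards that a memory scraper relies on are what a defender uses to detect unencrypted card data where it should never appear, for example in a memory dump taken during incident response or in an outbound payload captured at the POS network egress. The following is an added example, not code from the report or from CYREN: it scans a constructed buffer for 13 to 19 digit runs, keeps only those that pass the Luhn checksum (which filters out order numbers and other digit strings), and returns masked results so the detector itself does not log full card numbers. The buffer contents, the terminal name and the track-style record are all constructed sample data.

```python
import re

# Constructed sample of an in-memory buffer or captured outbound payload (not data from the report).
# It contains the well-known Visa test PAN 4111111111111111 inside a track-1-style record,
# plus a 16-digit order id that is not Luhn-valid and must be ignored by the detector.
SAMPLE_BUFFER = (
    b"POS-TERMINAL-07 txn=84213 "
    b"%B4111111111111111^DOE/JOHN^2512101?"   # track-1-style record (constructed)
    b" order_id=1234567890123456 "             # 16 digits, fails Luhn, so not a PAN
    b"amount=42.50"
)

# Candidate PANs: runs of 13-19 digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list[str]:
    """Return every Luhn-valid 13-19 digit sequence found in the buffer, in order of appearance."""
    return [
        m.group(1).decode()
        for m in PAN_CANDIDATE.finditer(buf)
        if luhn_valid(m.group(1).decode())
    ]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual disclosure limit) and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_exposed_card_data(buf: bytes) -> list[str]:
    """Detection entry point: masked PANs found in cleartext, suitable for an alert or log line."""
    return [mask_pan(p) for p in find_pans(buf)]


if __name__ == "__main__":
    for hit in scan_for_exposed_card_data(SAMPLE_BUFFER):
        print("cleartext card data detected:", hit)
```

Run against a real memory dump or packet capture, the same function can be pointed at file chunks; the Luhn filter is what keeps the alert volume manageable, since most long digit runs in a POS environment are not card numbers.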
In April, several new variants of Alina surfaced in the US, Canada, and South America, including FighterPoS. Reports suggest that in the span of just one month, tens of thousands of pieces of credit card data were stolen. The value to the cybercriminal of this new version of Alina should not be underestimated, as security researchers have seen the software being sold underground for as much as $5,000 USD.
In June 2015, security professionals discovered another version of Alina, called MalumPoS. Although it uses the same memory scraping techniques, this malware specifically targets POS software developed by MICROS (owned by Oracle), widely used by hotels, restaurants, and retailers in the US.
While typically POS machines are infected through direct intrusion, such as manual installation via a USB drive or brute-force hacking, in the second half of 2015, CYREN observed other versions of Alina distributed via spam emails with Word and Excel document file attachments.
Prediction for 2016
Ransomware threats will increasingly target mid-tier enterprises. The potential returns from locking a device holding corporate data are much greater than with a consumer device.
Further information about malware in 2015 can be found in CYREN's 2016 Cyberthreat Report.