Evolution of Malware and Threat Actors

The world of malware and cybercrime has evolved a great deal in the last decade. The following blog post tracks this evolution, expanding on intelligence accessible through Threat Compass. The more we understand about the motivations and TTPs of threat actors, the stronger defenses we can build against cybercrime.

A potted history

Many years ago, viruses were written primarily so that their authors could gain notoriety. This changed in 2005-2006, when the first malware samples written to turn a profit began to emerge, such as the Zeus banking trojan. From then on, different versions of Zeus appeared and many other banking trojans were born, some even using P2P networks for communication, such as GameOver Zeus (GOZ). Banking malware would become one of the most important areas of cybercrime for several years.

Soon after, cybercriminals started to use stealers such as Pony Loader to collect stolen credentials (we provide an in-depth analysis of this in our report on the Credential Theft Ecosystem, available to download here). Around 2012, the first samples of ransomware appeared, on the whole simply blocking the screen rather than encrypting files.

The first ransomware with disk encryption was CryptoLocker, authored in 2013 by Slavik, a known cybercriminal also responsible for the botnet GameOver Zeus and still at large. CryptoLocker was an example followed by many less sophisticated cybercriminals, who were buying Trojan kits to make some easy money. The cybercriminals dedicated to banking malware were big groups like Dyre (and later TrickBot), Dridex and Gozi, amongst others. You can gain further network insight into Dyre and Dridex in our separate report here.

Meanwhile, the control panels operated by cybercriminals continued to evolve, helping them manage infected computers, or bots. Some of the more advanced groups began to devote more time to exploring the infected computers. By identifying machines belonging to important organizations such as banks, they sought to attempt intrusions and compromises that would yield increasingly large hauls. Thus, groups such as Anunak/Carbanak, Buhtrap or Cobalt began to emerge, some of which are still active today.

Increased attack surface

With the cryptocurrency boom, ransomware gradually took a back seat for less advanced cybercriminals, many of whom opted to use cryptominers as a simpler way to increase profit. Stealers then also adapted to steal cryptocurrency from wallets. A number of factors contribute to the increase in cryptojacking. Simply put, the increasing number of online devices has expanded the attack surface. From a cybercrime perspective, these crimes can be carried out with relative ease – there are open source miners and miners available for sale on the dark web – and with a low risk of being arrested.

However, with the decline in the value of cryptocurrencies it is possible that some of these cybercriminals will return to the use of ransomware or other types of blackmail, and others may also opt for the use of regular stealers or phishing.

As with the number of online devices, mobile applications and sometimes browser extensions also increase the attack surface, so they will always be attractive to cybercriminals. In fact, in recent years we have seen a significant increase in the number of threats targeting mobile devices. We have seen this trend across hundreds of our customers for years, as the growing use of mobile devices for personal and professional communications has made them a target for attackers.

Advanced attacks

Broadly speaking, more advanced cybercriminals continue to distribute their malware today to demand large sums of money from their victims. They continue to deploy ransomware on specific systems, typically using private versions of ransomware to attack large organizations in the hope of making lucrative profits.

Proof of this is the activity of the Dridex Gang, which has been using its BitPaymer ransomware to attack entities such as the Alaskan municipal government and the PGA.

Ransomware attacks must continue to be considered a dangerous and destructive threat to companies in any sector. It must also be noted that the impact goes well beyond the immediate commercial losses, including damage to reputation and liabilities under regulations such as GDPR. Threat intelligence tools can help establish appropriate defense measures before an attack occurs and mitigate its impact when it does happen.

It should also be noted that malware has become not just a profit-turning tool for cybercriminals, but weaponized for espionage or sabotage by nation state actors. Many state-sponsored groups are known to have written malicious code in favor of their national security strategies, including the likes of Stuxnet, Regin (related to the Belgacom compromise) and Duqu.

Defending against malware

The world of malware and cybercrime is a continuous game of cat-and-mouse between attackers and defenders. At the enterprise level, it is vital to know who the adversaries are in order to be able to efficiently defend the infrastructure. Threat intelligence and threat detection services are essential today to reduce digital risk.

Users have more and more information and credentials held by third parties, which inevitably means that these third parties have to ensure their security. However, users can also mitigate the possible compromise of their credentials with a good password management policy: changing them frequently, using robust passwords (more than 10 characters, a mixture of lowercase letters, capital letters, numbers and symbols), avoiding reuse of the same password across different services, etc. We detail these in a separate blog category here.

Indeed, at the user level, good practice is key: keeping equipment and programs updated; installing reliable antivirus software; managing passwords properly; making frequent backups of our data; and, above all, using common sense when operating on the Internet.

Similarly, companies that hold our data must follow good practices when storing this information. Passwords should always be encrypted, and companies should make use of compromised-credential monitoring services where necessary. GDPR protects users and holds companies responsible for the good management and security of their data, imposing high fines if they fail to do so.

Collaboration is key

The world of malware has evolved enormously over the last decade. Cybercriminals have created an ecosystem where they can buy and sell malware and malware-related services, as well as share, collaborate and develop source codes. The cybersecurity industry must also continue to evolve, collaborate and share information between different parties. Efficient collaboration is key in the battle against cybercrime.

Enterprises should never blindly trust a single security measure, because there will always be attackers trying to get around it. That said, detection systems for these types of malware threats are getting better and better, relying on improved sandboxes and on reversing and analysis techniques such as those employed by Blueliv.

Our free proprietary sandbox is available to members of the free Threat Exchange Network, which underlines the importance of the exchange of information in the cybersecurity industry. As vendors continue to improve detection and prevention measures, the protection of digital assets will continue to be strengthened by the rapid exchange of information between defenders.

This blog post was authored by Jose Miguel Esparza, Head of Threat Intelligence.
