Botnet masters are shifting their preference from spreading specific, single-purpose malware toward multifunctional malware, according to a new report by Kaspersky Lab on botnet activity from January through June.
Such malware gives botnet masters, the people who control botnets, full control over infected hosts, and it makes botnets more profitable by creating more opportunities to steal users’ sensitive data.
The report is the result of an analysis of more than 150 malware families and their modifications circulating through 60,000 botnets globally.
Alexander Eremin, security expert at Kaspersky Lab, tells Channel Partners that multifunctional malware is taking the lead because “botnet ownership costs a significant amount of money, and in order to make a profit, criminals should be able to use each and every opportunity to get money out of malware.”
“The most surprising fact we discovered was that the share of banking malware decreased,” he said. “However, we cannot state that this type of malware has become unpopular with criminals, as banking malware is often distributed via downloaders, whose share in analyzed files has increased significantly.”
Remote access tool (RAT) malware provides almost unlimited opportunities for exploiting an infected PC, according to Kaspersky Lab. Since the beginning of 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from a little less than 7 percent to more than 12 percent.
njRAT, DarkComet and NanoCore topped the list of the most widespread RATs. Due to their relatively simple structure, the three backdoors can be modified by experienced or inexperienced threat actors. This allows the malware to be adapted for distribution in a specific region.
Miners were the only type of single-purpose malicious program to demonstrate impressive growth within botnets. Even though their percentage of registered files is not comparable to that of highly popular multifunctional malware, their share increased twofold, which fits the general trend of a malicious mining boom, Kaspersky said.
“Significant growth of miners’ share in files downloaded by bots shows that criminals try to use infected machines as a source of cryptocurrency,” Eremin said. “Files don’t have an impact on a user’s real money, unlike banking malware, but still can lead to an inconvenience in using the infected device. The miner itself can be legal software, as well as a legal password recovery tool we noticed being used by botnet masters to recover victims’ credentials. The challenge is to protect the user from such unwanted installations of legal software.”
Trojans did not demonstrate as much growth as RATs, but their share of detected files still increased from nearly 33 percent in the second half of 2017 to a little more than 34 percent in the first half of 2018. One trojan family can be modified and controlled by multiple command and control (C&C) servers, each with a different purpose, for example, cyberespionage or theft of credentials.
Regarding declines, the share of single-purpose malware distributed through botnets dropped in comparison to the second half of 2017. For example, in the second half of 2017, more than 22 percent of all unique malicious files distributed through the botnets monitored by Kaspersky Lab were banking trojans, while in the first half of 2018, the share of bankers dropped by more than 9 percentage points to approximately 13 percent of all malicious files.
The share of spamming bots, another type of single-purpose malicious software distributed through botnets, also …