There is a growing demand around the world for multifunctional malware that is not designed for specific purposes but is flexible enough to perform almost any task.
This was revealed by Kaspersky Lab researchers in a report on botnet activity in the first half of 2018. The research analysed more than 150 malware families and their modifications circulating through 600 000 botnets around the world.
Botnets are large ‘nets’ of compromised machines that are used by cybercriminals to carry out nefarious activities, including DDoS attacks, spreading malware or sending spam. Kaspersky monitors botnet activity on an ongoing basis to prevent forthcoming attacks or to stop a new type of banking Trojan before it spreads.
It does this by employing technology that emulates a compromised device, trapping the commands received from threat actors that are using the botnets to distribute malware. Researchers gain valuable malware samples and statistics in the process.
The first half of 2018 also saw the number of single-purpose pieces of malware distributed through botnets drop significantly in comparison to the second half of 2017. In H2 2017, 22.46% of all unique malware strains were banking Trojans. This number dropped to 13.25% in the first half of this year.
Moreover, the number of spamming bots, another type of single-purpose malware distributed through botnets, decreased dramatically, from 18.93% in the second half of 2017 to 12.23% in the first half of 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66% to 1.99%, in the same period.
The only type of single-purpose malicious program to demonstrate notable growth within botnet networks was miners. Even though their percentage of registered files is not comparable to that of highly popular multifunctional malware, their share doubled, which fits the general trend of a malicious mining boom noted in previous reports.
Alongside these findings, the company noted distinctive growth in malware that is more versatile, in particular Remote Access Tools (RATs) that give cyber crooks almost unlimited opportunities for exploiting infected machines.
Since H1 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from 6.55% to 12.22%, with the Njrat, DarkComet and Nanocore varieties topping the list of the most widespread RATs.
“Due to their relatively simple structure, the three backdoors can be modified even by an amateur threat actor. This allows the malware to be adapted for distribution in a specific region,” the researchers said.
Trojans, which can also be employed for a range of purposes, did not grow as much as RATs, but unlike a lot of single-purpose malware, they still increased from 32.89% in H2 2017 to 34.25% in H1 2018. In a similar manner to RATs, Trojans can be modified and controlled by multiple command and control servers for a range of nefarious activities, including cyberespionage or the theft of personal information.
Alexander Eremin, a security expert at Kaspersky Lab, says the reason multipurpose malware is taking the lead when it comes to botnets is clear. “Botnet ownership costs a significant amount of money and, in order to make a profit, criminals must be able to use each and every opportunity to get money out of malware. A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans.”
In addition to switching between different ‘active’ malicious activities, it also opens an opportunity for a passive income, as the owner can simply rent out their botnet to other criminals, he added.