Cyber-Criminals to Ramp Up Malware Sophistication in 2016: Report

Criminals are becoming more organized by employing teams of developers that create more sophisticated malware that produces larger monetary gains, states an IBM report.

Malware Evolution 2

Cyber-criminals increasingly used customized malware, software development expertise and knowledge of the financial system to make 2015 an extremely profitable year—a trend that will continue in 2016, according to IBM’s annual threat report, published on Feb. 22.

Using three families of malware—Dyre, Dridex and Carbanak—cyber-criminals have stolen hundreds of millions of U.S. dollars. Over two years, for example, the Carbanak malware infiltrated as many as 100 financial institutions to steal an estimated $1 billion, a brazen heist that came to light last year.

The trend departs from the traditional image of a cybercriminal: The lone, amateur criminal who typically focused on smaller thefts from consumer accounts, Limor Kessem, security researcher for IBM’s X-Force research group, told eWEEK.

The evolution toward more sophisticated, highly organized cyber-crime that results in higher loses will likely continue in 2016, the IBM report stated.

“From the nature of those organized groups, they bring that research and the planning and the resources that … has helped them push their ability to make so much money at once,” Kessem said. “Even just a couple of years ago, we did not see $1 million, $3.5 million and $5 million transfers.”

The maturing of the criminal ecosystem is one of the major trends noted in information security this year, according to IBM. About 18 percent of attacks detected by IBM used some form of malware, representing the largest category of threats recorded in 2015, according to the report. Distributed denial-of-service attacks accounted for about 15 percent of threats and attacks on misconfigured systems and networks for about 8 percent.

In a separate threat report, Dell SonicWALL stated its products had captured 64 million malware variants attacking customers, up from 37 million the year before.

Four families of malware–Dyre, Neverquest, Bugat, also known as Dridex, and Zeus V2 – made up nearly three-quarters of all malware attacks recorded by IBM in 2015.

On its own, the group behind the Dyre malware accounted for 24 percent of attacks detected by the firm. The group, however, has largely been silent since late November. Some media outlets have reported that members of the group have been arrested by Russian law enforcement, but Russian authorities have not confirmed the arrests.

The behavior of the groups behind Dyre and Dridex show significant similarities, suggesting–at the very least–that they may be using the same playbook, Kessem said.

“Everything that Dyre was doing, Dridex was suddenly doing,” she said. “The same techniques, the same sorts of things. The redirection attacks that Dyre came up with, (for example) all the sudden Dridex was launching them.”

With the sudden disappearance of Dyre in November, other malware has topped the charts. Now, Neverquest, Dridex, Zeus V2, and a fourth program, Gozi, make up three-quarters of all attacks, according to Kessem.

IBM’s report focused on a few other areas of the threat landscape as well. The number of vulnerabilities reported during the year did not change in 2015, while mobile malware started taking off, the company said.

The most targeted industries included computer services, which were the victims in more than 30 percent of attacks followed by retail, 15 percent, and healthcare 9 percent.

Both Dell and IBM noted an increase in mobile malware targeting the financial industry.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...