Malware infections

These are just some of the millions of malware threats that are out in the wild today.

Name Device #Devices Attack vector Malicious acts
Chalubo Internet-facing SSH servers on Linux-based systems. Chacha runs on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC ? Brute forcing login credentials against an SSH server followed by a layered approach to dropping malware components SYN flood attacks against a single IP address
PowerPool Microsoft Windows OSes from Windows 7 to Windows 10 ? Targeted approach via email attachments. A simple back door is installed that takes a screenshot of the display. If the machine seems to contain for the attackers interesting information, a second back door is installed with privilege escalation, after which open source tools are used for further information gathering.
GandCrab Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10 It infected around 50,000 systems in first three weeks of Q1 alone Distributed via malicious email attachments disguised as receipts. The infection chain begins when a user clicks on the Captcha field for the PDF document which initiates the download of a word document. If macros are enabled to run, GandCrab is downloaded and installed on the victim’s machine via PowerShell. After launch, it scans all available drives, including network and cloud storage, to determine which files will be encrypted (personal photos, documents and music), encrypts the chosen files and appends the .GDCB extension to encrypted files and then shows a ransom demanding payment.
Dead Battery Anxiety Android 60.000 and counting … The initial infection vector for this malware is a pop-up ad that the battery may be having issues and is running down too quickly. The malware determines the brand and model of the device by parsing the user-agent server-side and embeds the info in the script that renders the pop-up. The ad offers to solve the problem by connecting the user with a power saver app or to cancel out of the deal. Whatever choice is made, the user is sent to the Google Play store. If the victim decides to install the power saver app he or she must give the app permissions … The malware controls the phone, a small ad-clicking back door is installed, the ad-clicker steals information, including IMEI, phone numbers, phone type/brand/model, location, etc., and the phone is registered with a command and control server and starts to look for ad-clicking assignments which will generate income for the malware creators.
VPNFilter Routers, network-attached storage devices (made by Linksys, MikroTik, Netgear, TP-Link, and on network-attached storage devices from QNAP). 500,000 home and small-enterprise routers in at least 54 countries. The initial infection vector for this malware is currently unknown. The malware can manipulate the affected routers for attacks, collect research and communications, steal key credentials, monitor SCADA protocols, and install a kill command that leaves the infected devices unusable, triggered individually or en masse.
AdultSwine Android According to Google Play’s data, the apps have been downloaded between 3 and 7 million times. ~60 gaming apps from Google Play, many aimed at children. Once downloaded, the malware displays pornographic ads, which also attempted to scare users into installing fake security applications and buy worthless services.
FalseGuide Android ~2 million in 2017 and another 2 million in 2018. Was disguised as a game guide for ~40 popular games such as Pokemon GO and FIFA Mobile in 2017. Two new malicious apps containing the FalseGuide code were uploaded to the Google Play store at the beginning of April 2018. The app asked for admin privileges and then used the granted rights to register with Firebase Cloud Messaging. It then used the service to send and receive messages containing additional malware and instructions.
CloudAtlas alias Inception Windows PCs and Android, BlackBerry and iOS devices, but limited to jailbroken iPhones and iPads. Victim counts are very low with Kaspersky counting a total of 37 machines, with 15 from Russia and 14 from Kasazkhstan. A (most likely Russian or Kasakh) diplomat may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on a jailbroken iOS, it triggers the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. CloudAtlas is possibly a reanimated version of Red October. The iOS malware collects the device's ICCID, address book, phone number, MAC address, and other information.