Cyber Threats Snapshot: report into cyber attacks during the second quarter of 2021

28 July 2021

Analysis of the cyber threats registered between April and June 2021, contained in the latest Cyber Threats Snapshot produced by Leonardo's Global Security Operation Centre, highlights some macro-trends: the increasingly pervasive use of malware as a service, and the spread of backdoors and Trojans with an impact on the banking sector. Together, these indicate intense and constant data breach activity.

What is malware as a service and what was new in the quarter?

These are real platforms and software libraries, found on the dark web, that cyber criminals use to conduct very complex attacks. Typically, those who develop these libraries have two sources of funding: the direct sale of the malware, or a percentage of the proceeds of the malicious activity.

The past quarter was characterised by the discovery of new malware and the identification of new modified versions of already known platforms:

  • Snip3, a crypter that performs attacks in stages and can carry other malware;
  • Zeppelin (or Burn), a ransomware which encrypts data on infected machines, demands ransom from victims, and can detect the geographic area of the system under attack, terminating execution when the system is located in specific regions;
  • Matanbuchus Loader, delivered via Excel files and able to execute files, add or modify scheduled activities, or launch customised commands.


Banking Trojans and Backdoors

There was also massive use of backdoors, through which Trojans and other types of malware infiltrated banking systems during the quarter. A backdoor is a component used to bypass system defences, allowing malicious code or software such as Trojans to attempt to steal online bank account credentials. One of these is SolarMarks which, once installed, allows the execution of a series of commands to start downloading additional malware such as banking Trojans.

Some of the banking Trojans detected in the reporting period are:

  • RM3, an update of Ursnif, a malware that was already known but has changed its tactics, techniques and procedures;
  • Bizarro, used against customers of 70 different South American and European banks, and its new variant GootKit, capable of stealing data from the browser, conducting man-in-the-browser attacks, or keylogging, which secretly records everything typed on the keyboard.


Data Breach taking advantage of home working

Finally, this three-month period saw the publication of data obtained through data breaches, which mainly targeted large companies that manage very significant amounts of personal data. One data breach published on a well-known underground forum contained details from 1,200 websites. The trend towards using data breach techniques has been growing steadily since the outbreak of the COVID-19 pandemic, during which a significant number of companies have adopted home working, exposing them to greater cyber risk.

Download the report (Available in Italian only)
