SophosLabs says look out for Linux IoT, Android and MacOS attacks in 2017
SophosLabs says look out for Linux IoT, Android and MacOS attacks in 2017

SophosLabs 2017 Malware Forecast, released at RSA 2017 in San Francisco, noted that prognostication is never perfect, but it is possible to project a few area that cyber-criminals are likely to concentrate on in the coming year.

The attacks that took place and malware spotted during last several months of 2016 were a harbinger of things to come in 2017, with more IoT attacks, Mac products being targeted and more Android malware.

The report highlighted that cyber-criminals are now exploiting various Linux vulnerabilities in order to gain control of IoT devices to launch DDoS attacks.

“But it's a fair bet that Android and MacOS devices will continue to be heavily targeted, given the success attackers have had thus far. We expect exploits against vulnerable IoT technology to continue on an upward trajectory, with attackers emboldened by the success of campaigns like last October's Mirai assault against Dyn,” the report stated.

SophosLabs researchers spotted the Linux/ DDoS-BI, also known as Gayfgt, malware family as being much more active during the tail end of 2106, a time that coincided with the massive Mirai attacks that took place. This malware scans large IP blocks while attempting to bruteforce Secure Shell (SSH). This tactic allows the malicious actors to find vulnerabilities such as default passwords, out-of-date versions of Linux and taking advantage of the general lack of encryption being used with IoT gadgets.

The increased usage of Linux/ DdoS-BI is sure sign of its effectiveness.

“In terms of frequency, cases of Linux/DDoS-BI have steadily increased since October, with brief drop-offs along the way. It is proving to be resilient. For example, more than a hundred cases were observed by late October and was up to around 150 by mid-November. By mid-December it was over 200, and it was up around 466 the week of January 20 before slightly dropping again,” the report stated.

The report also noted that Android malware usage hit a five year high in 2016 with SophosLabs systems processing more than 8.5 million suspicious Android apps with half being malware or potentially unwanted applications like adware.

“When we look at the top 10 malware families targeting Android, Andr/PornClk is the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%),” the report stated.

As for Mac attacks, SophosLabs noted that while Mac malware is still rare it is far from immune from attacks. Just recently researchers at Synack identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines.

SophosLabs described the Mac malware they have spotted as being technically adept at avoiding detection and is likely intended to exfiltrate data or provide remote access to unauthorized personnel, but this is changing.

The company is keeping a particular eye on OSX/KeRanger-A, which enables a cybercriminal to install ransomware originally designed for use against Windows to work against Macs. The malware can:

  • Trick you into opening a file you are inclined to trust.

  • Install and run the ransomware program.

  • Call home to one of a list of control servers for an encryption key.

  • Scramble files in your home directory and on currently-mounted volumes, adding the extension .encrypted each time.

  • Put a file called README_FOR_DECRYPT.txt in every directory where a file was encrypted.