2019: The year in malware

By Jon Munshaw.From ransomware attacks to DNS deception, attackers were just as active as ever in 2019.

This year saw a number of big-name malware families come onto the scene, including Sea Turtle, one of the most high-profile DNS hijacking attempts in recent memory. BlueKeep also stirred up controversy when the RDP vulnerability was first discovered, but researchers are still holding their breath, waiting for the first major exploits to happen.

To recap this busy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

February

Attackers use a malicious PowerPoint presentation to target members of the Tibetan government in the hopes of infecting them with ExileRAT.

March

Talos discovers a new point-of-sale malware for sale online called “GlitchPOS” that is easy enough to use that anyone could set up their own credit card-skimming botnet.

April

Talos publishes a list of malicious groups on Facebook using straightforward names that carry out a range of malicious activities, including the sale of credit card data and other malware services.
A campaign known as “Sea Turtle” expands on the growing popularity of DNS hijacking attacks, spoofing legitimate DNS addresses to target public and private entities, including national security organizations, located primarily in the Middle East and North Africa.
Yet another DNS hijacking campaign, “Karkoff,” shows that the actors behind DNSpionage are retooling their procedures to avoid detection and improve the efficacy of their operations.

May

The Qakbot banking trojan evolves to maintain persistence and potentially evade detection.
Talos discovers “BlackWater,” a trojan that our researchers believed with moderated confidence was associated with the MuddyWater APT.
A “wormable” Microsoft vulnerability called “BlueKeep” is discovered, leading researchers to believe the Remote Desktop Protocol bug could lead to a similar attack to WannaCry. Talos released new Snort rules to protect against this vulnerability and outlined how to defend against it using Cisco Firepower.

June

A threat actor merges together multiple open-source projects to install malware on victims’ machines in a campaign Talos called “Frankenstein.”
Talos publishes the details of the new Spelevo exploit kit, showing that exploit kits aren’t going anywhere.

July

A wave of RATs and information-stealers use the well-known “Heaven’s Gate” exploit to achieve infection.
Sea Turtle returns with new DNS hijacking techniques and a growing pool of targets.
A slew of cities around the U.S., most notably Baltimore, suffer ransomware attacks, causing experts to debate whether it’s ever a good idea for a ransomware victim to pay the extortion payment.

September

After going quiet over the summer, Emotet returns with a new group of IOCs, but the same set of protections as always.
The Tortoiseshell APT uses a fake hiring website targeted toward U.S. military veterans to infect victims with a malware downloader.
The ODT file type becomes increasingly popular among attackers, which can allow malware to avoid traditional detection methods.

October

A rare iOS jailbreak called “checkra1n” hits the scene, leading to some attackers attempting to trick users into downloading a tool that they believe will unlock their devices, but actually just installs malware.
Talos uncovers a group of spyware software that exist in a legal and moral gray area, but attackers have been using to carry out malicious actions.

November

The first reports surface of BlueKeep being exploited in the wild, though there is no evidence to suggest it’s part of a broad campaign.

source: blog.talosintelligence.com