
Through the analysis of over 3.9 million posts on underground hacker and malware forums, a new report illustrates the most common malware and threats being discussed.

Over a period of one year between May 2018 and May 2019, Recorded Future's Insikt Group monitored and compiled underground forum discussions to generate a data set showing the most commonly discussed malware and malware categories.

Ransomware most discussed

According to the data compiled by the Insikt Group, ransomware was the most discussed malware category, followed by crypters and trojans.

Top 10 malware category mentions overall

Out of all of the ransomware topics and sales posts, the now-defunct GandCrab was the most discussed individual ransomware family. The rest of the discussion covered well-known ransomware families such as Ryuk, WannaCry, CryptoLocker, and Petya, many of which are no longer being distributed.

Recorded Future also noticed that approximately 50% of the ransomware mentions were for lower-level generic ransomware being sold or discussed. In BleepingComputer's experience, these ransomware infections are typically HiddenTear variants, Jigsaw Ransomware variants, or other no-name ransomware infections built using C#.

"Approximately 50% of the mentions on underground forums in the past year were discussions and sales posts on generic, lower-level ransomware that do not have names or branding."

While ransomware dominated the discussion, the report notes that GandCrab was the only ransomware family to make it into the top 10 discussed malware.

"Additionally, while “ransomware” was the top malware category mentioned on underground forums in the last year, it is worth noting that only one of the top 10 specific malware strains mentioned, GandCrab, is a ransomware strain."

Of the top 10 malware strains discussed, five were Remote Access Trojans, or RATs, namely njRAT, SpyNote, DarkComet, Imminent Monitor, and WARZONE RAT. The rest were two information stealers, Predator the Thief and AZORult, the RDP brute forcer called NLBrute, and a forum spamming tool called XRumer.

Top 10 malware strains overall

Old tools still churning out victims

Discussions showed that attackers are still using malware and attack methods that have been around for years and that should be easily blocked. These tools and methods, though, continue to be discussed as they are still generating victims for the attackers.

"The top 10 graphs also included malware that had been around for over three years, like Gh0st RAT, in addition to malware that is usually detectable with antivirus software or thwarted with good password hygiene. For example, RDPBrute (and its variants) will brute-force usernames and passwords on IPs with open RDP ports to gain initial access on a machine. This tool could be easily thwarted with difficult passwords, or by turning off RDP entirely. However, forum members continue to use this tool (and others) regardless, suggesting that they have been able to successfully infect victim hosts with the above malware."

For example, Gh0st RAT has been available for over three years and should be easily detected, yet it is among the top 3 most discussed malware by Chinese-speaking users in hacker forums.

Furthermore, tools for brute-forcing Remote Desktop Services passwords are also commonly discussed, even though organizations are widely advised to place RDP hosts behind a VPN or, at a minimum, change the port RDP listens on.
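Because the report singles out RDP brute-forcing as an old technique that still works, the natural defensive counterpart is to spot it in the logs before it succeeds. The script below is an added example, not code from the report, Recorded Future, or this article: it parses a constructed, pipe-delimited export of Windows Security failed-logon records (Event ID 4625) and flags any source address that produces many RDP-type logon failures inside a short sliding window. The field layout and the sample lines are constructed for illustration; logon type 10 (RemoteInteractive) and type 3 (Network, which Network Level Authentication failures produce) are the standard Windows logon type codes.

```python
"""Flag RDP brute-force activity from Windows Security failed-logon events.

Added example, not from the report or the article. It assumes a simple
pipe-delimited export of Event ID 4625 records with a timestamp, logon type,
source IP and target account; the field layout and the sample lines below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp | event id | logon type | source IP | target user
SAMPLE_EVENTS = """\
2019-05-01T10:00:01|4625|10|203.0.113.10|administrator
2019-05-01T10:00:02|4625|10|203.0.113.10|admin
2019-05-01T10:00:03|4625|10|203.0.113.10|Administrator
2019-05-01T10:00:04|4625|10|203.0.113.10|root
2019-05-01T10:00:05|4625|10|203.0.113.10|user
2019-05-01T10:00:06|4625|10|203.0.113.10|test
2019-05-01T10:00:10|4625|3|203.0.113.10|backup
2019-05-01T10:05:00|4625|10|198.51.100.7|jsmith
2019-05-01T10:20:00|4625|10|198.51.100.7|jsmith
2019-05-01T10:21:00|4624|10|198.51.100.7|jsmith
2019-05-01T10:30:00|4625|2|192.0.2.44|service_acct
"""

# Logon type 10 = RemoteInteractive (RDP session), type 3 = Network (NLA failures)
RDP_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the export into dicts; skip blank or malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, src_ip, user = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "src_ip": src_ip,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (max_failures_in_window, distinct_users)} for every source
    that produces at least `threshold` RDP logon failures inside one `window`.

    Counting distinct account names per source separates a dictionary or
    password-spray run (many accounts) from one user mistyping a password.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "4625" and ev["logon_type"] in RDP_LOGON_TYPES:
            by_source[ev["src_ip"]].append(ev)

    alerts = {}
    for src_ip, failures in by_source.items():
        failures.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(failures)):
            # Advance the window start until it spans at most `window` of time
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src_ip, (0, 0))[0]:
                users = {e["user"].lower() for e in failures[start:end + 1]}
                alerts[src_ip] = (count, len(users))
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {count} RDP logon failures across {users} account names")
```

On the sample data only 203.0.113.10 is flagged: seven failures against six different account names in ten seconds, which is the pattern the report describes. The single user at 198.51.100.7 who fails twice fifteen minutes apart and then succeeds stays below the threshold, and the type 2 (local interactive) failure is ignored because it cannot have come over RDP. In practice the same logic runs against the exported Security log or a SIEM query rather than an inline string.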

This continued discussion and use of well-known malware and attack methods indicates that organizations and consumers can do better at applying basic security practices and procedures.
