Malware Landscape Studies
Malware Landscape studies are examples of how data collected and curated at the Cybercrime Information Center Project (CIC) can be augmented with a classification to assess a complex criminal ecosystem.
Malware Landscape 2023: An Annual Study of the Scope and Distribution of Malware
As reported via EIN Presswire
Interisle reports that malware hosting activity in 2022 was most intense in China, India and United States.
Information stealing and ransomware continue to rise, as does misuse of cloud and file sharing services for malware distribution.
HOPKINTON, MA, USA, March 14, 2023/EINPresswire.com/ -- Interisle Consulting Group today announced the publication of their annual Malware Landscape report, which shows that Malware activity continued to increase in 2022 and that Malware hosting was concentrated in China, India, and the United States.
Interisle reviewed over 7 million reports of distinct malware events from January 2022 to December 2022 collected by theCybercrime Information Center, examining malware that attacks both IoT and user-attended devices (“endpoints”). This year Interisle also studied reports of malicious traffic sources: malware that is used to scan web sites for exploitable vulnerabilities, to inject malicious content into web forms, or to conduct denial of service attacks.
The major findings of the study are:
• Malware activity increased in 2022, continuing the trend from the previous year. Information stealing and ransomware were the dominant malware threats in 2022.
• Endpoint malware activity increased 50% over 2021. The Quackbot banking trojan was the most reported endpoint malware.
• IoT malware activity decreased in 2022. Mozi IoT malware reporting sharply declined in early 2022 but showed signs of renewed activity in 4Q 2022.
• 60% of reports identified malware that attacks or probes legitimate web sites. Nearly two-thirds of the reported probes were vulnerability scanners. PHP forum spammers accounted for one-third of attackware reported.
• Malware hosting activity was most intense in China, India, and the United States.
• The use of domain names in malware URLs grew sharply. Interisle found a 121% increase in the use of domain names in 4Q 2022.
• Attackers continued to exploit file sharing services and code repositories to distribute malware.
Interisle partner Lyman Chapin explains that “malicious traffic source reports show that target identification malware is prevalent and persistent. Second stage attacks to acquire resources for DDOS attacks or exploitation often follow.”
The findings strongly suggest that mitigating malware requires cooperation and determined efforts by all parties that comprise the naming, addressing, and hosting ecosystem exploited by cyberattackers. The Interisle study discusses several means by which coordinated efforts among these parties, law enforcement, and private sector “first responders” could result in more effective malware mitigation.
Dave Piscitello, director of the Cybercrime Information Center and Interisle partner, warns that, "Global patience is wearing thin. Our past studies have been cited by the European Union Internet Governance expert group on DNS Abuse and in lawsuits alleging cybersquatting violations and trademark infringement. Our 2023 report discusses several means by which coordinated efforts among these parties, law enforcement, and private sector first responders could result in more effective malware mitigation. But if cooperation doesn’t mature quickly, we expect to see more regulatory and litigatory activity that seeks to effect change.”
The full text of Interisle’s report is available at https://interisle.net/MalwareLandscape2023.html.
A summary of the study can be found at https://www.cybercrimeinfocenter.org/malware-landscape-2023.
Malware Landscape 2022: An Annual Study of the Scope and Distribution of Malware
As reported via Newswire.com…
NEW YORK, June 20, 2022 (Newswire.com) - In its latest study, Interisle Consulting Group evaluates and provides key insights into the scope and distribution of malware attacks. While studies in recent years have outlined the effects of malware and the consequences of malware infections, Interisle's report instead considers the Internet resources that malware attackers employ and where these malicious programs are hosted.
Having emerged as an organized criminal business, malware has grown to become a global public concern. State actors such as North Korea have been reported to use malware attacks to steal billions of dollars, and Russia deployed destructive malware as part of its incursion into Ukraine. While state-supported and state-sanctioned campaigns have helped generate awareness around malware attacks, both as a law enforcement and a geopolitical issue, this lucrative form of cybercrime remains a rampant problem across a multitude of professional sectors.
Cybercrime, especially malware-related cybercrime, has surpassed fraud as the top predicate offense of concern for corporate compliance teams. Small, midsize, and enterprise-level companies have all suffered extreme financial losses and extended periods of business disruption at the hands of cybercriminals leveraging malicious software such as infostealers and ransomware to execute targeted attacks.
By capturing nearly five million malware reports collected by the Cybercrime Information Center over a 365-day period, Interisle has produced a comprehensive report quantifying how malware perpetrators use Internet resources for nefarious purposes. Interisle's unique malware taxonomy allowed its team to accurately measure and study the most prevalent types of malware, determine where said malware was served from or distributed, and discover which resources criminals were using to carry out their attacks.
The report notes that the most frequently reported malware targets IoT (Internet of Things) devices and that the majority of IoT malware appears to be hosted on networks in the Asia-Pacific region. Per Interisle, networks in the United States and China host the most malware that targets user-attended devices.
"Interisle's report is a comprehensive compilation and presentation on the prevalence of malware. Of particular interest is the focus on a relatively small number of domain registrars and Internet hosting companies that account for a large percentage of the malware sites. This report provides both a basis for comparing changes over time and insight for possible action to mitigate or thwart malware attacks," said Steve Crocker, President Edgemoor Research Institute, Internet pioneer and inductee to the Internet Hall of Fame.
Malware attackers have also made effective use of cloud services, including file-sharing services, code repositories, and storage services. Dave Piscitello, Interisle partner, explains, "Most uses of anonymous file-sharing and code repositories are well-intentioned; however, malware attackers use these services to distribute source code, attack code, and files containing compromised credentials or cryptographic keys."
Cooperative efforts can mitigate malware attacks. Service providers, law enforcement officials, and government agencies must work together to combat cybercriminals. To learn more about the worst malware offenders, the most pressing malware concerns, and what measures are needed to reduce and eliminate malware distribution and growth, please visit https://interisle.net/MalwareLandscape2022.html.
A summary of the study can be found at https://www.cybercrimeinfocenter.org/malware-landscape-2022.
Malware Landscape 2021: An Annual Study of the Scope and Distribution of Malware
Interisle Consulting Group obtained 1,686,033 malware reports collected by the Cybercrime Information Center from January 1, 2021 to June 30, 2021 and from these source or malware reports, created 1,255,598 records suitable for analysis. The purpose of their analyses was to understand what malware was most prevalent, where malware was served from or distributed, and what resources criminals used to pursue their attacks.
For the purpose of this study - and generally, any study of malware - Interisle Consulting Group extended and enhanced a taxonomic ranking of malware proposed by the Computer Antivirus Research Organization (CARO). They then “normalized” metadata provided by two malware feeds ingested by the Cybercrime Information Center so that they could measure “like malware” reported across feeds that used different tag conventions. A description of the taxonomic ranking can be found on the Malware Terminology.
Among the major findings in the Interisle study, Interisle reported that:
Malware that exploits Internet of Things (IoT) devices is the fastest growing category of malware. IoT Malware accounted for 56% of the malware reports we collected.
Mozi malware dominates the IoT malware landscape.
Information stealers and ransomware account for 40% of malware that exploited user devices such as tablets, mobile phones, laptops, and PCs.
Malware attackers use fewer domains but to great effect. Phishing attacks and spam campaigns use large numbers of domain names as “bait”. Internet addresses are more frequently identified as serving up malware than domain names but domains associated with file sharing or storage services can host thousands of URLs that serve up malware.
Domains registered in the new Top-level Domains (TLDs) are disproportionately attractive to malware attackers. The new TLDs represent only 6% of the domain name registration market, but they contained 16% of reported malware domains. By contrast, the country code TLDs represent 43% of the market, but contained only 28% of the malware domains.
Domain registrars with high malware domain counts tend also to have high phishing domain counts.
Malware attackers extensively misuse file sharing services, code repositories, and storage services. While most uses of anonymous file sharing and code repositories are well-intentioned, malware attackers have used these services to distribute source code, attack code, and files containing compromised credentials or cryptographic keys.
Download the Executive Summary or the Full Report from Interisle Consulting Group, LLC.
A summary of the report can be found at the page, Summary of Malware Activity January 1, 2021 - June 30, 2021
Image by Richard Patterson