Cybercriminals develop malware to perform the following malicious activities:

  • Launch DDoS attacks
  • Mine cryptocurrency
  • Steal sensitive information and files
  • Host malware payloads for future operations
  • Take remote control of the device and run additional modules

Safety

  • Users can protect themselves against these attacks by applying security patches to their software and routers.
  • Use strong, unguessable passwords.

Use-after-free vulnerabilities

Memory-corruption bugs that occur when an application references memory that was previously allocated to it but has since been freed. The freed block may already have been handed out again, so the program reads or writes whatever now lives there; the result ranges from a crash to other unintended behaviour, including code execution when an attacker controls the contents of the recycled memory.
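As an added illustration (not code from the original page), the constructed C fragment below shows the vulnerable pattern next to a hardened one. The session struct, the field names and the function names are assumptions chosen for the example: a "logout" frees the session, and the vulnerable caller then reads the freed struct to decide whether the user is an administrator. The hardened version frees through a pointer-to-pointer, nulls the pointer, and treats NULL as "no live session", so a stale use becomes a deterministic failure instead of a read of recycled memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example object: a login session. */
typedef struct {
    char user[32];
    int privileged;
} session_t;

session_t *session_create(const char *user, int privileged)
{
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->privileged = privileged;
    return s;
}

/* VULNERABLE pattern (shown for comparison, never called here):
 * the session is freed on logout, but the same pointer is dereferenced
 * afterwards. Whatever the allocator has since placed in that block is
 * what the privilege check sees. This is undefined behaviour. */
int vulnerable_is_admin(session_t *s)
{
    free(s);               /* logout */
    return s->privileged;  /* use after free */
}

/* HARDENED pattern: free exactly once through the caller's pointer and
 * null it, so later use is a NULL dereference (a crash) rather than a read
 * of freed memory, and a second destroy is a harmless no-op. The memset
 * keeps credentials out of freed memory; a production build would use
 * explicit_bzero/memset_s so the compiler cannot drop the store. */
void session_destroy(session_t **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    memset(*sp, 0, sizeof **sp);
    free(*sp);
    *sp = NULL;
}

/* Returns -1 for "no live session" instead of touching freed memory. */
int safe_is_admin(const session_t *s)
{
    if (s == NULL)
        return -1;
    return s->privileged;
}

/* Worked sequence: create, check, destroy twice, check again.
 * Returns 0 when every step behaves as the hardened design intends. */
int demo_lifecycle(void)
{
    session_t *s = session_create("alice", 1);
    if (s == NULL)
        return 1;
    int before = safe_is_admin(s); /* 1: live, privileged */
    session_destroy(&s);           /* s is now NULL */
    session_destroy(&s);           /* no double free */
    int after = safe_is_admin(s);  /* -1: no session, nothing freed is read */
    return (before == 1 && after == -1) ? 0 : 1;
}

int main(void)
{
    int rc = demo_lifecycle();
    printf("hardened session lifecycle: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Compiling with -fsanitize=address and calling vulnerable_is_admin on a fresh session would report a heap-use-after-free at the `s->privileged` read; the hardened path produces no report because the only pointer to the block is cleared at the moment it is freed.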

QSnatch malware

In the last week of October 2019, the National Cyber Security Centre of Finland (NCSC-FI) spotted the QSnatch malware.
Attackers infected thousands of network-attached storage (NAS) devices from the Taiwanese vendor QNAP with QSnatch. In Germany alone, over 7,000 infections were reported by the German Computer Emergency Response Team (CERT-Bund). Analysis of the malware's code revealed the following capabilities:

  • Extracts and steals usernames and passwords for all NAS users
  • Modifies OS scheduled jobs and scripts (cron jobs, init scripts) to persist across reboots
  • Prevents future firmware updates by overwriting the update-source URLs
  • Prevents the native QNAP Malware Remover app from running

How to remove QSnatch?

  • Perform a full factory reset of the NAS device. The reset removes the running infection but not the weakness that let it in, so complete the remaining steps before exposing the device to the network again.
  • Install the QNAP NAS firmware update released in February 2019, or a later one.
  • Install the QNAP Malware Remover application from the App Center.
  • Remove unknown, unused or hidden applications from the device.

Demo BlueKeep exploit

Security researchers spotted malicious use of the demo BlueKeep exploit (BlueKeep is the nickname given to CVE-2019-0708) released by the Metasploit team in September 2019. It was published to help system administrators test vulnerable systems, but malicious actors used it to break into unpatched Windows systems exposing the vulnerable Microsoft RDP (Remote Desktop Protocol) service and install a cryptocurrency miner. In this campaign the exploit was not used as a self-spreading worm, although the flaw itself is pre-authentication and wormable. It affects Windows 7, Windows Server 2008 R2 and Windows Server 2008. Microsoft released its patch in mid-May 2019.

Raccoon malware-as-a-service

Raccoon appeared in April 2019 and is often distributed via exploit kits, phishing, and compromised software downloads.
The business now generates considerable revenue because it is so accessible to cybercriminals. It has infected hundreds of thousands of Windows users around the world, including in North America, Europe, and Asia.
An easy-to-use information-stealing trojan, Raccoon is a significant threat to web users: it has stolen credit card information, passwords and cryptocurrency from hundreds of thousands of victims. With it, attackers can harvest large amounts of data from individuals or businesses, which they either sell on the dark web or use to conduct further attacks. The underground community bids for this stolen data, which is used for identity theft, financial theft, and as an entry vector into an organization.
Raccoon takes advantage of vulnerabilities in common software through the Fallout exploit kit, which spawns a PowerShell instance from Internet Explorer and downloads the malware while the victim is browsing the web. It is also delivered inside compromised versions of legitimate software downloaded from third-party websites. Once a machine is infected, the malware contacts a command-and-control server to fetch the resources it needs for its malicious activity. It reads the local settings of the target machine and, if the language is Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek, it terminates. Otherwise it steals information from browsers, takes screenshots, collects system information, login information and bank details, monitors email, and steals from cryptocurrency wallets.

Gafgyt IoT malware

Gafgyt forces Wi-Fi routers to join its botnet. The malware exploits vulnerabilities in tens of thousands of Wi-Fi routers and ropes the compromised devices into a botnet whose distributed denial-of-service (DDoS) capacity is sold to cybercriminals. Its main targets are small-office and home routers from well-known brands.
The malware first emerged in 2014. The updated, more aggressive variant adds new capabilities, spreads by killing rival malware on the device it lands on, and targets vulnerabilities in three router families: Huawei HG532, routers built on the Realtek RTL81XX SDK, and Zyxel P660HN-T1A.

Chrome zero-day Malware

(November 01, 2019) Kaspersky researchers Anton Ivanov and Alexey Kulaev discovered and reported an actively exploited Chrome zero-day, CVE-2019-13720, a use-after-free bug in Chrome's audio component. Google disclosed it on Halloween night 2019 and shipped the fix in Chrome 78.0.3904.87 for Windows, Mac, and Linux.

Android 8 (Oreo) or later devices bug

(October 2019) A bug in Android 8 (Oreo) and later lets an attacker plant malware on a nearby phone via the Android Beam OS service. Android Beam lets Android devices send data such as images, files, videos, or even apps (APK files) to another nearby device over NFC (Near-Field Communication) as an alternative to Wi-Fi or Bluetooth.
An NFC connection is initiated when two devices are brought within about 4 cm (1.5 inches) of each other, so the attacker has to physically bring a phone close to the victim's.
NFC is enabled by default on Android smartphones. If Android Beam is also enabled, a nearby attacker can push a malicious APK onto the phone, which leaves millions of users at risk.
Because Android Beam was treated as a trusted source, there is no "install from unknown source" prompt: tapping the notification starts the malicious app's installation. Many users might mistake the notification for one from the Play Store and install the app, thinking it is an update.

Preventive Measure

  • Disable Android Beam and NFC if they are not required. If the phone is used as an access card or for contactless payment, NFC can stay enabled while Android Beam is disabled.
  • Update the phone with the October 2019 security updates, which remove the Android Beam service from the OS whitelist of trusted sources.
  • Starting with Android 8, Google redesigned the mechanism as a per-app security setting: users open "Install apps from unknown sources" and allow specific apps to install other apps. Sources that have not been granted this permission are treated as untrusted and unverified, so an install they trigger must prompt the user.
  • To stay safe, disable both the NFC feature and the Android Beam service.