Kaspersky Lab has found a growing demand for malware that is flexible enough to perform almost any task, while downloads of remote access trojan (RAT) families have also grown significantly in the first half of 2018.
In a botnet activity analysis of over 150 malware families and their modifications circulating through 600,000 botnets in H1 of 2018, Moscow-headquartered Kaspersky found versatile malware increasingly favoured by botnet customers.
“A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans,” said Alexander Eremin at Kaspersky Lab.
He added: “While this ability in itself allows [a] botnet owner to switch between different ‘active’ malicious business models, it also opens an opportunity for a passive income: the owner can simply rent out their botnet to other criminals.”
Kaspersky Lab tracks the activity of botnets using a technology that emulates infected computers (bots) to retrieve operational data about the actions of botnet operators.
There is no shortage of infectious riches to distribute – the company identified 13,858 unique malicious file downloads in the first half of 2018. The table to the left shows the Top 10 malware types downloaded by botnets so far this year, according to Kaspersky.
In terms of territorial distribution of control servers, the backdoor NjRAT claimed the “most international” prize, with C&C centers in 99 countries. Kaspersky ascribed the geographical scope to “the ease of configuring a personal backdoor, allowing anyone to create their own botnet with minimal knowledge of malware development.”
Remote Access Trojan Activity on the Rise
The share of detected Trojans – responsible for the BackSwap banking malware increasingly used against financial institutions – crept up overall from 32.89 percent to 34.25 percent. In comparison, the share of single-purpose malware distributed through botnets dropped. Spamming bots, for example, fell from 18.93 percent in H2 2017 to 12.23 percent in H1 2018.
Some 22.46 percent of all unique malicious files distributed through Kaspersky Lab were banking Trojans; this compared to 13.25 percent in H1 2018. DDoS bots also dropped, from 2.66 percent in H2 2017 to 1.99 percent in H1 2018.
Kaspersky added that the only type of single-purpose malware to demonstrate significant growth were miners.
Last month, Kaspersky reported that mobile banking Trojans reached an all-time high in the second quarter of 2018, peaking at over 61,000 — a three-fold growth over Q1 2018. Mobile malware such as Trojans are being disguised as apps, and are overlaying interfaces on top of a banking app’s interface to steal information, Kaspersky said.