Hackers revive years-old malware to exploit mass remote working

Strains that rely on social engineering are once again growing in popularity

Hackers are said to be turning to years-old malware strains to provide support for fresh attacks amid the coronavirus pandemic, a new report has claimed.

The tactic is to blame for a sudden surge in the number of remote access trojans, keyloggers, botnets, and spyware tools detected since the start of the year, many of which are regarded as highly dangerous.

Each of these older strains relies on social engineering and phishing campaigns to spread, an approach that is being used to exploit a shift to mass remote working.

The number of detections of NetWiredRC, a backdoor malware that first surfaced in 2014, rose 200% between December and March, according to Malwarebytes' CTNT report. This particular strain has been associated with a number of state-sponsored attacks, including APT33 attacks on organisations in the US, Saudi Arabia, and South Korea.

Researchers also witnessed a 109% increase in the use of the AveMaria remote access trojan between February and March alone, spread using phishing emails that claim to contain information about the effective use of face masks.

In the case of the LokiBot malware, a well-known keylogger and botnet first discovered in 2015, hackers are relying on the unusual tactic of hiding source code inside image files, rather than the PDF and document attachments that remote workers have been told to guard against.

Other examples include AZORult, a four-year-old malware that acts as a downloader for other malware, which is said to be behind the spike in the number of coronavirus-themed emails. This includes an email that claims to be a receipt for a bulk order of ventilators, the attachment to which directs users to a fake Johns Hopkins University coronavirus map application.

It's through fake applications like this that other malware, including the DanaBot strain – which saw a 166% increase between February and March – is spread.

Researchers also recorded a 26% rise in the number of card skimming attacks between February and March, largely driven by a sudden drastic shift towards online shopping.

"Themed phishing campaigns usually don't last too long," explained Malwarebytes in the report. "In fact, once enough information about their existence has been distributed, the attacks will become less effective and we'll see a return to regular attacks, like those pretending to be from a bank or shipping company.

However, the report added that given organisations are likely to ask many of their employees to continue to work remotely, the trend of hackers targeting systems through vulnerable endpoints will also remain.
