• Home
  • /
  • Malware
  • /
  • Significant changes coming to SA’s threat landscape - Kaspersky

Significant changes coming to SA’s threat landscape - Kaspersky

Kirsten Doyle
By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Nov 2021
Maria Garnaeva
Maria Garnaeva

SA, Kenya and Nigeria are facing a significant change in the cyber threat landscape.

So said Maria Garnaeva, a senior security researcher at Kaspersky ICS CERT team, who was speaking at an event in Johannesburg this week.

Regular, self-propagating malware, she says, is decreasing dramatically, as it isn’t effective any longer because it cannot slip through the security nets. This means that the region will see the growth of new cyber crime models in the upcoming year.

“When looking at the overall number of mass cyber attacks this year, we saw a 7.5% drop in Nigeria, a 12% drop in SA and an unheard of 28.6% drop in Kenya,” she added.

The reason for this was the introduction and popularisation of new cyber crime models in the region, and cyber crime tools becoming more targeted. In addition, she noted a long-standing trend where malware authors rely more on the human factor than the technical advantage of their tools over security solutions.

Anomalous spyware

“This stimulated the evolution of phishing schemes in 2021, and in particular, the region saw a slew of ‘anomalous’ spyware attacks,” said Garnaeva.

She said traditional phishing spyware attack begin when bad actors infect a victim by sending them an e-mail with a malware-laden attachment or a link to a malicious Web site, and end when the spyware is downloaded and activated on the target’s device.

Once he or she has gathered all necessary data, the operator normally ends the operation by trying to leave the infected system undetected.

However, when it comes to anomalous attacks, the victim’s device becomes not only a source of data but also a vehicle to distribute more spyware. Once the malware’s operators have access to the victim’s email server, they can use it to send phishing emails from a legitimate business’s email address.

“The Anomalous spyware attacks have a huge potential for growth in South Africa, Kenya and Nigeria in 2022, because unlike regular spyware the entry level for attackers who wish to employ this tactic is significantly lower  since instead of paying for their own infrastructure, they abuse and employ the victims’ resources. We see that cheaper attack methods have always been on the rise in the region and cyber criminals quickly pick up on new tactics,” says Garnaeva.

Kaspersky advises countries in the region to prepare themselves for attacks of this nature.

Mass scale attacks are transforming

At the same time, Garnaeva warned that mass scale attacks are not disappearing, but rather transforming.

A scourge that is on the rise, she said, are mass-scale and pervasive fake installer campaigns, where fake pirated software sites serve up malware-as-a-service.

These attacks happen when a user looks for a free version of a highly popular, legitimate spyware. Cyber criminals offer them a fake installer using black SEO techniques, that involve the manipulation and abuse of legitimate search engines.

This happens through various techniques, such as keyword stuffing, cloaking, and using private link networks, and results in fraudulent Web sites topping search lists.

In this way, she explained, several dozen malware samples are downloaded and installed with the goal of turning the infected devices into a part of the notorious Glupteba botnet, that is known for its stealthy and sophisticated functionality.

This fake installer campaign and botnet have been extremely active in SA this year, and will continue to evolve, she added.

“While the Glupteba botnet seems to be a threat for consumers, we are still researching it and keeping an eye on its behaviour, since some distributed malware resembles APT-related samples like Lazarus APT group's and were recently used in the largest DDoS attack in Russia,” Garnaeva said.

However, these factors may point to the fact that we are now entering the era where APT actors are starting to use existing malware distribution platforms, which makes an attribution of such attacks even harder, and opens a new vector similar to supply chain attacks, she said.