Botnet distribution of remote access Trojans doubles
Since the beginning of 2017, the number of remote access Trojan (RAT) files found among the malware distributed by botnets has almost doubled, according to a new report.
The botnet activity report from Kaspersky Lab analyzed more than 150 malware families and their modifications circulating through 60,000 botnets around the world.
The growth of multifunctional malware, like RATs, provides almost unlimited opportunities for attackers to exploit the infected PC. Njrat, DarkComet, and Nanocore topped the list of the most widespread RATs. Due to their relatively simple structure, these three backdoors can be modified by experienced or inexperienced threat actors. This allows the malware to be adapted for distribution in a specific region.
"The reason why RATs and other multipurpose malware are taking the lead when it comes to botnets is obvious: botnet ownership costs a significant amount of money and in order to make a profit, criminals should be able to use each and every opportunity to get money out of malware," says Alexander Eremin, security expert at Kaspersky Lab. "A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans. While this ability in itself allows the botnet owner to switch between different ‘active’ malicious business models, it also opens an opportunity for a passive income: the owner can simply rent out their botnet to other cybercriminals."
The only type of single-use malware to show growth is coin miners. Overall, the share of single-purpose malware distributed through botnets has dropped significantly in comparison to the second half of 2017. For example, 22.46 percent of all unique malicious files distributed through the botnets monitored by Kaspersky Lab were banking Trojans in 2017, while in the first half of 2018, the share of these fell to 13.25 percent of all malicious files.
Spam bots decreased significantly from 18.93 percent in the second half of 2017 to 12.23 percent in the first half of 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66 percent in the second half of 2017 to just 1.99 percent in the first half of 2018.
You can read more about the findings on the SecureList blog.