Crimeware and financial cyberthreats in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023.

  • Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

    Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution has been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed the updates of AcridRain and Racoon stealers, and the remarkable evolution of RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang ransomExx also abuses open source software by recompiling it to load a malicious shellcode; Notepad++ was also used in one of their attacks.

    While there are still top-level threats that are not distributed openly, the vast majority of stealers have become more affordable and cheaper for average cybercriminals, making this threat more likely to evolve even more in the following year.

  • Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

    Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

    Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the freshest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

  • Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

    Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

    Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

  • Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

    Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business in the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations tenfold growth in a month, spreading Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that the Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

  • Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

    Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the last year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans, targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

  • Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

    No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

    No. Mobile malware techniques haven’t changed much in the course of 2022.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

    Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

  • ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

    Yes. As predicted, with the lift of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

    Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

  • With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

    Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbunchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

    At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

    As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

    Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One of such examples is Freeud, a brand-new ransomware with wiper capabilities.