Cybercriminals who use botnets to conduct their attacks are shifting away from single-purpose malware and starting to focus on distributing malware that can be used for multiple purposes.
Kaspersky Lab researchers analysed 600,000 botnets around the world over the first half of 2018. It found more than 150 malware families, which comprised everything from banking Trojans to Remote Access Tools.
The report’s main findings indicate that the share of single-purpose malware has dropped significantly compared to the last half of 2017. Banking Trojans suffered the greatest drop between H2 2017 (22.46%) to just 13.25% in H1 2018.
Single-purpose malware known as spamming bots also dropped: from 18.93% in H2 2017 to 12.23% in H1 2018, indicating that botnets are distributing less of this particular type of malware.
Botnets were also less-often used to disturbed DDoS bots, as they also dropped from 2.66% in H2 2017 to 1.99% in H1 2018.
However, botnets are increasingly becoming carriers for Remote Access Tool (RAT) malware that is more flexible.
According to Kaspersky Labs, RATs can provide almost unlimited potential for exploiting an infected device.
In H1 2018, botnets distributed almost double the amount of RAT files than in H2 2017 – a jump from 6.55% to 12.22%.
The most common RAT tools include Njrat, DarkComet, and Nanocore. Because they are simple, amateur threat actors can adapt and use them for their own purposes.
“The reason why RATs and other multipurpose malware are taking the lead when it comes to botnets is obvious: botnet ownership costs a significant amount of money and in order to make a profit, criminals should be able to use each and every opportunity to get money out of malware,” comments Kaspersky Lab security expert Alexander Eremin.
“A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans. While this ability in itself allows botnet owner to switch between different ‘active’ malicious business models, it also opens an opportunity for a passive income: the owner can simply rent out their botnet to other criminals.”
To reduce the risk of turning your devices into part of a botnet, users are advised to: