On the 14th of May, more than two dozen talented musicians from Europe will compete in Stockholm in one of the longest-running television shows in history – Eurovision. For the 61th time, contestants representing members of the European Broadcasting Union will perform an original piece to compete for the jury’s and public’s favor in the event’s final round.
While building a repertoire of elements to demonstrate skill or talent is central to almost any public competition, it is not solely the sound, instruments or originality that count in the grand finale. Showmanship, stagecraft and other elements are also a vital part of the scoring, as globally, hundreds of millions of viewers vote for their favorites.
In contrast to the Eurovision contestants, malware writers try to make their creations as stealthy as possible. But thanks to unique behavior and sometimes even unintended showmanship of their malicious code, they end up in the limelight.
A good example of this is the ransomware Cerber. On top of encrypting files and demanding $500 as ransom for their decryption, it also “speaks” to the victim, thus attracting the interest of both the security community and the public.
According to BleepingComputer.com it repeats a short notice multiple times: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted.”
Unluckily for its victims, Cerber also grabbed our attention by being effective at what it does, primarily encrypting files. To this day, there is no decryptor available for this family of malware.
The Android lock-screen ransomware Jisut demonstrated an even higher level of showmanship, as a portion of its hundreds of variants had the ability to play a specific song. It picked a very famous piece, the theme from the horror movie Psycho, which was directed by Alfred Hitchcock. As a bonus, it also causes the affected device to vibrate in an infinite loop.
Communicating with fans and answering fan mail is a vital part of being a famous artist. Similarly, by implementing a LiveChat feature in their PadCrypt ransomware, cybercriminals realized their need to communicate directly with its audience of victims. Via the live chat, cybercriminals offered detailed instructions on how to proceed with the ransom payment.
Thus it seems there are other areas of show business that inspire malware writers as well. Similar to participants on reality shows, some cybercriminals look for a victim’s “most embarrassing moments”.
This is true especially for spyware families that are able to take control over a smartphone’s mic. Thanks to this ability, they can record or even livestream users’ under-the-shower performances.
Others, like SchwarzeSonne (BlackSun) are more into the “visual arts” and try to hijack webcams. No matter what you do in front of your laptop camera, this spyware can record and publish it online. Some cybercriminals go even further, contacting victims or blackmailing them to keep the footage out of sight.
But being the loudest often doesn’t make the malware in question the most dangerous. Actually, most malicious actors try hard to avoid attention at any cost and aim for a “stealthy performance”.
by Ondrej Kubovic, ESET