Top malware threats to watch: CryptoWall, Jellyfish, Demon, and Moose

Posted by Paul Hanley on Jul 2, 2015 8:50:00 AM

MalwareIt’s becoming more and more commonplace to read headlines reporting the latest and “greatest” security breach affecting a major corporation. Target, Home Depot, Anthem, and even the United States government have all been affected by cybercriminals hacking into their system and exploiting their sensitive information.

While these attacks are becoming more frequent, they’re also becoming more sophisticated. Cloud computing has made it easier for cybercriminals to infiltrate systems and obtain sensitive information. Of these cybercriminals, malware authors are key players. They’re creating new software used to steal this information, and they’re perfecting the variants of malware that already exist. To understand these developments, let’s look at the top three types of malware IT service providers and SMBs need to be aware of today.

Veteran malware: CryptoWall

In early 2014, CryptoWall became well known as the latest ransomware with the potential to make a big impact on consumers and businesses. In fact, in just over a year since its inception, CryptoWall has totaled more than $18 million in losses

Originally, security experts thought this type of malware emerged as a poorly designed copycat of its predecessor CryptoLocker. In hindsight, the authors of CryptoWall were likely testing its effectiveness during this time and making improvements based on what they learned.

Not only has CryptoWall remained relevant, it’s also become easier to deploy and harder to track. Just a few months ago, CryptoWall 3.0 emerged as the next generation of the malware, and these latest versions are using new methods to infect systems. So, even though CryptoWall has been around for more than a year, the developers are findings ways to improve it and continue to make it one of the most effective and lucrative variants of malware.

To avoid a CryptoWall attack, be cautious of downloading attachments or clicking on advertisements that look suspicious and may be infected. Also, keep your antivirus software up to date, and be sure to back up your data. If you’re attacked, your files will be encrypted, and you’ll be forced to pay the ransom. But, if you’re prepared, you can simply restore from your backed up data. 

GPU-based malware: Jellyfish rootkit and Demon keylogger

As older types of malware become more sophisticated, new threats continue to emerge. Jellyfish and Demon are two new variants that are surfacing. Both of are proofs of concept that we can expect to hear more about soon.

Jellyfish is a rootkit, a type of software that can open a backdoor into an operating system for the deployment of other types of malware, such as CryptoWall. This Linux-based GPU (graphics processor unit) rootkit embeds itself in an OS kernel and runs on the graphic cards within the system.

Demon, on the other hand, is a type of malware known simply as a “keylogger.” This type of software tracks the keystrokes on a computer, so it can detect usernames and passwords that are typed on a computer.  Demon uses the direct memory access available to a GPU to access the system’s keyboard buffer, which allows it to track things almost as fast as they can be typed.

Besides the obvious issues Demon and Jellyfish present, because the malware is GPU-based, its code can be cross-platform. This means the malware authors only have to write the code once and they can easily deploy it across a variety of systems. The only OS-specific code would be the loading program itself, which is relatively trivial in comparison.  

Both Jellyfish and Demon are significantly faster and harder to detect than your run-of-the-mill malware because they are GPU-based. Because they’re proof-of-concept malware, no one knows exactly what impact they’ll have on cybersecurity. The fact of the matter is that no one is ready for them. We can expect to see more variants of them as integrated GPUs such as those in Intel’s Broadwell or the upcoming Skylake-series CPUs start performing on par with dedicated units.

Internet of Things malware: Moose

We can expect to see an up-and-coming malware called Moose develop into the first wave of what could become a sizable cyber threat. This proof-of-concept malware targets cable and DSL modems, home routers, embedded computers, Linux-based operating systems, and potentially anything connected to the Internet. It then turns those devices into a proxy network for launching fraudulent social networking accounts.

Moose also relates directly to the rise of the Internet of Things (IoT). The number of network-enabled devices is rapidly increasing, and security is not keeping pace. This means there’s no easy way to patch security vulnerabilities in these smart devices.

For example, a “smart refrigerator” doesn’t have a sequence of updates like a Windows operating system would. This leaves the device vulnerable to cybercriminals. And it’s already happening. A  smart refrigerator was infected with Moose malware and delivered 750,000 malicious emails.Tweet: True story: A smart refrigerator was infected with Moose malware and delivered 750,000 malicious emails. #IoT

Attackers are starting to catch onto the fact that these Internet-connected devices don’t have any security measures in place to prevent them from gaining access. As they begin learning more about the vulnerabilities and infrastructure of these devices, it’s a sure bet that they’ll target them as easy prey.

While the Moose malware wasn’t specifically designed to target IoT devices, it could infect a number of such devices, including ones commonly used in the healthcare industry. Many modern hospitals use EKG machines, pulse oximeters, and oxygen monitors to administer care. With the development of the Internet of Things, these devices have now become network-enabled.

For this reason, service providers operating in the healthcare IT industry need to be particularly aware of Moose malware. Developers of these medical devices are often rushing to get things to market rather than worrying about the security. So, it’s up to IT providers to protect their customers from these threats. This means informing their customers of such vulnerabilites and helping them to protect their critical devices. 

IT service providers need to be informed

We’ve only touched the surface on CryptoWall, Jellyfish and Demon, and Moose. But, it’s already clear to see that IT service providers need to be aware of these malware threats. It’s also imperative for organizations to back up their business critical data offsite, and those who don’t risk their livelihood. In the wake of a cyber attack or other data loss event, having their data backed up is essential to a business’s survival.

Take our malware quiz:  How well do you know the latest malware threats?  

Image curteosy of Stuart Miles at

Topics: Malware, Cyber Security

Which Data Loss Gremlin Is Targeting You
MSP Health Check
MSP Phishing Quiz
Intronis Local Lunches
MSP Marketing Assessment