“SecondWrite is excited to join Polyswarm’s marketplace as an engine. Our mission is to secure computers and networks using our market-leading technology to detect malware. Polyswarm enables us to reach a large community of users and provides us with additional recent samples for our threat intelligence.” stated Rajeev Barua, CEO of SecondWrite.
Verticals Affected: Financial, Various
Victim Location: US, UK, Germany, Canada
Related Malware Families: TrickBot, Ryuk, QakBot, Zloader
A number of threat intelligence companies have recently reported on the return of the Emotet banking trojan. We first saw new variants of Emotet in our marketplace on November 15, 2021, before any industry in-depth analysis reports were released.
Emotet was considered dead after its takedown by law enforcement groups in January 2021. Although leftover samples existed in the wild, there was no network infrastructure to support them. These samples were considered dead and aimless with no real purpose. We are seeing a rise of new, never-before-seen Emotet samples in our dataset. This surge of samples from our different sources have been identified and verified by our researchers as Emotet. These samples are currently highlighted in the Discovery section of our portal as first seen in PolySwarm compared to other scanning services.
Previous versions of Emotet were extremely dangerous because they spread quickly, were difficult to detect, and were used by other threat actor groups to install ransomware, stealers, and other malware. It seems the Emotet group is back with a vengeance and will attempt to operate at the level of its former glory. This could result in widespread infection targeting financial institutions, hospitals, and retailers during the holiday season.
The Emotet banking trojan, first seen in the wild in 2014, was once considered the “world’s most dangerous malware.” The threat actors behind Emotet created an elaborate infrastructure, the notorious Emotet malware botnet. Emotet was used as a loader for other cybercriminals. Emotet gained access to organizations, and the unauthorized access was sold to other criminal groups. TrickBot, QakBot, Zloader, and Ryuk threat actors were known to use the Emotet botnet to gain access to targets.
We are currently tracking all new samples and extracting not only host behavior and command and control network channels, but the different botnet IDs associated with them as well. All of this data and information is available in our datasets for enrichment purposes.
"As a unique malware detection and threat intelligence data platform, PolySwarm's crowdsourced model substantially improves the ability to explore, enrich, and mine malware data, which directly benefits the infosec community. Qi An Xin is excited to partner with PolySwarm to continue to innovate” Liejun Wang, Director of Threat Intelligence at QiAnXin.
QiAnXin has integrated with Polyswam its RedDrip APT scanner (RAS), a detection engine with the ability to scan files and determine the APT group behind the attacks. RAS engine uses a custom file that contains malware patterns to identify the corresponding APT Groups. The insight comes from monitoring and tracking conducted by the RedDrip Team researchers and analysis systems.
“We welcome Qi An Xin as a new participant in PolySwarm’s marketplace. We strive to bring specialized engines that contribute to the ecosystem, and Qi An Xin’s RedDrop APT scanner brings unique insight into Chinese malware and the actors behind them” stated Steve Bassi, CEO of PolySwarm.
About Qi An Xin
We recently completed the “New Engine Claiming and Management” milestone on our development roadmap. Our goal was to make it easier for Engine owners to build, configure and test an engine, and then join the PolySwarm Marketplace, so we’ve completely redesigned the architecture.
Today we introduce a new utility use for PolySwarm’s Nectar token for average users: distributing rewards for security-relevant data about TLS certificates, DNS resolutions, and potentially malicious files encountered in daily computer use. Many of these telemetry sources are already collected from user devices by Antivirus (AV) providers. Still, there are a number of serious issues with how they are collected, how users are compensated for their information, and how these results are shared. By re-imagining how this marketplace works, we can increase collection transparency, fairly compensate all participants in the marketplace, and, most importantly, create a more unified source of security telemetry that will better protect users worldwide.
In our original whitepaper, we discussed the fragmentation of the AV market and how, in its current form, this fragmentation leads to worse outcomes for users in the marketplace. However, this fragmentation is not limited simply to the world of scanner providers: it affects many other parts of the security industry as well. As we built the PolySwarm marketplace, we realized that many of the disparate pieces of security information our customers were trying to connect are often ones that exist, but in practice, are inaccessible due to the fragmentation of the market.
To attack this problem, we are extending our original design and adding a decentralized marketplace for security telemetry. Users will install a browser extension and, later, a system daemon that reports their telemetry, using privacy-sensitive data structures. Telemetry reports are received by Aggregators and are associated with a reporting user’s wallet, allowing querying by PolySwarm’s cyber security focused consumers who pay for query hits in NCT. Everyday users get paid to provide this telemetry, and, Aggregators and backers with NCT get rewarded for timely telemetry that highlights high-priority attacks and under-the-radar malware campaigns.
This new marketplace provides immediate benefits to all participants. Users get more control over their data and are actually compensated for the value they provide, as well as receive early warnings about threats they have encountered. Aggregators are no longer dependent on their own install base for data and earn NCT for providing query computation and telemetry validation. Stakers help the network determine the most useful sources of telemetry and help reduce the threat of spam on the network, for which they also earn a portion of NCT. Finally, Consumers will now be able to access a truly worldwide network to find the data they need to identify and fight emerging threats.
At PolySwarm, our mission is to bring the security community and users worldwide together to fight malware. By leveraging Ethereum’s global, decentralized network, our new marketplace will greatly further our efforts to bring these groups together by enabling (and incentivizing!) everyone to help solve this difficult problem.
Read the whitepaper here
The last 12 months have been intense yet very productive for PolySwarm, as we have scaled our platform, fast-tracked user acquisition and released new key features.
Let’s do a quick recap of what we’ve accomplished before we get into what lies ahead of us.