Significant increase in spyware, banking trojans and infostealers – Kaspersky



Kaspersky GReAT lead security researcher Maher Yamout
Kaspersky SSA GM Chris Norton
Cybersecurity firm Kaspersky reports that a significant rise in the number of spyware, banking trojans and infostealer cyberattacks was detected in the first quarter of this year, compared with the first quarter of 2024.
Specifically, the number of spyware incidents detected increased by 264% year-on-year, the number of banking trojans detected increased by 136% and the number of infostealer incidents detected increased by 122%, said Kaspersky Global Research and Analysis Team lead security researcher Maher Yamout on September 16.
In sub-Saharan Africa, 42.4-million Web attacks and 95.6-million on-device attacks were detected in the first half of this year. The region recorded more than a doubling in spyware attacks, as well as 64% more password stealer attacks and 12% more backdoor infections compared with the same period of the prior year, he said.
In South Africa, Kaspersky security tools blocked more than six-million online attack attempts on users in the first half of the year, and the threats included phishing scams, exploits, botnets, Remote Desktop Protocol attacks and network spoofing, such as fake WiFi networks.
One in five users in the country, or 20.9%, were targeted, Yamout told South African journalists during a briefing in Melrose, Johannesburg.
During the first half of the year, 10.3-million on-device incidents were blocked, and 21.2% of South African users faced malware delivered via infected universal serial bus drives, compact discs, digital video discs and hidden installers, including ransomware, worms, backdoors, trojans, password stealers and spyware.
Industrial environments also remained a target, with attacks detected against 27.7% of industrial control systems computers in South Africa in the first half of this year.
CREDENTIAL STEALERS
“Infostealers have become mainstream and have become a big trend over the past few years. They are another type of malware that aims to steal credentials from infected devices, including browsers,” he said.
Such malware collects passwords and credentials, which were a gold mine for cybercriminals, and such credentials could be used to target organisations, he said.
During the year, Kaspersky's research exposed SparkCat, which was the first stealer to infiltrate Apple’s App Store, and was also found on Google Play.
The malware scans photo galleries for screenshots containing sensitive data, such as wallet recovery phrases or passwords, demonstrating that storing credentials in images is unsafe.
A related family, SparkKitty, was later observed exfiltrating images and device details via apps distributed through official stores and scam sites, he said.
Kaspersky also collaborated with international law enforcement organisation Interpol to take down a large portion of infostealer infrastructure with people arrested across 26 countries.
“The statistics show the impact of our collaboration, with infections from those groups after the take-down decreasing by 97% compared to before the take-down,” Yamout said.
MACHINE LEARNING
Additionally, cybercriminals are using machine-learning tools to analyse password patterns, which shortens the time their password-cracking tools need to uncover passwords.
Currently, they were not generally using these cracked passwords to target people, but rather were using them to understand the patterns of passwords, as password creation by humans was linked to behavioural patterns, he explained.
This would help them to crack passwords in the future; normally the process could take months, but, if they knew the patterns, then they could crack passwords in a matter of days.
“Infostealers are making a huge impact globally. Expect the use of AI by cybercriminals also to increase. The amount of leaked data they can use is often significant and requires time to analyse. AI can help to expedite this process.
“We have seen a few cases so far and we have announced that some ransomware is using AI to analyse this mountain of data to find the points, or most sensitive data, to apply pressure to elicit the desired reaction,” said Yamout.
“An AI model trained on cybercriminal techniques can find the weaknesses much faster than a human can. What used to take months can now potentially take hours. Advanced Persistent Threat groups could use AI to infiltrate, execute, encrypt and exfiltrate information, potentially within hours,” said Kaspersky sub-Saharan Africa GM Chris Norton.
“The cybersecurity industry is also leveraging these technologies, with 99% of detections made by engines that use neural network techniques. Training these machine-learning models needs to be maintained constantly and, when a security researcher detects a variant of malware that the model does not know, we use it to train the model and enhance it to catch additional malware that displays similar behaviour,” said Yamout.
“It is a game of cat-and-mouse and we have to keep training our models and improving our systems,” he said.
Effective defence combined prevention and response, he advised. It included adopting rigorous patching, strong authentication, limited remote access, endpoint detection and response and extended detection and response solutions, regular backups, and user awareness to blunt phishing-led initial access.
Organisations should aim to reduce the attack surface, and plan for containment. If the controls shorten the time from the first suspicious event to isolation and rollback, then the economics have been changed for the cyberattackers, he added.