In 2016, researchers uncovered how governments around the world were using a sophisticated espionage tool to spy on their citizens. Several years on – and multiple exposés later – the Israeli spyware known as Pegasus remains active. In recent months, Thai democracy activists were reportedly targeted by the spyware, while India’s prime minister was embroiled in controversy over accusations of using Pegasus to gain leverage for the elections.
Pegasus is spyware, one form of malicious software or malware, the umbrella term for programs or code built to harm computer systems. Malware is designed to invade, damage, or disable digital devices and networks, often by taking partial control of the device’s operations. Once a device is infected, malware can steal, encrypt, or delete data, alter or hijack core functions, and monitor activity without the user’s knowledge or permission.
The COVID-19 pandemic has fueled the rise of malware attacks. With the abrupt pivot to work-from-home setups and online business operations, those who lack basic digital security knowledge or skills are vulnerable to such attacks. According to Deep Instinct’s Cyber Threat Landscape Report, malware increased 358% overall in 2020.
In recent years, countries in South and Southeast Asia were among the hardest hit: in Southeast Asia, three countries – Vietnam, the Philippines, and Indonesia – saw an uptick in mobile malware attacks in 2021. Ransomware was one of the most pervasive malware threats in the region, with over 800,000 attacks detected in 2020, mostly in Vietnam, Indonesia, and Thailand. South Asian countries have also been the subject of attack, with cases of malware targeting over 200 organisations in Bangladesh.
Common types of malware
Though all malware is designed to cause harm, the types differ in how they work and how they spread. Here are some of the most common:
Virus: This is what people most commonly associate with the term ‘malware’. A virus attaches itself to another program or file and runs when the user unknowingly executes its host (for example, by opening a file or plugging in an infected USB drive). It then replicates by modifying other programs and files, and its payload may encrypt, corrupt, delete, or move data.
MyDoom is considered one of the most damaging pieces of malware of all time (it is technically a mass-mailing worm, though it is usually described as a virus). In 2004 it caused an estimated $38 billion in damages and at its peak accounted for roughly a quarter of all email sent worldwide, although it caused comparatively little damage in Asia. Far less prominent than it once was, MyDoom has nonetheless remained active in recent years.
Worms: Like viruses, worms are self-replicating. The key difference is that a worm spreads from system to system on its own, usually over a network, without attaching to a host file. Many worms need no user action at all; others, like the messaging worms below, still rely on the victim clicking a link.
A well-known type of worm in South and Southeast Asia spreads via instant messaging such as Facebook Messenger, WhatsApp, or Skype. Victims receive a message from one of their own contacts with a provocative line or an enticing link (for example “LOL”, “You have to see this!” or “I found your video here”). When the user clicks the link, the same message is sent on to their own contacts. A recent example from the Philippines is an instant messaging worm that spread via Facebook Messenger with a message claiming the user had been spotted in a salacious video.
Adware: This type of malware serves unwanted, and sometimes malicious, advertising on the infected system. Although adware is usually less destructive than other malware, it is far from harmless: “spammy” ads pop up constantly, can noticeably degrade the device’s performance, and may lead users to download more dangerous malware.
Fireball is a well-known adware family that hijacks browsers and can be turned into a fully functioning malware downloader. It is also capable of executing arbitrary code on the victim’s machine, potentially leading to the installation of additional malware or the theft of account credentials.
In 2017, more than 250 million computers and one-fifth of corporate networks around the world were infected with Fireball. Of these, 25.3 million infections were in India and 13.1 million in Indonesia.
Spyware: This type of malware can secretly observe the computer user’s activities without permission and relay this information to the spyware creator.
The most controversial and well-known spyware in recent years is Pegasus, developed in 2011 by the Israeli company NSO Group. Reports by various organisations, including Citizen Lab, have flagged the human rights risks posed by the spyware, particularly to civil society. Among other capabilities, Pegasus can read and copy text messages, track phone calls and location data, activate the device’s microphone and camera, and harvest passwords and other information from installed apps. Recently, there have been reports of state-sponsored cyber-surveillance in several South and Southeast Asian countries, including Thailand, Singapore, and India.
Trojan horse (or trojan): Among the most dangerous malware types, a trojan is disguised as a harmless file or legitimate program to trick users into installing it themselves. Once installed, it gives attackers access to the infected computer to steal information or install further malicious files.
Emotet is an advanced Trojan that began as banking malware targeting banks and their customers and later evolved into a loader used to deliver other malware. It spreads mainly through spam email carrying malicious attachments or links, sent from compromised servers and already infected machines; once it gains a foothold on a system, it downloads and installs additional malicious files. Emotet continues to be active in the Asia-Pacific region, primarily targeting small and medium-sized enterprises in Vietnam, India, and Indonesia.
Keylogger: This type of malware records the user’s keystrokes to gather and steal sensitive information such as usernames, passwords, or credit card details. One example is the Snake Keylogger, which is delivered through a malicious PDF attachment that installs the keylogger. According to Fortinet, this malware can steal saved credentials, keystrokes, screenshots, and clipboard data.
In 2021, four critical infrastructure organisations in Southeast Asia were targeted in an espionage campaign, with attackers deploying keyloggers to steal data.
Rootkits: A rootkit is a set of tools that lets an attacker keep privileged (“root” or administrator) access to an infected system while hiding its presence from the user, from other software, and often from the operating system itself. Because of this stealth, anti-malware software has a harder time detecting and removing rootkits. Rootkits are classified by where they run: user mode, kernel mode, bootloader, memory-resident, and firmware rootkits.
One prominent attack occurred in 2008, when hackers installed rootkits in credit card readers shipped to Europe. The rootkits recorded customers’ card details and sent them to hackers in Pakistan. More recently, a rootkit dubbed CosmicStrand, which lives in the UEFI firmware of the victim’s motherboard and therefore survives reinstalling the operating system, has been targeting victims in China, Vietnam, Iran, and Russia.
Ransomware: This malware encrypts the victim’s files or locks them out of their devices and demands a ransom, usually in cryptocurrency, to restore access. Amid the increase in cybercrime during the pandemic, ransomware has become one of the most prominent threats. In 2021, the Asia-Pacific region experienced a 168% increase in ransomware attacks.
In 2017, a mass cyberattack hit computer systems worldwide. Universities, hospitals, and other organisations in several Asian countries, including Indonesia, China, Singapore, Japan, and Korea, were infected by the ransomware known variously as WannaCry, WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor. Aside from demanding ransom in Bitcoin, the malware had a worm component that exploited a flaw in Windows file sharing (SMB), allowing it to spread rapidly to other machines without any user action.
How to know if your device is infected
The best way to tell if your device is infected is by scanning your system with a good anti-malware program. Here are a few signs that indicate the possibility of malware on your device:
- Your device is not working properly.
Sudden changes in your device’s normal operations may point to a possible malware infection. Your computer or mobile phone may slow down or crash frequently. You may also notice sudden loss of disk or storage space on your device.
- You are getting a lot of annoying ads.
You may notice an increase in ads and pop-ups, often from unknown sources, showing up at random on your device.
- Your system’s Internet activity increases.
Even when you are not doing anything on the computer, you may notice constant upload and download activity happening in the background that uses up a lot of internet bandwidth.
- Your computer settings have changed automatically.
A tell-tale sign of infection: changes in your computer settings and operations without you making these updates. For instance, your browser homepage and default search engine may have changed. You may also find that some programs, like your antivirus software, have stopped working. Unfamiliar apps and programs may also appear when trying to open files.
- You lose access to your files.
You may encounter error messages when trying to open files. Check the icons and file extensions: if these look different from usual (for example, an unfamiliar extension appended to all of your documents, or a “document” that carries an executable extension), this may be a sign of malware infection.
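Two of the tell-tales described above can be checked mechanically: a trojan disguised as a harmless file (see the trojan entry earlier on this page) and documents whose extensions suddenly look different. The script below is an added example, not EngageMedia’s code or part of any anti-malware product. It flags executables hiding behind a document extension (double extensions such as `Invoice.pdf.exe`, a Unicode right-to-left override character that visually reverses the end of a name, or first bytes that contradict the claimed extension) and spots the ransomware pattern of many documents renamed with one unfamiliar appended extension. The extension lists, the `.locked` suffix, and all sample files are constructed for illustration.

```python
"""Added example: file triage for trojan lures and ransomware-style renames.
Not EngageMedia's code; extension lists and sample files are constructed."""
from __future__ import annotations

import tempfile
from collections import Counter
from pathlib import Path

# Extensions that execute on a double-click on a typical Windows desktop (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Document/media types a lure wants the victim to believe the file is (constructed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "jpg", "jpeg", "png", "txt", "zip"}
# Leading bytes (magic numbers) of formats whose claimed type we can verify.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04",
         "xlsx": b"PK\x03\x04", "exe": b"MZ"}
RLO = "\u202e"  # right-to-left override: "photo\u202egpj.exe" renders as "photoexe.jpg"


def extensions(name: str) -> list[str]:
    """All dot-separated suffixes, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    return [p.lower() for p in Path(name).name.split(".")[1:] if p]


def disguised_executable(name: str) -> str | None:
    """Trojan-style lure check on the file name alone; returns a reason or None."""
    if RLO in name:
        return "right-to-left override character hides the real extension"
    exts = extensions(name)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        doc = next((e for e in exts[:-1] if e in DOCUMENT_EXTS), None)
        if doc:
            return f"document extension .{doc} followed by executable extension .{exts[-1]}"
    return None


def content_mismatch(name: str, head: bytes) -> str | None:
    """Compare the claimed type (last extension) with the file's first bytes."""
    exts = extensions(name)
    if not exts or exts[-1] not in MAGIC:
        return None  # type not in our table, nothing to verify
    claimed = exts[-1]
    if head.startswith(MAGIC[claimed]):
        return None
    if head.startswith(MAGIC["exe"]):
        return f"claims to be .{claimed} but begins with a Windows executable (MZ) header"
    return f"claims to be .{claimed} but magic bytes {head[:4]!r} do not match"


def ransomware_rename_pattern(names, min_files: int = 3) -> str | None:
    """Return the appended extension if at least min_files documents share one
    unfamiliar extension tacked on after their original extension."""
    appended: Counter[str] = Counter()
    for n in names:
        exts = extensions(n)
        if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS
                and exts[-1] not in DOCUMENT_EXTS | EXECUTABLE_EXTS):
            appended[exts[-1]] += 1
    if not appended:
        return None
    ext, count = appended.most_common(1)[0]
    return ext if count >= min_files else None


def triage(directory: Path) -> dict:
    """Scan one directory (non-recursive): per-file reasons plus a rename verdict."""
    findings: dict[str, list[str]] = {}
    names: list[str] = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        names.append(path.name)
        with path.open("rb") as f:
            head = f.read(8)
        reasons = [r for r in (disguised_executable(path.name),
                               content_mismatch(path.name, head)) if r]
        if reasons:
            findings[path.name] = reasons
    return {"files": findings, "ransomware_extension": ransomware_rename_pattern(names)}


def demo() -> dict:
    """Triage a constructed sample directory. The 'MZ' stubs are not real programs,
    only the two header bytes every Windows executable starts with."""
    samples = {
        "report.pdf": b"%PDF-1.7 constructed sample",   # benign
        "Invoice.pdf.exe": b"MZ\x90\x00 constructed",    # double extension
        "statement.pdf": b"MZ\x90\x00 constructed",      # executable renamed to .pdf
        "photo" + RLO + "gpj.exe": b"MZ\x90\x00",        # displays as photoexe.jpg
        "budget.xlsx.locked": b"\x00\x01\x02\x03",       # ransomware-style renames
        "minutes.docx.locked": b"\x00\x01\x02\x03",
        "logo.png.locked": b"\x00\x01\x02\x03",
        "notes.txt": b"plain text, nothing to verify",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            (Path(tmp) / name).write_bytes(content)
        return triage(Path(tmp))


if __name__ == "__main__":
    result = demo()
    for name, reasons in result["files"].items():
        print(f"{name!r}: {'; '.join(reasons)}")
    print("appended extension suggesting ransomware:", result["ransomware_extension"])
```

Run against a Downloads or mail attachment folder, the script points at files worth scanning with anti-malware software before opening; it is a triage aid, not a replacement for a scanner, since a genuine executable with a matching extension and a malicious macro inside a real `.docx` both pass these name-and-header checks.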
Protecting yourself against malware
There is no one-size-fits-all solution to prevent malware attacks. Applying good digital security practices is key to decreasing vulnerability and minimising potential harm. You can start by following the tips below:
- Practice digital hygiene in your personal and professional life.
- Use a strong, unique password for each account and enable two-factor authentication where possible.
- Organise your inbox and unsubscribe from junk email.
- Review privacy and security settings on your accounts.
- Encrypt your devices for added security.
- Think before you click. Do not click pop-up ads while browsing the Internet or unverified links in emails, text messages, and social media messages. Before opening email attachments from unknown senders, scan these first with an anti-malware program.
- Keep your system up-to-date and use software from legitimate sources. Always download software from official websites, not those available on peer-to-peer file transfer networks (torrents). Prioritise free and open-source software. For mobile phones, jailbreaking or rooting your device poses security risks – only download apps from the official app stores. Make sure to check the app’s ratings or reviews before installing.
- Keep regular backups. Back up your data regularly, so you have an up-to-date copy of your data if your files become inaccessible. It is recommended to have more than one backup and to keep these in separate locations.
- Antivirus is a must. Use good anti-malware or antivirus software that actively scans and blocks threats. Make sure to keep the antivirus database up-to-date to protect yourself from new and emerging threats.
Practising good digital hygiene is even more critical for civil society groups, non-government organisations (NGOs), and activists, who are especially vulnerable to cyber attacks and other digital threats because of the nature of their work. As they often handle sensitive information and work with at-risk communities, they are specifically targeted by bad actors. There have been reports of such attacks over the years, including a 2012 case of a Thai NGO whose website was hacked to serve malware, and a 2015 report on a targeted attack against an NGO working on environmental issues in Southeast Asia. In 2020, a cyber-espionage group was found to be monitoring the activities of NGOs in South and East Asia.
Minimising these threats to civil society groups will require interventions and collaboration among various stakeholders, including security experts, community leaders, and big tech companies. To effectively fight malware attacks, it is also important to build a strong foundation of digital security practices. This includes being aware of digital threats, implementing individual and organisational policies on using digital devices, reporting threats, and educating others about digital security to create safer spaces for all.
Help spread awareness about these digital safety tips by sharing the infographics below with your networks:
If you would like to translate these graphics into your local languages, reach out to EngageMedia Digital Rights Project Manager Vino Lucero.
Learn more about EngageMedia’s work to enhance digital security for civil society as part of the Greater Internet Freedom program