Malware increasingly spread over infected documents, HP Bromium report
Almost a third of detected threats were previously unknown, claims a newly released HP-Bromium Threat Insights report. The analysis shows increasing use of malware-as-a-service (MaaS) kits and threats remaining undiscovered for days.
The latest quarterly report by HP-Bromium, covering the final quarter of 2020, shows that 29% of captured malware was previously unknown. The high volume of new threats is explained by the widespread use of packers and obfuscation techniques by attackers seeking to evade detection.
The report's authors claim that it shows how malware behaves in the real world: HP’s security product permits the malware to run, tricking it into executing, so that the system can capture the entire infection chain inside micro-virtual machines.
The report found that 88% of malware was delivered by email into users’ inboxes, in many cases having bypassed gateway filters. On average, it took 8.8 days for threats to become known by hash to antivirus engines – giving threat actors a lengthy head-start to further their campaigns.
The report indicated that trojans made up two-thirds of malware samples, and the most common delivery method was email. 88% of detected malware was email-based, with the remaining 12% deployed via web downloads.
The most common types of dangerous attachments were documents (31%), archive files (28%), spreadsheets (19%), and executable files (17%).
“Low-cost MaaS kits are an attractive prospect to cybercriminals, and we have seen these continue to increase in underground forums. Kits like APOMacroSploit, which emerged in Q4 2020, can be bought for as little as $50, illustrating just how low the barrier to entry is for opportunistic cybercrime,” Alex Holland, HP’s senior malware analyst, said in a press release.
The report on data analyzed over Q4 2020 shows that web browser exploits often led victims to pages infected with FickerStealer malware. HP’s analysts observed a campaign that relied on misspelled domains of popular instant messaging services. Once lured in, visitors were redirected to RigEK landing pages that attempted to exploit web browser and plugin vulnerabilities to infect their PCs with the information-stealing malware.
The authors of the report noticed increased activity in the deployment of remote access Trojans (RATs). Perpetrators tricked victims into opening weaponized Excel files that led to the BitRAT Trojan being deployed on their computers.
Other threat actors also used Office products to trick victims into opening infected documents. For example, they used Word documents masquerading as pharmaceutical invoices that run malicious macros only after the document has been closed.
Emotet, a malware network taken down by Europol at the end of January, left its mark on the statistics as well. The authors claim that Emotet’s final burst of activity saw its operators modifying the downloader using DOSfuscation techniques to make its obfuscation more complex. To avoid suspicion, the downloader would generate an error message when opened.
“We have also seen threat actors continue to experiment with malware delivery techniques to improve their chances of establishing footholds into networks. The most effective execution techniques we saw in Q4 2020 involved old technologies like Excel 4.0 macros that often offer little visibility to detection tools,” claims Holland.
According to him, the end of last year saw the largest increase in Dridex campaigns. In such a campaign, threat actors use malicious software that targets banking and financial access and leverages Microsoft Office macros to infect a system. Dridex campaigns grew by a staggering 229%.
“Ultimately, any attacker gaining a foothold on an endpoint is bad news – they can use this access to scrape credentials, move laterally between systems, exfiltrate data, or sell their access to other cybercriminals – so it creates a huge risk for businesses,” he explained.
The authors of the report note that, somewhat worryingly, attackers continue to innovate by finding new ways to bypass detection, for example by increasingly adopting automation. Within a few days of undetected operation, threat actors manage to impact targeted businesses substantially.