Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/24/2020
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Malware Attacks Declined But Became More Evasive in Q2

Most of the malware used in attacks last quarter were designed to evade signature-based detection tools, WatchGuard says.

A new analysis of malware activity during the second quarter of this year uncovered some mixed news for enterprise organizations.

While malware detections in Q2 decreased 8% compared with the previous quarter, attacks involving malware that were not detectable by signature-based antivirus systems jumped 12% during the same quarter. Some seven in 10 attacks that organizations encountered in Q2, in fact, involved malware designed to circumvent antivirus signatures.

Related Content:

Most Cyberattacks in 2019 Were Waged Without Malware

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: Making the Case for Medical Device Cybersecurity

Security vendor WatchGuard recently analyzed malware attack data gathered from nearly 42,000 of its Firebox appliances at customer locations worldwide. Together, the devices blocked more than 28.5 million malware samples representing some 410 unique attack signatures — a 15% increase from Q1.

Corey Nachreiner, CTO of WatchGuard and co-author of the report, says the biggest takeaway from the analysis was the increase in attacks involving malware variants that used so-called "packers" or "crypters" to evade detection mechanisms.

Such tools allow attackers to essentially repackage or obfuscate the same executable in slightly different ways each time so it can be used over and over again against signature-based defenses.

"Repackaging executables used to take some skill," Nachreiner says. "However, the bar has been lowered" for cybercriminals, he says.

Numerous tools and services are available in underground markets these days that allow even low-skilled attackers to acquire subtly modified variants of previously known malware — often for as little as $50 to $200 — and use them in new attacks. Qbot, a threat that has been around since at least 2008, is one of the better known examples of how attackers keep reusing the same malware by constantly tweaking it to evade signature-based tools.

Meanwhile, the 8% percent decline in overall malware detections at the enterprise perimeter that WatchGuard observed last quarter was not entirely unexpected, Nachreiner says. With most organizations shifting to a largely remote workforce in recent months because of the COVID-19 pandemic, attacks on enterprise endpoints declined as well, he noted.

WatchGuard's analysis also revealed an increase in JavaScript-based attacks last quarter, compared with Q1. Nearly one in five of the malware samples that WatchGuard detected and blocked in Q2 involved a scam script called Trojan.Gnaeus. According to WatchGuard, the malware is designed to let attackers hijack a victim's browser and redirect it forcefully from the intended destination to a domain under attacker control. Another JavaScript malware that made WatchGuard's top 10 list last quarter was J.S.PopUnder, a malicious ad-serving tool.

As has been the case for some time now, attackers continued to heavily use Microsoft Office documents and files to conceal and distribute malware. One of the most prolific examples of this past quarter was an XML Trojan called Abracadabra, which was delivered as an encrypted Excel file with the default password for Excel documents, "VelvetSweatshop." The encryption allowed the malware to evade most detection tools, while the default password allowed the file to automatically get decrypted when opened and to download and run an executable.

"The malware used an interesting technique to evade blocks" and was another reminder why traditional signature-based detection is no longer sufficient, Nachreiner says.

Malware still remains a major cause for data breaches. But the number of breaches resulting from malware infections has been gradually declining in recent years. According to Verizon's 2020 Data Breach Investigations Report (DBIR), only 17% of the breaches it investigated last year were malware-related, compared with 45% that were triggered by external hacking and 22% via social engineering.

Compared with 2016, when Trojan-type malware accounted for nearly 50% of the breaches that Verizon investigated, last year the number was about 6.5%. Much of the decline has to do with improved enterprise defenses, which in turn has led to an increase in the use of legitimate, dual-use admin tools and living-off-the land techniques in attacks.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
remmons53
50%
50%
remmons53,
User Rank: Apprentice
9/28/2020 | 11:53:06 AM
It Must Be Time To Retire
In 2004 the major antivirus companies such as Symantic, McAfee, Norton, etc, made a joint announcement that their products' methods of signature identification was no longer sufficient to protect IT environments.  The reason was that it was too easy to "pack" the malware, changing it's signature. They noted that they could provide a temporary delay of malware, to give companies time to patch their systems - the only way to truly protect their IT environment, repair the flaw.  Reading this article was like reading the 'recent discovery' that most security incidents are internal.  I started working IT in 1985 and IT Security in 1992 and that's always been the case.  I think it's time I retire before you folks 'discover' that IBM mainframes are incredibly faster than servers.
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3995
PUBLISHED: 2020-10-20
In VMware ESXi (6.7 before ESXi670-201908101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x before 15.1.0), Fusion (11.x before 11.1.0), the VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to tr...
CVE-2020-7363
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.
CVE-2020-7364
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.
CVE-2020-7369
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version ...
CVE-2020-7370
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of Danyil Vasilenko's Bolt Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Bolt Browser version 1.4 and prior versions.