A new analysis of malware activity during the second quarter of this year uncovered some mixed news for enterprise organizations.
While malware detections in Q2 decreased 8% compared with the previous quarter, attacks involving malware that was not detectable by signature-based antivirus systems jumped 12% during the same quarter. Some seven in 10 attacks that organizations encountered in Q2, in fact, involved malware designed to circumvent antivirus signatures.
Security vendor WatchGuard recently analyzed malware attack data gathered from nearly 42,000 of its Firebox appliances at customer locations worldwide. Together, the devices blocked more than 28.5 million malware samples representing some 410 unique attack signatures — a 15% increase from Q1.
Corey Nachreiner, CTO of WatchGuard and co-author of the report, says the biggest takeaway from the analysis was the increase in attacks involving malware variants that used so-called "packers" or "crypters" to evade detection mechanisms.
Such tools allow attackers to essentially repackage or obfuscate the same executable in slightly different ways each time so it can be used over and over again against signature-based defenses.
"Repackaging executables used to take some skill," Nachreiner says. "However, the bar has been lowered" for cybercriminals, he says.
Numerous tools and services are available in underground markets these days that allow even low-skilled attackers to acquire subtly modified variants of previously known malware — often for as little as $50 to $200 — and use them in new attacks. Qbot, a threat that has been around since at least 2008, is one of the better known examples of how attackers keep reusing the same malware by constantly tweaking it to evade signature-based tools.
Meanwhile, the 8% decline in overall malware detections at the enterprise perimeter that WatchGuard observed last quarter was not entirely unexpected, Nachreiner says. With most organizations shifting to a largely remote workforce in recent months because of the COVID-19 pandemic, attacks on enterprise endpoints declined as well, he noted.
As has been the case for some time now, attackers continued to heavily use Microsoft Office documents and files to conceal and distribute malware. One of the most prolific examples of this past quarter was an XML Trojan called Abracadabra, which was delivered as an encrypted Excel file with the default password for Excel documents, "VelvetSweatshop." The encryption allowed the malware to evade most detection tools, while the default password allowed the file to automatically get decrypted when opened and to download and run an executable.
"The malware used an interesting technique to evade blocks" and was another reminder of why traditional signature-based detection is no longer sufficient, Nachreiner says.
Malware remains a major cause of data breaches, but the number of breaches resulting from malware infections has been gradually declining in recent years. According to Verizon's 2020 Data Breach Investigations Report (DBIR), only 17% of the breaches it investigated last year were malware-related, compared with 45% that were triggered by external hacking and 22% via social engineering.
Compared with 2016, when Trojan-type malware accounted for nearly 50% of the breaches that Verizon investigated, last year the number was about 6.5%. Much of the decline has to do with improved enterprise defenses, which in turn has led to an increase in the use of legitimate, dual-use admin tools and living-off-the-land techniques in attacks.