Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:40 PM
Connect Directly

Malware Attacks Declined But Became More Evasive in Q2

Most of the malware used in attacks last quarter were designed to evade signature-based detection tools, WatchGuard says.

A new analysis of malware activity during the second quarter of this year uncovered some mixed news for enterprise organizations.

While malware detections in Q2 decreased 8% compared with the previous quarter, attacks involving malware that were not detectable by signature-based antivirus systems jumped 12% during the same quarter. Some seven in 10 attacks that organizations encountered in Q2, in fact, involved malware designed to circumvent antivirus signatures.

Related Content:

Most Cyberattacks in 2019 Were Waged Without Malware

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: Making the Case for Medical Device Cybersecurity

Security vendor WatchGuard recently analyzed malware attack data gathered from nearly 42,000 of its Firebox appliances at customer locations worldwide. Together, the devices blocked more than 28.5 million malware samples representing some 410 unique attack signatures — a 15% increase from Q1.

Corey Nachreiner, CTO of WatchGuard and co-author of the report, says the biggest takeaway from the analysis was the increase in attacks involving malware variants that used so-called "packers" or "crypters" to evade detection mechanisms.

Such tools allow attackers to essentially repackage or obfuscate the same executable in slightly different ways each time so it can be used over and over again against signature-based defenses.

"Repackaging executables used to take some skill," Nachreiner says. "However, the bar has been lowered" for cybercriminals, he says.

Numerous tools and services are available in underground markets these days that allow even low-skilled attackers to acquire subtly modified variants of previously known malware — often for as little as $50 to $200 — and use them in new attacks. Qbot, a threat that has been around since at least 2008, is one of the better known examples of how attackers keep reusing the same malware by constantly tweaking it to evade signature-based tools.

Meanwhile, the 8% percent decline in overall malware detections at the enterprise perimeter that WatchGuard observed last quarter was not entirely unexpected, Nachreiner says. With most organizations shifting to a largely remote workforce in recent months because of the COVID-19 pandemic, attacks on enterprise endpoints declined as well, he noted.

WatchGuard's analysis also revealed an increase in JavaScript-based attacks last quarter, compared with Q1. Nearly one in five of the malware samples that WatchGuard detected and blocked in Q2 involved a scam script called Trojan.Gnaeus. According to WatchGuard, the malware is designed to let attackers hijack a victim's browser and redirect it forcefully from the intended destination to a domain under attacker control. Another JavaScript malware that made WatchGuard's top 10 list last quarter was J.S.PopUnder, a malicious ad-serving tool.

As has been the case for some time now, attackers continued to heavily use Microsoft Office documents and files to conceal and distribute malware. One of the most prolific examples of this past quarter was an XML Trojan called Abracadabra, which was delivered as an encrypted Excel file with the default password for Excel documents, "VelvetSweatshop." The encryption allowed the malware to evade most detection tools, while the default password allowed the file to automatically get decrypted when opened and to download and run an executable.

"The malware used an interesting technique to evade blocks" and was another reminder why traditional signature-based detection is no longer sufficient, Nachreiner says.

Malware still remains a major cause for data breaches. But the number of breaches resulting from malware infections has been gradually declining in recent years. According to Verizon's 2020 Data Breach Investigations Report (DBIR), only 17% of the breaches it investigated last year were malware-related, compared with 45% that were triggered by external hacking and 22% via social engineering.

Compared with 2016, when Trojan-type malware accounted for nearly 50% of the breaches that Verizon investigated, last year the number was about 6.5%. Much of the decline has to do with improved enterprise defenses, which in turn has led to an increase in the use of legitimate, dual-use admin tools and living-off-the land techniques in attacks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/28/2020 | 11:53:06 AM
It Must Be Time To Retire
In 2004 the major antivirus companies such as Symantic, McAfee, Norton, etc, made a joint announcement that their products' methods of signature identification was no longer sufficient to protect IT environments.  The reason was that it was too easy to "pack" the malware, changing it's signature. They noted that they could provide a temporary delay of malware, to give companies time to patch their systems - the only way to truly protect their IT environment, repair the flaw.  Reading this article was like reading the 'recent discovery' that most security incidents are internal.  I started working IT in 1985 and IT Security in 1992 and that's always been the case.  I think it's time I retire before you folks 'discover' that IBM mainframes are incredibly faster than servers.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
PUBLISHED: 2021-04-22
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
PUBLISHED: 2021-04-22
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.