Dark Reading is part of the Informa Tech Division of Informa PLC



Malware Attacks Declined But Became More Evasive in Q2

Most of the malware used in attacks last quarter was designed to evade signature-based detection tools, WatchGuard says.

A new analysis of malware activity during the second quarter of this year uncovered some mixed news for enterprise organizations.

While malware detections in Q2 decreased 8% compared with the previous quarter, attacks involving malware that was not detectable by signature-based antivirus systems jumped 12% over the same period. In fact, some seven in 10 attacks that organizations encountered in Q2 involved malware designed to circumvent antivirus signatures.


Security vendor WatchGuard recently analyzed malware attack data gathered from nearly 42,000 of its Firebox appliances at customer locations worldwide. Together, the devices blocked more than 28.5 million malware samples representing some 410 unique attack signatures — a 15% increase from Q1.

Corey Nachreiner, CTO of WatchGuard and co-author of the report, says the biggest takeaway from the analysis was the increase in attacks involving malware variants that used so-called "packers" or "crypters" to evade detection mechanisms.

Such tools allow attackers to essentially repackage or obfuscate the same executable in slightly different ways each time so it can be used over and over again against signature-based defenses.

"Repackaging executables used to take some skill," Nachreiner says. "However, the bar has been lowered" for cybercriminals.

Numerous tools and services are available in underground markets these days that allow even low-skilled attackers to acquire subtly modified variants of previously known malware — often for as little as $50 to $200 — and use them in new attacks. Qbot, a threat that has been around since at least 2008, is one of the better known examples of how attackers keep reusing the same malware by constantly tweaking it to evade signature-based tools.
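The repackaging problem described above, as an added illustration that is not part of the article or WatchGuard's data: a constructed stand-in for a crypter (hypothetical "STUB" format, made-up payload bytes and signature) beside a scanner that compares raw signature matching with unpack-then-scan and an entropy reading, to show why the same payload slips past a fixed signature on every rebuild.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad executable body (not real malware).
PAYLOAD = b"MZ" + b"known-bad-body: beacon to c2.example.invalid every 60s; " * 6
# What a signature-based scanner keys on: an exact hash and a fixed substring.
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}
SIGNATURE = b"beacon to c2.example.invalid"


def repack(data: bytes, build_id: str) -> bytes:
    """Stand-in for a packer/crypter (hypothetical stub format): XOR the body
    with a per-build key and prepend a stub carrying that key."""
    key = hashlib.sha256(build_id.encode()).digest()  # 32-byte key per build
    body = bytes(b ^ key[i % 32] for i, b in enumerate(data))
    return b"STUB" + key + body


def unpack(sample: bytes):
    """Defender-side generic unpacker for the stub format above; returns None
    when the sample does not carry this stub."""
    if not sample.startswith(b"STUB") or len(sample) < 36:
        return None
    key, body = sample[4:36], sample[36:]
    return bytes(b ^ key[i % 32] for i, b in enumerate(body))


def signature_scan(sample: bytes) -> bool:
    """Pure signature match on the bytes exactly as they sit on disk."""
    digest = hashlib.sha256(sample).hexdigest()
    return digest in KNOWN_HASHES or SIGNATURE in sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; obfuscated bodies score well above plain code or text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(sample: bytes) -> dict:
    """Layered verdict: raw signature, signature after unpacking, entropy."""
    inner = unpack(sample)
    return {
        "raw_signature": signature_scan(sample),
        "unpacked_signature": inner is not None and signature_scan(inner),
        "entropy": round(shannon_entropy(sample), 2),
    }


if __name__ == "__main__":
    for i in range(3):  # three "builds" of the same payload
        print(scan(repack(PAYLOAD, f"build-{i}")))
```

Every build produces a new hash and hides the substring, so the raw signature never fires; the match only returns once the scanner understands the stub, which is the cat-and-mouse the article describes.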

Meanwhile, the 8% decline in overall malware detections at the enterprise perimeter that WatchGuard observed last quarter was not entirely unexpected, Nachreiner says. With most organizations shifting to a largely remote workforce in recent months because of the COVID-19 pandemic, attacks on enterprise endpoints declined as well, he notes.

WatchGuard's analysis also revealed an increase in JavaScript-based attacks last quarter compared with Q1. Nearly one in five of the malware samples that WatchGuard detected and blocked in Q2 involved a scam script called Trojan.Gnaeus. According to WatchGuard, the malware is designed to let attackers hijack a victim's browser and forcibly redirect it from the intended destination to a domain under attacker control. Another piece of JavaScript malware that made WatchGuard's top 10 list last quarter was J.S.PopUnder, a malicious ad-serving tool.

As has been the case for some time now, attackers continued to heavily use Microsoft Office documents and files to conceal and distribute malware. One of the most prolific examples of this past quarter was an XML Trojan called Abracadabra, which was delivered as an encrypted Excel file with the default password for Excel documents, "VelvetSweatshop." The encryption allowed the malware to evade most detection tools, while the default password allowed the file to automatically get decrypted when opened and to download and run an executable.

"The malware used an interesting technique to evade blocks" and was another reminder why traditional signature-based detection is no longer sufficient, Nachreiner says.

Malware remains a major cause of data breaches, but the number of breaches resulting from malware infections has been gradually declining in recent years. According to Verizon's 2020 Data Breach Investigations Report (DBIR), only 17% of the breaches it investigated last year were malware-related, compared with 45% that were triggered by external hacking and 22% via social engineering.

Compared with 2016, when Trojan-type malware accounted for nearly 50% of the breaches that Verizon investigated, last year the figure was about 6.5%. Much of the decline has to do with improved enterprise defenses, which in turn has led to an increase in the use of legitimate, dual-use admin tools and living-off-the-land techniques in attacks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

9/28/2020 | 11:53:06 AM
It Must Be Time To Retire
In 2004 the major antivirus companies such as Symantec, McAfee, Norton, etc., made a joint announcement that their products' methods of signature identification were no longer sufficient to protect IT environments. The reason was that it was too easy to "pack" the malware, changing its signature. They noted that they could provide a temporary delay of malware, to give companies time to patch their systems - the only way to truly protect their IT environment, repair the flaw. Reading this article was like reading the 'recent discovery' that most security incidents are internal. I started working IT in 1985 and IT Security in 1992 and that's always been the case. I think it's time I retire before you folks 'discover' that IBM mainframes are incredibly faster than servers.