Dark Reading | Endpoint

9/24/2020 06:40 PM
Malware Attacks Declined But Became More Evasive in Q2

Most of the malware used in attacks last quarter were designed to evade signature-based detection tools, WatchGuard says.

A new analysis of malware activity during the second quarter of this year uncovered some mixed news for enterprise organizations.

While malware detections in Q2 decreased 8% compared with the previous quarter, attacks involving malware that were not detectable by signature-based antivirus systems jumped 12% during the same quarter. Some seven in 10 attacks that organizations encountered in Q2, in fact, involved malware designed to circumvent antivirus signatures.

Security vendor WatchGuard recently analyzed malware attack data gathered from nearly 42,000 of its Firebox appliances at customer locations worldwide. Together, the devices blocked more than 28.5 million malware samples representing some 410 unique attack signatures — a 15% increase from Q1.

Corey Nachreiner, CTO of WatchGuard and co-author of the report, says the biggest takeaway from the analysis was the increase in attacks involving malware variants that used so-called "packers" or "crypters" to evade detection mechanisms.

Such tools allow attackers to essentially repackage or obfuscate the same executable in slightly different ways each time so it can be used over and over again against signature-based defenses.

"Repackaging executables used to take some skill," Nachreiner says. "However, the bar has been lowered" for cybercriminals, he says.

Numerous tools and services are available in underground markets these days that allow even low-skilled attackers to acquire subtly modified variants of previously known malware — often for as little as $50 to $200 — and use them in new attacks. Qbot, a threat that has been around since at least 2008, is one of the better known examples of how attackers keep reusing the same malware by constantly tweaking it to evade signature-based tools.

Meanwhile, the 8% decline in overall malware detections at the enterprise perimeter that WatchGuard observed last quarter was not entirely unexpected, Nachreiner says. With most organizations shifting to a largely remote workforce in recent months because of the COVID-19 pandemic, attacks on enterprise endpoints declined as well, he noted.

WatchGuard's analysis also revealed an increase in JavaScript-based attacks last quarter, compared with Q1. Nearly one in five of the malware samples that WatchGuard detected and blocked in Q2 involved a scam script called Trojan.Gnaeus. According to WatchGuard, the malware is designed to let attackers hijack a victim's browser and redirect it forcefully from the intended destination to a domain under attacker control. Another JavaScript malware that made WatchGuard's top 10 list last quarter was J.S.PopUnder, a malicious ad-serving tool.

As has been the case for some time now, attackers continued to heavily use Microsoft Office documents and files to conceal and distribute malware. One of the most prolific examples of this past quarter was an XML Trojan called Abracadabra, which was delivered as an encrypted Excel file with the default password for Excel documents, "VelvetSweatshop." The encryption allowed the malware to evade most detection tools, while the default password allowed the file to automatically get decrypted when opened and to download and run an executable.
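A defender-side illustration of the Abracadabra delivery trick, added here and not part of the article or of WatchGuard's report: a gateway triage check that spots password-protected Excel attachments (the EncryptionInfo/EncryptedPackage streams of an encrypted OOXML package, or a FILEPASS record in a legacy BIFF8 workbook) so they can be opened with the default password named above and scanned in the clear instead of being waved through as unreadable. The stream and record names come from the Office file formats; the sample blobs are constructed stand-ins, not real samples.

```python
# Constructed triage heuristic, not WatchGuard's or the author's code. Excel
# protects a workbook either by wrapping an OOXML package in an OLE compound
# file (EncryptionInfo + EncryptedPackage streams; names stored as UTF-16LE in
# the CFB directory) or, for legacy .xls, with a FILEPASS record after BOF.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # plain, unencrypted OOXML zip
BIFF8_BOF = b"\x09\x08\x10\x00"                   # BOF record id 0x0809, length 16
BIFF_FILEPASS_ID = b"\x2f\x00"                    # FILEPASS record id 0x002F
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"        # default password quoted in the article

def _utf16(name: str) -> bytes:
    return name.encode("utf-16-le")

def _has_biff_filepass(data: bytes) -> bool:
    """True if a BIFF8 BOF record (4-byte header + 16-byte body) is
    immediately followed by a FILEPASS record header."""
    pos = data.find(BIFF8_BOF)
    while pos != -1:
        if data[pos + 20:pos + 22] == BIFF_FILEPASS_ID:
            return True
        pos = data.find(BIFF8_BOF, pos + 1)
    return False

def classify_office_blob(data: bytes) -> dict:
    """Return a triage verdict: container type, whether the content is
    encrypted, which scheme, and what the scanner should do next."""
    verdict = {"container": "unknown", "encrypted": False,
               "scheme": None, "action": "scan as-is"}
    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml-zip"
    elif data.startswith(OLE_MAGIC):
        verdict["container"] = "ole-cfb"
        if _utf16("EncryptionInfo") in data and _utf16("EncryptedPackage") in data:
            verdict.update(encrypted=True, scheme="ooxml-in-ole")
        elif _has_biff_filepass(data):
            verdict.update(encrypted=True, scheme="biff8-filepass")
    if verdict["encrypted"]:
        # Excel opens such files silently with its default password, so the
        # scanner must do the same before it can see macros or payload.
        verdict["action"] = ("decrypt with %r, then scan the plaintext; "
                             "quarantine if decryption fails" % DEFAULT_EXCEL_PASSWORD)
    return verdict

# Constructed stand-ins for the two encrypted layouts (not real malware).
SAMPLE_ENCRYPTED_OOXML = OLE_MAGIC + b"\x00" * 504 + _utf16("EncryptionInfo") \
    + b"\x00" * 32 + _utf16("EncryptedPackage")
SAMPLE_ENCRYPTED_BIFF = OLE_MAGIC + b"\x00" * 504 + BIFF8_BOF + b"\x00" * 16 \
    + BIFF_FILEPASS_ID + b"\x36\x00"
```

A production check would walk the compound file directory instead of byte-searching and hand the decryption step to a library that implements the Office encryption schemes; the verdict logic stays the same.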

"The malware used an interesting technique to evade blocks" and was another reminder why traditional signature-based detection is no longer sufficient, Nachreiner says.

Malware still remains a major cause for data breaches. But the number of breaches resulting from malware infections has been gradually declining in recent years. According to Verizon's 2020 Data Breach Investigations Report (DBIR), only 17% of the breaches it investigated last year were malware-related, compared with 45% that were triggered by external hacking and 22% via social engineering.

Compared with 2016, when Trojan-type malware accounted for nearly 50% of the breaches that Verizon investigated, last year the number was about 6.5%. Much of the decline has to do with improved enterprise defenses, which in turn has led to an increase in the use of legitimate, dual-use admin tools and living-off-the-land techniques in attacks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...


Comments

remmons53 (User Rank: Apprentice), 9/28/2020 11:53:06 AM
It Must Be Time To Retire
In 2004 the major antivirus companies such as Symantec, McAfee, Norton, etc., made a joint announcement that their products' methods of signature identification were no longer sufficient to protect IT environments. The reason was that it was too easy to "pack" the malware, changing its signature. They noted that they could provide a temporary delay of malware, to give companies time to patch their systems - the only way to truly protect their IT environment, repair the flaw. Reading this article was like reading the 'recent discovery' that most security incidents are internal. I started working IT in 1985 and IT Security in 1992 and that's always been the case. I think it's time I retire before you folks 'discover' that IBM mainframes are incredibly faster than servers.