Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware (variants that circumvent antivirus signatures), a 12% increase over the previous quarter, WatchGuard found.
Malware detections during Q2 2020
Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of total detections in Q2, while attacks delivered over encrypted HTTPS connections accounted for 34%. Organizations that cannot inspect encrypted traffic will therefore miss roughly a third of incoming threats.
Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.
“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.
“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”
The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, accounting for nearly one in five malware detections. Gnaeus uses obfuscated code to hijack control of the victim’s browser and forcibly redirect them away from their intended web destinations to domains under the attacker’s control.
To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.
Attackers increasingly use encrypted Excel files to hide malware
XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing rapid growth since the technique emerged in April.
Abracadabra is delivered as an encrypted Excel file protected with the password “VelvetSweatshop”. Excel silently tries this built-in default password whenever it opens an encrypted workbook, so the user is never prompted: the file decrypts automatically and a VBA macro inside the spreadsheet downloads and runs an executable.
The use of the default password lets this malware slip past many basic antivirus solutions: the file is encrypted on disk and in transit and is only decrypted by Excel on the endpoint, so a scanner that does not try the default password sees nothing but ciphertext. Organizations should never allow macros from an untrusted source, and should leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.
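The gateway-side check described above, written out as an added example (this is not WatchGuard’s code). It flags the two traits that matter here: an OLE container carrying the EncryptionInfo/EncryptedPackage streams, which a scanner that never tries Excel’s built-in default password sees only as ciphertext, and a workbook (OOXML or legacy OLE) carrying a VBA project. The actual decryption with “VelvetSweatshop” is left to a dedicated tool and is not shown; the sample files built below are constructed byte strings, not real documents or malware.

```python
"""Triage an Excel attachment at the mail gateway.

Added example, not WatchGuard's code. Detects (a) an encrypted OLE wrapper,
which needs to be decrypted with Excel's default password before any scanner
can see the payload, and (b) the presence of a VBA project. Decryption itself
is left to a dedicated tool (not shown). Samples below are constructed bytes.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.xlsx/.xlsm) is a ZIP

# OLE directory entries store stream names as UTF-16LE. An encrypted OOXML
# document is wrapped in an OLE file that always holds these two streams.
# Legacy .xls (BIFF) encryption uses a FILEPASS record instead and is not
# covered by this heuristic.
ENCRYPTION_STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]
# Excel keeps its VBA project in an OLE storage named _VBA_PROJECT_CUR.
OLE_VBA_STORAGE = "_VBA_PROJECT_CUR".encode("utf-16-le")


def triage_office_file(data: bytes) -> dict:
    """Classify a file's bytes and return {kind, encrypted, has_macros, action}."""
    verdict = {"kind": "unknown", "encrypted": False, "has_macros": False}
    if data.startswith(OLE_MAGIC):
        verdict["kind"] = "ole"
        verdict["encrypted"] = all(s in data for s in ENCRYPTION_STREAMS)
        verdict["has_macros"] = OLE_VBA_STORAGE in data
    elif data.startswith(ZIP_MAGIC):
        verdict["kind"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
        verdict["has_macros"] = any(n.endswith("vbaproject.bin") for n in names)

    if verdict["encrypted"]:
        # Only the decrypted payload can be scanned for macros or a dropper.
        verdict["action"] = "decrypt with default password VelvetSweatshop, then rescan"
    elif verdict["has_macros"]:
        verdict["action"] = "detonate in sandbox before delivery"
    else:
        verdict["action"] = "allow"
    return verdict


# --- constructed samples (not real documents) ---------------------------------
def make_encrypted_ole_sample() -> bytes:
    """Minimal bytes mimicking an encrypted OOXML wrapper: header plus stream names."""
    return OLE_MAGIC + bytes(504) + b"".join(ENCRYPTION_STREAMS) + bytes(64)


def make_xlsx_sample(with_macros: bool) -> bytes:
    """Build an in-memory OOXML-style ZIP, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("encrypted", make_encrypted_ole_sample()),
                        ("macro xlsm", make_xlsx_sample(True)),
                        ("clean xlsx", make_xlsx_sample(False))):
        print(label, triage_office_file(blob))
```

The point of the `encrypted` branch is ordering: an encrypted wrapper must be decrypted and re-triaged before the macro check means anything, which is exactly the step a signature-only scanner skips.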
An old, highly exploitable DoS attack makes a comeback
A six-year-old DoS vulnerability affecting WordPress and Drupal appeared on the list of top 10 network attacks by volume in Q2. It is particularly severe because it affects every unpatched Drupal and WordPress installation and lets an attacker exhaust CPU and memory on the underlying host.
Despite the high volume of these attacks, they were concentrated on a few dozen networks, primarily in Germany. Since a DoS requires sustained traffic to the victim network, attackers were most likely selecting their targets intentionally.
Malware domains leverage command and control servers to wreak havoc
Two new destinations made the top malware domains list in Q2. The most common was findresults[.]site, the C&C server for a Dadobra trojan variant that drops an obfuscated file and an associated registry entry so that it runs at Windows startup, after which it can exfiltrate sensitive data and download additional malware.
One user alerted the WatchGuard team to Cioco-froll[.]com, whose C&C server supports an Asprox botnet variant, often delivered via PDF document; the infected host sends a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.
DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol the malware uses for the connection, because the infected host must still resolve the C&C name first. It only works, however, if endpoints are forced through the filtering resolver; direct outbound DNS to other resolvers should be blocked, or the malware will simply bypass it.
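The decision logic a DNS firewall applies to each query, as an added example (not WatchGuard’s code or any specific product). The two blocked domains are the ones named above; the client address and query names are constructed for the demonstration. The detail worth seeing is that matching walks label boundaries rather than doing a plain string-suffix comparison, so a lookalike such as `evilfindresults.site` is not caught by the `findresults.site` entry while every real subdomain is.

```python
"""Response-policy decision for a filtering resolver.

Added example, not WatchGuard's or any product's code. Blocked domains are the
two C&C names from the text; everything else here is constructed.
"""

BLOCKED_DOMAINS = {
    "findresults.site": "Dadobra C2",
    "cioco-froll.com": "Asprox C2",
}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot: 'Sub.Example.COM.' -> 'sub.example.com'."""
    return qname.rstrip(".").lower()


def match_policy(qname: str, blocked: dict = BLOCKED_DOMAINS):
    """Return (blocked_domain, label) if qname is a blocked domain or a subdomain of one.

    Walks label boundaries: 'cdn.findresults.site' matches 'findresults.site',
    'evilfindresults.site' does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate, blocked[candidate]
    return None


def resolve_with_policy(client: str, qname: str, log: list) -> str:
    """Answer 'NXDOMAIN' for policy hits (logging the querying client) or 'FORWARD' otherwise.

    The log line is the detection: it names the internal host that tried to reach
    the C&C domain, regardless of which protocol the malware would have used next.
    """
    hit = match_policy(qname)
    if hit:
        domain, label = hit
        log.append(f"rpz-hit client={client} qname={normalize(qname)} policy={domain} ({label})")
        return "NXDOMAIN"
    return "FORWARD"


if __name__ == "__main__":
    events = []
    for name in ("cdn.findresults.site.", "evilfindresults.site", "Cioco-froll.com", "example.org"):
        print(name, "->", resolve_with_policy("10.0.0.7", name, events))
    print("\n".join(events))
```

Returning NXDOMAIN (or a sinkhole address) is only half of the control; the `rpz-hit` line is what the SOC should alert on, since the querying client is the infected host.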
Google is providing a new “risky files” scanning feature to Chrome users enrolled in its Advanced Protection Program (APP).
About the Advanced Protection Program
Google introduced the Advanced Protection Program in 2017.
It’s primarily aimed at users whose accounts are at high risk of compromise through targeted attacks – journalists, human rights and civil society activists, campaign staffers and people in abusive relationships, executives and specific employees – but anyone can sign up for it. Enrollment adds three layers of protection:
- Anti-phishing protection: even if attackers steal a user’s credentials, they still need the physical security key (or enrolled smartphone) in the user’s possession to sign in
- Extra protection from harmful downloads
- Protection from malicious third-party apps that request access to the user’s Google Account.
Some features, like the one announced on Wednesday, will work only if the user uses Google Chrome and is signed into it with their Advanced Protection Program identity.
Chrome started warning APP users when a downloaded file may be malicious last year, but now it will also give them the ability to send risky files for additional scanning by Google Safe Browsing’s full suite of malware detection technology before opening them.
“When a user downloads a file, Safe Browsing will perform a quick check using metadata, such as hashes of the file, to evaluate whether it appears potentially suspicious. For any downloads that Safe Browsing deems risky, but not clearly unsafe, the user will be presented with a warning and the ability to send the file to be scanned,” Chrome engineers explained.
“If the user chooses to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis techniques in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will warn the user. As always, users can bypass the warning and open the file without scanning, if they are confident the file is safe. Safe Browsing deletes uploaded files a short time after scanning.”
Aside from helping users, the new feature is expected to help Google improve its ability to detect malicious files.
Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.
What is Apple Notarization?
Apple uses a number of technologies to prevent malware from being offered for download on the App Store and from running on macOS:
- App Review: Apps are reviewed by Apple before being published on the App Store, and have to comply with specific guidelines to get accepted
- Code Signing: Developers sign their apps with a developer certificate issued by Apple to assure users that the app comes from a known source and hasn’t been modified since it was signed. Gatekeeper verifies the developer certificate and consults the known-malware list when a downloaded application is first opened, and blocks the app from running if it is known malware or if the developer (certificate) is not recognized
- Notarization: An automated check that scans submitted software for malicious content and for code-signing issues. If the package passes, it receives a ticket proving that notarization succeeded; the ticket, stapled to the app or fetched from Apple on first launch, “tells” Gatekeeper that Apple notarized the software, i.e., that it is considered safe to run. Apple can revoke a ticket after the fact.
Apple Notarization is a relatively new security mechanism that, in theory, should detect malicious software and prevent it from being installed on a macOS system. But, as it turns out, it’s not foolproof.
Notarized macOS malware
The first known instance of notarized macOS malware was discovered last week by a college student who noticed that people trying to download Homebrew (brew.sh) who mistyped the URL as homebrew.sh were being served a warning that their Adobe Flash Player was out of date, along with an “update” for download.
Security researcher Patrick Wardle analyzed the served package and confirmed that it is not, in fact, an update, but a notarized version of the macOS Shlayer adware, which Gatekeeper does not flag as malicious.
This particular variant of the common adware would be detected by various third-party antivirus products, but many macOS users still don’t run one because they believe Macs can’t get malware.
How is this possible?
“We’re still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it’s looking like they did nothing at all,” said Apple security expert Thomas Reed, who compared the code of the notarized sample with that of an older, non-notarized Shlayer sample and spotted only minor changes.
“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how (if?) Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection,” he pointed out.
“This leaves us facing two distinct possibilities, neither of which is particularly appealing. Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”
Wardle notified Apple about the notarized Shlayer adware on August 28 and Apple immediately revoked the certificates used to notarize it. Two days later, though, the delivery campaign was still going strong, serving another Shlayer sample that had been notarized under a different Apple Developer ID.
“The attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning,” Wardle commented.
Reed pointed out that notarizing malicious software is just one of the ways adware distributors are trying to bypass macOS and user defenses.
“We’re seeing quite a few cases where malware authors have stopped signing their software, and have instead been shipping it with instructions to the user on how to run it,” he explained.
“The malware comes on a disk image (.dmg) file with a custom background. That background image shows instructions for opening the software, which is neither signed nor notarized.”
Microsoft’s security researchers warned on Monday about several email malware delivery campaigns that exploit the COVID-19 pandemic and target companies in the US and South Korea.
What they have in common is the final payload, the Remcos RAT (remote administration tool/Trojan), which gives attackers full control over the infected system, and the use of attachments with atypical file extensions. Disk images are attractive to attackers because Windows 8 and later mount them natively on double-click, and at the time the files inside them did not inherit the Mark-of-the-Web that triggers SmartScreen and Office Protected View for files downloaded directly.
In one campaign the attackers impersonate the US Small Business Administration (SBA) and attempt to deliver a malicious IMG (disk image) attachment.
“The IMG file contains an executable file that uses a misleading PDF icon. When run, the executable file drops Remcos, which allows attackers to take control of affected machines,” the researchers noted.
In another, the attackers impersonate the CDC’s Health Alert Network (HAN) and attach malicious ISO (disk image) files. In a third they pose as the American Institute of Certified Public Accountants and deliver a ZIP archive containing an ISO file, which in turn carries a malicious SCR (screensaver executable) file with a misleading PDF icon.
IBM X-Force researchers have also recently warned about a variety of fake US SBA emails carrying malicious IMG (disk image) and Universal Disk Format (UDF) image files leading to the Remcos RAT.
The US SBA is a good choice for malware peddlers to impersonate at this time.
“On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The US SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid,” IBM X-Force researchers pointed out.
The campaigns above obviously target businesses but, according to Kaspersky Lab researchers, Remcos RAT and other malware distributors have not forgotten about consumers.
To make recipients more likely to download and open a malicious attachment, they impersonate package delivery services and claim that the recipient must read or confirm the information in an attached file in order to receive a package.
Again, the malicious attachments come with unusual file extensions such as ACE (an obsolete archive format), as well as the more familiar RAR and ZIP archives.
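A filter that looks at what an attachment really is, rather than what its name claims, covering the IMG/ISO/UDF disk images, the SCR-with-PDF-icon executable and the ACE/RAR/ZIP archives described in the campaigns above. This is an added example and is not Microsoft’s, IBM X-Force’s or Kaspersky’s code. Signatures and offsets come from the public format specifications (ISO 9660 and UDF place their volume descriptors at sector 16, byte 0x8000); the attachment names and contents are constructed for the demonstration, and the ISO is only flagged, not parsed, since extracting its contents needs a full ISO 9660 reader.

```python
"""Identify an e-mail attachment by its bytes and recurse into ZIP archives.

Added example, not the code of any vendor named in the text. Signatures are
from the public format specs; all sample attachments below are constructed.
"""
import io
import os
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DISK_IMAGES = {"iso9660", "udf"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to expand huge members (zip-bomb guard)


def sniff(data: bytes) -> str:
    """Return the container/file type implied by the bytes, ignoring the extension."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"                      # RAR 4.x / RAR 5 signatures
    if data[7:14] == b"**ACE**":
        return "ace"
    if data[0x8001:0x8006] == b"CD001":
        return "iso9660"                  # primary volume descriptor at sector 16
    if data[0x8001:0x8006] == b"BEA01":
        return "udf"                      # UDF volume recognition sequence
    return "unknown"


def triage_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    kind = sniff(data)
    ext = os.path.splitext(name)[1].lower()

    if kind in DISK_IMAGES:
        findings.append(f"{name}: {kind} disk image attached (mounts on double-click)")
    if kind == "ace":
        findings.append(f"{name}: ACE archive (obsolete format, rarely legitimate in mail)")
    if kind == "pe-executable":
        note = "Windows executable"
        if ext not in EXECUTABLE_EXTENSIONS:
            note += f" disguised with a {ext or 'missing'} extension"
        findings.append(f"{name}: {note}")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: executable extension {ext}")

    # Look inside archives so a ZIP-wrapped ISO or SCR is judged on its contents.
    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{name}/{info.filename}: oversized member, not expanded")
                        continue
                    findings += triage_attachment(f"{name}/{info.filename}", zf.read(info),
                                                  depth + 1, max_depth)
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt or non-standard ZIP")
    return findings


# --- constructed samples -------------------------------------------------------
def make_iso_sample() -> bytes:
    """Sector 16 holds the ISO 9660 primary volume descriptor: type 1 then 'CD001'."""
    return bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)


def make_zip_with_iso() -> bytes:
    """Mimics the AICPA lure: a ZIP wrapping an ISO."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.iso", make_iso_sample())
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("Statement.zip", make_zip_with_iso()),
                       ("Application.pdf.scr", b"MZ" + bytes(62)),
                       ("notes.txt", b"hello")):
        print(name, triage_attachment(name, blob) or ["clean"])
```

The recursion depth and member-size caps are there because nested archives are also a common way to make a filter give up; a gateway that stops at the outer ZIP never sees the ISO.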
Can you trust attachments? Be careful
Malware peddlers will try every email and attachment combination they can think of to get past email security filters and persuade users to open those files.
Needless to say, everybody should be wary of opening attachments and links in unsolicited emails, whether they carry a familiar file extension or not.
If you really can’t resist, or you aren’t sure you can spot a fake, malicious email, you can test the attached file before opening it. VirusTotal is a popular, easy-to-use and thorough option for checking files for malware, but there are others as well. Bear in mind that files uploaded to VirusTotal are shared with its partner vendors and paying subscribers, so look up the file’s hash first and do not upload documents that may contain sensitive data.
The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned.
“Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted.
“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”
This is the third FBI private industry notification since the beginning of the year about the group’s activities and the modular Kwampirs RAT it uses.
According to the alert:
- The attack group first establishes a broad and persistent presence on the targeted network and then delivers and executes the Kwampirs RAT and other malicious payloads
- Kwampirs actors have successfully gained and sustained a persistent presence on victim networks for periods ranging from three to 36 months
- The Kwampirs RAT is modular and, depending on the target, different modules are dropped. The threat actors’ main goal appears to be cyber espionage
- Significant intrusion vectors include: lateral movement between company networks during mergers and acquisitions; malware being passed between entities through shared resources and internet facing resources during the software co-development process; and software supply chain vendors installing infected devices on the customer/corporate LAN or customer/corporate cloud infrastructure.
“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI added.
While the Kwampirs/Orangeworm threat actor is considered an APT (Advanced Persistent Threat), it is currently unknown whether it is state-backed.
What is known is that it doesn’t go after PII or payment card data and is not interested in destroying or encrypting data for ransom – though, according to the FBI, several code-based similarities exist between the Kwampirs RAT and the Shamoon/Disstrack wiper malware.
The group also doesn’t limit its targeting to healthcare and software supply chain organizations. To a lesser extent, it goes after companies in the energy and engineering industries as well as financial institutions and prominent law firms, across the United States, Europe, Asia, and the Middle East.
Defense and post-infection remediation
The notice delivers best practices for network security and defense to be incorporated before infection, recommended post-infection actions and identifies residual Kwampirs RAT host artifacts that can help companies to determine if they were a victim.
SANS ISC handler (and Dean of Research at the SANS Technology Institute) Johannes Ullrich notes that Kwampirs will likely enter an organization’s network undetected as part of a software update from a trusted vendor.
“Anti-malware solutions will detect past versions. But do not put too much trust in anti-malware to detect the next version that is likely tailored to your organization,” he added, and offered helpful advice for writing abstracted detection signatures that might come in handy.
While not recently updated, the MITRE ATT&CK entry for the Kwampirs malware may also be helpful. For more technical details about the malware, you might want to check out ReversingLabs’s recent analysis.
Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions.
This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception. Companies of all sizes need to deploy advanced anti-malware solutions that can detect and block these attacks.
In addition, widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017 have been detected. This ‘dropper’ exploit was number seven on WatchGuard’s top ten malware list and heavily targeted the UK, Germany and New Zealand. It downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was used in phishing attacks in February 2020 that preyed on early fears of the coronavirus outbreak.
Businesses of all sizes need to invest in multiple layers of security
“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, CTO at WatchGuard.
“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”
Other key findings from the Q4 2019 report include:
- Mac adware jumps in popularity in Q4 – One of the top compromised websites detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a Malwarebytes report from February 2020 that showed a rise in Mac malware, particularly adware.
- SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.
- Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Firebox appliances in a single country, suggesting attackers are automating their attacks more frequently.
Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.
Massive fallout from the Equifax breach
The report also highlights a major rise in zero day malware detections, as well as increasing use of Microsoft Office exploits and legitimate penetration testing tools.
The Apache Struts 2 remote code execution vulnerability can be exploited with just a few lines of Python or a single crafted HTTP request, giving the attacker shell access to an exposed system. It was accompanied by two other Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attack volume rose by 8%.
The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.
“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.
“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”
Attackers continue to favor Microsoft Office exploits
Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.
Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.
Zero day malware instances spike to 50%, as overall malware detections rise
After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.
The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.
Cybercriminals may be leveraging legitimate pentesting tools for attacks
Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.
The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.
It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.
Malware attacks targeting the Americas increase drastically
More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.
Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.
The Council to Secure the Digital Economy (CSDE), a partnership between global technology, communications, and internet companies supported by USTelecom—The Broadband Association and the Consumer Technology Association (CTA), released the International Botnet and IoT Security Guide 2020, a comprehensive set of strategies to protect the global digital ecosystem from the growing threat posed by botnets, malware and distributed attacks.

Botnets are large networks of compromised devices under the …