29 percent of threats previously unknown as hackers update tactics
The latest Quarterly Threat Insights Report from HP shows that 29 percent of malware captured between October and December 2020 was previously unknown, due to the widespread use of packers and obfuscation techniques by attackers seeking to evade detection.
In addition, 88 percent of malware was delivered by email into users' inboxes, in many cases having bypassed gateway filters. It took 8.8 days, on average, for threats to become known to antivirus engines by hash, giving attackers over a week's head start on their campaigns.
"Opportunistic cybercrime does not show any signs of slowing," says Alex Holland, senior malware analyst at HP Inc. "Low-cost malware-as-a-service kits are an attractive prospect to cybercriminals and we have seen these continue to proliferate in underground forums. Kits like APOMacroSploit, which emerged in Q4 2020, can be bought for as little as $50 USD, illustrating just how low the barrier to entry is for opportunistic cybercrime. We have also seen threat actors continue to experiment with malware delivery techniques to improve their chances of establishing footholds into networks. The most effective execution techniques we saw in Q4 2020 involved old technologies like Excel 4.0 macros that often offer little visibility to detection tools."
The report uses information gathered from HP Sure Click, which lets malware run inside isolated micro-virtual machines, tricking it into executing while the full infection chain is captured. Threats uncovered include a new Office malware builder called APOMacroSploit, used to target victims in delivery-themed spam campaigns that trick them into opening weaponized XLS attachments, and the information-stealing malware FickerStealer, distributed via a campaign using misspelled domains of popular instant messaging services.
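The FickerStealer campaign above relied on misspelled lookalikes of messaging-service domains. The following is an added example of how a detection engineer might flag such domains in proxy logs; it is not HP's code or part of the report. The brand list, the scoring thresholds and the log lines are constructed assumptions for illustration.

```python
"""Flag lookalike (typosquatted) domains of instant-messaging services in proxy logs.

Added example, not HP's code. LEGIT_DOMAINS, the thresholds and SAMPLE_LOG are
constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the legitimate registrable domains you want to protect.
LEGIT_DOMAINS = ["telegram.org", "whatsapp.com", "discord.com", "signal.org", "slack.com"]

# Constructed access-log lines: '<timestamp> <client> <method> <url>'.
SAMPLE_LOG = [
    "2020-11-04T10:21:07Z 10.0.0.12 GET http://telegrarn.org/setup.exe",
    "2020-11-04T10:21:09Z 10.0.0.12 GET https://cdn.whatsapp.com/app.js",
    "2020-11-04T10:22:41Z 10.0.0.31 GET https://whatsapp.org/update",
    "2020-11-04T10:23:02Z 10.0.0.31 GET http://discrod.com/login",
    "2020-11-04T10:23:15Z 10.0.0.44 GET https://example.com/",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes (co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, legit=LEGIT_DOMAINS, max_dist: int = 2):
    """Return (verdict, matched_legit_domain, score).

    score = edit distance of the second-level label, plus 1 if the TLD differs,
    so 'whatsapp.org' scores 1 against 'whatsapp.com' and 'telegrarn.org'
    scores 2 against 'telegram.org'. Brand labels shorter than six letters get
    a limit of 1, because one edit on a five-letter word matches many
    unrelated words (slack/stack).
    """
    dom = registrable(host)
    if dom in legit:
        return ("legit", dom, 0)
    name, _, tld = dom.rpartition(".")
    best = ("unrelated", None, None)
    for ld in legit:
        lname, _, ltld = ld.rpartition(".")
        score = levenshtein(name, lname) + int(tld != ltld)
        limit = 1 if len(lname) < 6 else max_dist
        if score <= limit and (best[2] is None or score < best[2]):
            best = ("lookalike", ld, score)
    return best


def scan_log(lines):
    """Return [(host, legit_domain, score)] for every lookalike host in the log lines."""
    hits = []
    for line in lines:
        host = urlsplit(line.split()[-1]).hostname
        if not host:
            continue
        verdict, match, score = classify(host)
        if verdict == "lookalike":
            hits.append((host, match, score))
    return hits


if __name__ == "__main__":
    for host, match, score in scan_log(SAMPLE_LOG):
        print(f"{host:<20} looks like {match} (score {score})")
```

Edit distance alone misses homoglyph tricks (rn for m is caught, but Unicode lookalikes are not) and will produce false positives on short brand names, so in practice the flagged hosts feed an analyst queue or a reputation check rather than a block rule.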
Trojans made up 66 percent of malware samples analyzed, driven largely by malicious spam campaigns distributing Dridex. 88 percent of malware detected was delivered via email -- with the most common lures being fake invoice attachments -- while web downloads accounted for the remaining 12 percent. The most common types of malicious attachments were documents (31 percent), archive files (28 percent), spreadsheets (19 percent) and executable files (17 percent).
"Q4 saw attackers shift from Word documents to executable files to deliver RATs. There was an uptick in malicious email campaigns targeting German users with Agent Tesla and Formbook RATs that were delivered as executables attached to emails," adds Holland. "The largest rise was in Dridex campaigns, which is typically used by attackers to deploy ransomware. Ultimately, any attacker gaining a foothold on an endpoint is bad news -- they can use this access to scrape credentials, move laterally between systems, exfiltrate data, or sell their access to other cybercriminals -- so it creates huge risk for businesses."
You can find out more on the HP Bromium blog.