Print this page
Published in News

Zero day malware use increases

by on24 September 2020


Malware use generally falls

In its latest Internet Security Report, WatchGuard Technologies found that despite an eight percent decrease in overall malware detections in Q2 2020, 70 per cent of all attacks involved zero day malware - variants that circumvent antivirus signatures, which represents a 12 percent increase over the previous quarter.

WatchGuard’s Internet Security Report, which provides a detailed look at the latest malware and network attack trends, found that attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34 percent.

This means that organisations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats. Even though the percentage of threats using encryption decreased from 64 percent in Q1, the volume of HTTPS-encrypted malware increased dramatically.

Corey Nachreiner, CTO of WatchGuard said: “The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch. Every organisation should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

Apparently JavaScript-based attacks are rising. The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control. Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic. To combat these threats, organisations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

The report notes that attackers are using encrypted Excel files to hide their payloads.  XML-Trojan.Abracadabra is a new addition to WatchGuard’s top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April. Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable. The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organisations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.

There was also a six year old denial of service (DoS) vulnerability affecting WordPress and Drupal made an appearance on WatchGuard’s list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware. Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Two new destinations made WatchGuard’s top malware domains list in Q2. The most common was findresults[.]site, which uses a C&C (command & Control) server for a Dadobra trojan variant that creates an obfuscated file and associated registry to ensure the attack runs and can exfiltrate sensitive data and download additional malware when users start up Windows systems. One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet. DNS firewalling can help organisations detect and block these kinds of threats independent of the application protocol for the connection.

WatchGuard’s quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. In Q2, nearly 42,000 WatchGuard appliances contributed data to the report, blocking a total of more than 28.5 million malware variants (684 perdevice) and more than 1.75 million network threats (42 per device). Firebox appliances collectively detected and blocked 410 unique attack signatures in Q2, a 15 percent increase over Q1 and the most since Q4 2018.


Read WatchGuard’s full Q2 2020 Internet Security Report here today: https://www.watchguard.com/wgrd-resource-center/security-report-q2-2020

Last modified on 24 September 2020
Rate this item
(0 votes)