Malware kits help attackers steal sensitive data

Attackers get the tools they need to evade detection

HP Inc. has presented the results of its latest quarterly HP Wolf Security Threat Insights Report. The analysis clearly shows that cyber crime marketplaces provide attackers with all the tools they need to bypass detection measures when breaking into companies. The result: they are able to infect users’ devices.

The report is based on data from millions of endpoints running HP Wolf Security and includes the following key insights:

  • Houdini’s final act: A new campaign targeted companies with fake shipping documents that hid the JavaScript malware Vjw0rm. The obfuscated code allowed the malware to bypass email defenses and reach end devices. The analyzed attack then delivered Houdini, a ten-year-old VBScript RAT, into the network. This shows that with the right pre-built tools from cyber crime marketplaces, cyber criminals are able to use legacy malware effectively by abusing the scripting capabilities built into operating systems.
  • Cybercriminals use so-called “Jekyll and Hyde” attacks: HP discovered a Parallax RAT campaign that starts two threads when a user opens a malicious scanned invoice. The “Jekyll” thread opens a mock invoice copied from a legitimate online template, which reduces the recipient’s suspicion. The “Hyde” thread runs the malware in the background. This attack is easy for threat actors to carry out – and relatively inexpensive: hacker forums offer pre-built Parallax kits for $65 per month.

HP has also found that attackers are “harassing” would-be cybercriminals, by deploying fake malware builders on code-sharing platforms such as GitHub. These repositories of malicious code entice would-be threat actors to infect their own machines. A popular malware builder, XWorm, is sold on underground markets for up to $500. These relatively high costs encourage cyber criminals on tight budgets to purchase fake, cracked versions.

HP Wolf Security isolates threats that evade detection tools on PCs. The malware is executed and analyzed in a secure environment without endangering the host. This also gives HP Wolf Security specific insight into the latest techniques cyber criminals are using in the rapidly changing cyber crime landscape. To date, HP Wolf Security customers have clicked on more than 30 billion email attachments, web pages and downloaded files without reporting a security breach.

The report shows how cybercriminals are increasingly diversifying their attack methods to bypass security policies and detection tools. Further results:

  • Archives were the most popular malware file type for the sixth consecutive quarter, used in 36 percent of cases analyzed by HP.
  • Although disabled by default, macro-enabled Excel add-in (.xlam) threats rose from 46th place in Q2 to 7th place in Q3 among the file extensions most commonly abused by attackers. Q3 also saw malware campaigns that abused PowerPoint add-ins.
  • At least 12 percent of email threats identified by HP Sure Click evaded one or more email gateway scanners in both Q3 and Q2.
  • In the third quarter, an increasing number of attacks with exploits in the Excel (91 percent) and Word (68 percent) formats were detected.
  • The number of PDF threats isolated by HP Wolf Security increased five percentage points compared to the second quarter.
  • The most important threat vectors in Q3 were emails (80 percent) and browser downloads (11 percent).
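The delivery patterns described above (obfuscated JavaScript dropping a VBScript RAT, archives as the most common carrier, macro-enabled .xlam and PowerPoint add-ins, lures disguised as shipping documents or invoices) can be turned into a first-pass attachment triage on the mail gateway or in a sandbox pipeline. The following is an added example and not HP’s code or anything taken from the report; the extension lists, the risk levels and the sample attachments are assumptions constructed for illustration.

```python
"""Attachment triage for the delivery patterns the report describes.

Added illustration, not HP's code. Flags script-host payloads
(JavaScript/VBScript, as in the Vjw0rm/Houdini case), macro-enabled
Office add-ins (.xlam/.ppam) and archives that wrap either.
All sample attachments below are constructed for this example.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Extensions Windows hands to a script host (wscript/cscript/mshta); assumed list.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Macro-enabled Office add-ins named in the report's file-type figures.
ADDIN_EXTS = {".xlam", ".ppam"}
# Container formats an unpacker would have to open before scanning; assumed list.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Extensions a lure typically pretends to be ("shipping_document.pdf.js").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


@dataclass
class Attachment:
    name: str
    # For archives: names of the files inside (in practice from an unpacker).
    members: list[str] = field(default_factory=list)


def _split_exts(name: str) -> list[str]:
    """All lower-cased extensions of a file name: 'a.pdf.js' -> ['.pdf', '.js']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(att: Attachment) -> tuple[str, list[str]]:
    """Classify one attachment as 'high', 'medium' or 'low' and explain why."""
    reasons: list[str] = []
    exts = _split_exts(att.name)
    final = exts[-1] if exts else ""

    if final in SCRIPT_EXTS:
        reasons.append(f"script-host payload ({final})")
    if final in ADDIN_EXTS:
        reasons.append(f"macro-enabled Office add-in ({final})")
    # Double extension such as 'invoice.pdf.vbs': the visible part claims a document.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final not in DOCUMENT_EXTS:
        reasons.append(f"document-looking double extension ({exts[-2]}{final})")
    if final in ARCHIVE_EXTS:
        inner_hits = [m for m in att.members
                      if (_split_exts(m) or [""])[-1] in SCRIPT_EXTS | ADDIN_EXTS]
        if inner_hits:
            reasons.append("archive wraps script/add-in payload: " + ", ".join(inner_hits))
        else:
            # A bare archive is still the report's top carrier, so it is not 'low'.
            reasons.append(f"archive container ({final})")

    high_markers = ("script-host", "macro-enabled", "document-looking", "archive wraps")
    if any(r.startswith(high_markers) for r in reasons):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", reasons


def triage_batch(attachments: list[Attachment]) -> dict[str, str]:
    """Risk level per attachment name for a batch of mail attachments."""
    return {att.name: triage_attachment(att)[0] for att in attachments}


# Constructed sample batch mirroring the lures the report describes.
SAMPLE = [
    Attachment("shipping_document.pdf.js"),                       # Vjw0rm-style lure
    Attachment("scanned_invoice_0931.zip", members=["invoice.vbs"]),  # archive-wrapped script
    Attachment("q3_forecast.xlam"),                                # macro-enabled add-in
    Attachment("brochure.pdf"),                                    # ordinary document
    Attachment("photos.zip", members=["a.jpg", "b.jpg"]),          # archive without script payload
]

if __name__ == "__main__":
    for att in SAMPLE:
        level, why = triage_attachment(att)
        print(f"{level:6} {att.name}: {'; '.join(why) or 'no indicators'}")
```

The function only looks at names and archive member names, which is deliberately cheap: it is the filter you run before spending sandbox time, not a replacement for detonation. Real deployments would feed it the unpacked member list from the gateway's archive scanner and pair the verdict with the content checks the report's figures are based on.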

HP Wolf Security runs high-risk tasks in isolated, hardware-enhanced virtual machines on the endpoint. This means users are protected without affecting their productivity. In addition, detailed traces of infection attempts are recorded. HP application isolation technology also mitigates threats that other security tools miss, and HP Wolf Security provides insights into intrusion techniques and threat actor behavior.
