Bad guys are implementing multiple evasion techniques in efforts to avoid detection and target individuals for fast and easy financial gain.
According to Mimecast’s first Threat Intelligence Report: Black Hat Edition 2019, 67 billion emails were rejected globally between April and June this year for displaying highly malicious attack techniques, out of the nearly 160 billion emails processed.
Interestingly, the report notes that threat actors are adapting how they engage their targeted victims, initiating contact through email first and then shifting to SMS, a less secure communications channel.
On the other hand, an increasing number of more complex targeted attacks used obfuscation, layering and bundling of malware. Researchers found that threat actors using these types of attacks are familiarizing themselves with their target’s security environment and then implementing multiple evasion techniques in efforts to avoid detection.
Microsoft Excel: Most popular
A large number of known malware campaigns were observed, including ones incorporating Emotet, Adwin, Necurs, and Gandcrab malware.
Microsoft Excel was one of the most popular file types used to distribute malicious activity, as more than 40% of threats detected were using files associated with it. File types associated with Microsoft Word were seen in nearly 15% of threats.
Attackers are using either simple and opportunistic attacks or complex and targeted attacks based on necessity to impact the target.
Josh Douglas, vice president of threat intelligence at Mimecast, said that the cyberthreat landscape will continue to evolve as threat actors continue to look for new ways to bypass security channels to breach their targets.
“We’ve observed malware-centric campaigns becoming more sophisticated, often using different types of malware in different phases of an attack – yet, at the same time very simple attacks are also increasing significantly,” he said.
Moreover, he said that threat actors are becoming more organised and business-like by implementing subscription and as-a-service-based business models to deliver malware in an effort to reduce their work and improve their return on investment.
Most targeted sector - professional education
Spam is heavily used by threat actors as a conduit to distribute malware, he said, adding that the professional education sector was the most targeted sector, with 256 attacks per year, followed by software and SaaS, with 109 attacks per user, and IT resellers, with 82 attacks per user.
Douglas said that the professional education sector is likely seen as a prime target due to constantly changing student populations that are not likely to have high security awareness and the potential for attackers to get access to personal data.
Since the cat-and-mouse game with attackers will continue for the foreseeable future, Mimecast researchers believe that attackers will continue to refresh older malware to help avoid detection, move towards more manipulative social engineering techniques, and leverage URLs hosted on well-known, generally trusted cloud platforms to spread malware.
Mimecast has detected an evolution of malware threats in which threat actors link to documents or landing pages on well-known cloud platforms, using URLs that would otherwise appear to be legitimate. These documents or landing pages then link or redirect users to other malicious sites or documents that download malware onto a victim’s system.
In addition, threat actors will make increasing use of file encryption to further evade scanner detections.