Endpoint Malware Threats See Shift as Campaigns Diversify

Image: Leon Seibert (unsplash)

In the second quarter of 2023, it was revealed that 95% of malware is delivered via encrypted channels. While the volume of endpoint malware is on the decline, campaigns are increasingly widespread. Despite a decrease in ransomware detections, double-extortion attacks are on the rise. Furthermore, threat actors continue to exploit older software vulnerabilities, WatchGuard reported.

WatchGuard’s Threat Lab noted in its latest analysis that fluctuations in advanced malware attacks and the evolution of multifaceted cyber threats demand continuous monitoring and adaptive security measures. Corey Nachreiner, the Chief Security Officer at WatchGuard, emphasized that no singular tactic defines the strategies of threat actors. Variations in risk levels based on different threats can emerge seasonally. Thus, organizations are urged to maintain an alert posture and embrace a holistic security strategy, potentially implemented by proficient managed service providers.

Under the Veil of Encryption

A significant portion of malware is concealed by SSL/TLS encryption, the standard for securing websites. Firms that neglect to inspect SSL/TLS traffic may therefore overlook a majority of malware threats. Zero-day malware made up a mere 11% of all detected malware, a record low. Notably, when only malware arriving over encrypted connections was examined, 66% of those detections were evasive. This suggests a continued trend of threat actors predominantly distributing sophisticated malware through encrypted channels.

In Q2 of 2023, endpoint malware detections witnessed an 8% decrease compared to the prior quarter. However, detections reported by 10 to 50 systems, or more than 100 systems, saw an uptick of 22% and 21% respectively. This suggests a broader proliferation of malware campaigns between the first and second quarters of 2023.

Double-extortion activities by ransomware groups surged by 72% quarter over quarter, with 13 new extortion groups identified by the Threat Lab. Concurrently, ransomware detections on endpoints dropped 21% quarter over quarter and 72% year over year.

Six new malware strains were spotted in the Top 10 endpoint detections. Particularly noteworthy was the compromised 3CX installer, which constituted 48% of the total detections in the Q2 malware threats list. Furthermore, the multi-purpose Glupteba malware made a comeback in early 2023 after an interruption in its activities in 2021.

Persistent Focus on Outdated Software Vulnerabilities

Cyber adversaries persistently use Windows' built-in tools to deliver malware payloads. Endpoint access methodologies showed a 29% increase in the misuse of native Windows OS utilities, representing 17% of all detections. In contrast, script-based malware, such as PowerShell scripts, saw a 41% decline, even though scripts remain the dominant mode of malware delivery, making up 74% of all detections. Browser exploits dropped by 33%, constituting just 3% of all detections.

The Threat Lab team discovered three new attack signatures in Q2 that exploited older vulnerabilities. Among them was a flaw from 2016 in an open-source learning tool hosted on GitHub that was discontinued in 2018. The others were vulnerabilities in PHP and a decade-old buffer overflow in HP OpenView Network Node Manager.

While examining malicious domains, the Threat Lab found compromised self-hosted platforms, such as WordPress blogs, and link-shortening services being used to host malware or its command-and-control infrastructure. Furthermore, a website associated with an educational competition in the Asia Pacific region was compromised by Qakbot threat actors.