New WatchGuard Threat Lab Report Reveals Critical Malware Trends
WatchGuard has released its new Internet Security Report—Q1 2024. The data shows large-scale targeting of Chromium browsers and growth in endpoint malware detection instances. Learn about the latest threat trends, attack techniques, and security best practices.
- WatchGuard’s new Threat Lab report has revealed key trends in malware and cyberattacks.
- Critical analysis has disclosed large-scale targeting of Chromium browsers and growth in instances of endpoint malware detection.
WatchGuard has released its new quarterly report on internet security, including critical cyberattack data. The report comprises key insights on network-based malware, network attack trends, endpoint malware trends, leading malicious domains, and best practices for mitigating cyber threat risks.
The report highlights significant differences from the previous quarter: network-based malware detections dropped while endpoint malware detections rose. Signature-based malware detections also increased for both endpoint and network products. The key insights from the report are summarised below.
Key Malware Trends
The report warns that malware attacks on IoT devices are expected to rise, with attackers increasingly relying on living-off-the-land (LotL) techniques. While the number of malware attacks observed decreased, the attack methodologies became more advanced.
Highlights of this quarter's malware activity include the uncovering of the GoldenSpy campaign, in which China-based, state-owned companies were found to be spying on the country's citizens. Another malware, Bash.MiraiB.C9B4EC13, was found targeting TP-Link Archer routers. It reused code from the Mirai botnet and exploited CVE-2023-1389 (a command-injection flaw in the web management interface of the Archer AX21) to gain code execution on affected routers.
The report also describes two new malware families. The first, Vundo.FKM, is a suspected password stealer that spreads in a worm-like fashion. The second, Trojan.Jeki.2, uses a malicious macro in an Office document to run PowerShell scripts that fetch further malware, including remote access trojans. The top 10 malware detections this quarter were Generic.3112968, GenericKD.70489621, Heur.RP.Cu2@b8XQ9afj, Ursu.6302, (Android) Generic.15257, Heur.RP.Cu2@bGGIINgj, Linux.XORDDoS.AT, Heur.RP.Cu2@b8XPSEbj, Vundo.FKM Password Stealer and Trojan.Jeki.2. Between them they cover adware, droppers, Windows code injectors, password stealers, and Office exploits.
Among malware delivered over encrypted connections, the top five threats include Heur2.ObfDldr.9.63A9E772.Gen, a malicious Microsoft Office document, and GenericKDZ.92453, which carries a variant of Agent Tesla. Agent.GIKS is a Microsoft Visual Basic script that injects malicious code. The remaining two, Logan.749 and Agent.IIQ, are known password stealers.
According to the report, 62.7% of malware detections came from the Asia Pacific region, while the shares for the Americas and the EMEA region dropped to 22.5% and 14.7%, respectively. Evasive malware also grew: 36% of malware detections were zero-day malware that evades signature-based detection, and the share was considerably higher for malware sent over encrypted connections, at 64%.
Malware authors are using increasingly sophisticated ways to infect their targets. Social engineering remains common, but vulnerability exploitation and the abuse of legitimate software to hide malicious activity (living off the land) have also been observed. Regular patching, host-based EDR, advanced sandboxing, and user training against social engineering are the recommended safeguards.
Malicious Domains
The malicious domains named in the report are involved in either malware delivery or command and control. pcdnbus[.]ou2sv[.]com and pandoramain-1794008345[.]us-west-2[.]elb[.]amazonaws[.]com support a botnet campaign named PandoraSpear. Another hostname, ec2-14-122-45-127[.]compute-1[.]amazonaws[.]cdnprivate[.]tel, is part of the DarkGate malware's command and control infrastructure; note that it imitates an AWS EC2 hostname but is registered under cdnprivate[.]tel, not amazonaws[.]com. ffoeefsheuesihfo[.]ru and hhplaytomp[.]com are used by the Phorpiex botnet and the AllaKore remote access trojan, respectively.
Legitimate sites that have been compromised to host malicious content include sp[.]adriver[.]ru, differentia[.]ru, disorderstatus[.]ru, pm2bitcoin[.]com, stopify[.]co, d[.]zaix[.]ru, u[.]teknik[.]io, granerx[.]com, a[.]pomf[.]cat, and www[.]cashconverters[.]sg. In addition, ulmoyc[.]com, unitednations-my[.]sharepoint[.]com, bestsports-stream[.]com, data[.]over-blog-kiwi[.]com, nucor-my[.]sharepoint[.]com, e[.]targito[.]com, www[.]898[.]tv, t[.]go[.]rac[.]co[.]uk, and agzagope-my[.]sharepoint[.]com have been observed in phishing operations. Several of these are tenant subdomains of shared services such as SharePoint, so they should be blocked as exact hostnames rather than at the parent domain.
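The indicators above are defanged and, in places, damaged by extraction (stray spaces, capital letters), and they mix attacker-registered domains with hosts on shared infrastructure. The following is an added example, not code from the WatchGuard report, that normalises such a list and decides a safe blocking scope for each entry: attacker-registered command-and-control domains are blocked at the registered-domain level, while phishing hosts and compromised legitimate sites are blocked as exact hostnames. The category labels, the shared-parent list, the minimal public-suffix handling and the DNS RPZ output format are this example's own assumptions.

```python
import re

# Indicators quoted in the article above, copied with their defanging ([.])
# and the extraction damage (stray spaces, capital letters) left in place so
# the normaliser has something to repair. Categories are this example's own.
INDICATORS = {
    "c2_or_delivery": [
        "pcdnbus[.]ou2sv[.]com",
        "pandoramain-1794008345[.] Us-west-2[.]elb[.]amazonaws[.]com",
        "ec2-14-122-45-127[.]compute-1[.] amazonaws[.]cdnprivate[.]tel",
        "Ffoeefsheuesihfo[.]ru",
        "hhplaytomp[.]com",
    ],
    "compromised_legit": ["sp[.]adriver[.]ru", "u[.]teknik[.]io", "www[.]cashconverters[.]sg"],
    "phishing": ["unitednations-my[.]sharepoint[.]com", "T[.]go[.]rac[.]co[.]uk", "ulmoyc[.]com"],
}

# Only attacker-registered infrastructure is blocked at the registered-domain
# level; phishing and compromised-legitimate hosts are blocked individually.
DOMAIN_SCOPE_CATEGORIES = {"c2_or_delivery"}
# Parents shared by many unrelated tenants (assumption: enough for the list above).
SHARED_PARENTS = ("sharepoint.com", "amazonaws.com")
# Minimal public-suffix handling for the multi-label suffixes that occur above.
MULTI_LABEL_SUFFIXES = {"co.uk"}
CLOUD_BRANDS = ("amazonaws", "akamai", "sharepoint", "cloudfront")


def refang(indicator: str) -> str:
    """'Ffoo[.] Bar[.]ru' -> 'ffoo.bar.ru'; handles [.], (.), [dot] and hxxp."""
    s = re.sub(r"\s+", "", indicator)
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    for defang in ("[.]", "(.)", "[dot]"):
        s = s.replace(defang, ".")
    return s.lower().strip(".")


def registered_domain(host: str) -> str:
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def under_shared_parent(host: str) -> bool:
    return any(host == p or host.endswith("." + p) for p in SHARED_PARENTS)


def cloud_lookalike(host: str) -> bool:
    """A host that borrows a cloud provider's naming without sitting under that
    provider's domain, such as the ec2-...amazonaws.cdnprivate.tel DarkGate host."""
    if under_shared_parent(host):
        return False
    return any(brand in label for label in host.split(".") for brand in CLOUD_BRANDS)


def block_scope(host: str, category: str) -> tuple[str, str]:
    """Return (name, 'host' | 'domain'): what to block and how wide."""
    if category in DOMAIN_SCOPE_CATEGORIES and not under_shared_parent(host):
        return registered_domain(host), "domain"
    return host, "host"


def build_rpz(indicators=INDICATORS) -> list[str]:
    """DNS Response Policy Zone records. 'name CNAME .' answers NXDOMAIN; the
    wildcard record extends a domain-scope block to every subdomain."""
    seen, lines = set(), []
    for category, raw_list in indicators.items():
        for raw in raw_list:
            host = refang(raw)
            name, scope = block_scope(host, category)
            if name in seen:
                continue
            seen.add(name)
            note = " ; cloud lookalike" if cloud_lookalike(host) else ""
            lines.append(f"{name} CNAME .{note}")
            if scope == "domain":
                lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    print("\n".join(build_rpz()))
```

The PandoraSpear load balancer under elb.amazonaws.com and the SharePoint tenants come out as exact-host blocks, whereas the DarkGate host is flagged as a cloud lookalike and blocked together with every other subdomain of cdnprivate.tel. For a production list, replace the two-entry suffix table with a real public-suffix library.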
Network Attack Trends
According to the report, network attack detections rose 13% this quarter. While the number of unique IPS signatures triggered by attackers dropped 16%, the leading network attacks accounted for 57% of detections. Most of the top network attack signatures are the same as in the previous quarter; the newcomers are WEB HAProxy h1_headers_to_hdr_list Empty Header Name Access Control Bypass (CVE-2023-25725) and WEB Remote Command Execution via Shell Script -1.h. The top signatures are a mix of buffer overflows, web threats, and exploit attempts.
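The report only names the HAProxy signature, so a short note on what it keys on is useful. Per the public advisory for CVE-2023-25725, HAProxy's HTTP/1 parser accepted a header field with an empty name, which truncated the parsed header list so that later headers disappeared from the view its ACLs and routing rules act on; the fix shipped in HAProxy 2.7.3 and the corresponding updates to the maintained branches. A header line with no field name is malformed under RFC 9110 regardless of the proxy in use, so rejecting or alerting on it at the edge is safe. The following is an added example, not code from the report or from HAProxy, that flags such requests; the sample requests are constructed, and which headers actually vanish on an unpatched instance depends on the configuration.

```python
import re

# RFC 9110 field-name: one or more tchar characters (this regex is the
# example's own transcription of the grammar).
FIELD_NAME = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample requests. The bare ':' line is the shape the IPS
# signature keys on; everything after it is what a vulnerable HAProxy lost.
SAMPLE_BAD = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b":\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"\r\n"
)
SAMPLE_GOOD = b"GET / HTTP/1.1\r\nHost: app.example\r\nAccept: */*\r\n\r\n"


def header_lines(raw: bytes) -> list[bytes]:
    """Header block of an HTTP/1.x request as a list of lines, without the
    request line and without the body."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line for line in head.split(b"\r\n")[1:] if line]


def find_bad_headers(raw: bytes) -> list[tuple[int, str]]:
    """(header index, reason) for every header line that is not 'token: value'."""
    bad = []
    for i, line in enumerate(header_lines(raw), start=1):
        name, sep, _ = line.partition(b":")
        if not sep:
            bad.append((i, "no colon"))          # obsolete folding or garbage
        elif name == b"":
            bad.append((i, "empty field name"))  # the CVE-2023-25725 shape
        elif not FIELD_NAME.match(name):
            bad.append((i, "invalid field name"))
    return bad


def headers_after_empty_name(raw: bytes) -> list[bytes]:
    """Lower-cased names of the headers that follow the first empty-name line;
    per the advisory these are the ones an unpatched HAProxy dropped from its
    parsed list before ACLs ran."""
    hidden, truncated = [], False
    for line in header_lines(raw):
        name, sep, _ = line.partition(b":")
        if sep and name == b"":
            truncated = True
        elif truncated and sep:
            hidden.append(name.strip().lower())
    return hidden


def should_reject(raw: bytes) -> bool:
    """Edge rule: refuse any request whose header block is malformed."""
    return bool(find_bad_headers(raw))


if __name__ == "__main__":
    print(find_bad_headers(SAMPLE_BAD), headers_after_empty_name(SAMPLE_BAD))
    print(find_bad_headers(SAMPLE_GOOD), should_reject(SAMPLE_GOOD))
```

On a capture or a WAF log feed, `headers_after_empty_name` tells you which headers an attacker was trying to hide from the proxy's rules, which is the detail worth recording alongside the IPS hit when triaging the alert.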
Network attacks were distributed relatively evenly around the world, with the Americas seeing 39% of all detections, followed by Europe, the Middle East, and Africa with 38%, and Asia and the Pacific with 23% of all detections.
This quarter, endpoint malware detections increased by 75.7%. However, the number of newly discovered malware variants fell, and the volume of detections in which a single malware family hit multiple machines largely stagnated or decreased. Glupteba, Mylobot, Khalesi, Conficker, GuLoader, Agent Tesla, FormBook, and attackers misusing NetSupport were the most prevalent malware operations.
Notably, detections by attack vector fell this quarter: Acrobat, Office, browsers, Windows, and scripts all saw lower detection rates. Among browsers, Chrome was the most common vector, accounting for 78% of browser-related detections.
The report also covers ransomware operations, noting the disruptions to the LockBit and ALPHV campaigns. Overall, detections of ransomware operations fell by more than 23% this quarter, and fewer extortion attempts were observed. New ransomware groups were also noted, including AlphaLocker, APT73, dAn0n, DarkVault, Dispossessor, DoNex, Handala, Kill Security, NO-NAME, RansomHub, Red, Slug, and Trisec. Of these, RansomHub is the most active.
The report further details the most notable ransomware breaches, including those at Prudential Financial and Change Healthcare by ALPHV, Hipocrate Information Systems by Phobos, Fulton County and Subway by LockBit 3.0, Kenya Airways by RansomExx2, and Water for People by Medusa Blog.
Top Report Highlights
Some of the highlights of this quarter include:
- Network-based malware detections fell by around 50%.
- Zero-day malware incidences accounted for only 36% of all malware detections.
- Endpoint malware detections rose by more than 75% QoQ.
- The PandoraSpear botnet reached WatchGuard's top 10 detected malware.
- Encrypted malware grew to 69%.
- Network attacks rose 13% QoQ.
- A vulnerability in the HAProxy load balancer (CVE-2023-25725) was behind one of the leading network attack signatures.
- Eighty-eight unique malware variants were detected and blocked for every 100,000 machines.
- Malicious scripts are falling as a malware delivery vector.
- DarkGate uses malicious AWS and fake Akamai subdomains to lure targets.
- Endpoint ransomware attacks fell by around 23%.
- Chromium-based browsers produced 78% of the total volume of malware originating from attacks against web browsers or plugins.
Protection Best Practices
Finally, the report lists the protective measures it considers most important this quarter: patching and updating software and hardware, training users about the risks of opening unsolicited Office documents, and deploying protections against botnets, including a zero-trust approach.