Threat actors are chaining different combinations of attacks together like Lego bricks to sneak past detection tools, according to HP’s quarterly HP Wolf Security Threat Insights Report.
Based on data from millions of endpoints running HP Wolf Security, researchers found:
* It’s playtime for cybercriminals building Lego-style attacks: Attack chains are often formulaic, with well-trodden paths to the payload. Yet creative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques like Lego bricks, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analysed by HP in Q2 were unique.
* Spot the difference – blogger or keylogger: Attackers behind recent Aggah campaigns hosted malicious code within the popular blogging platform Blogspot. By hiding the code in a legitimate source, they make it harder for defenders to tell whether a user is reading a blog or launching an attack. Threat actors then use their knowledge of Windows systems to disable some anti-malware capabilities on the user’s machine, execute XWorm or the AgentTesla Remote Access Trojan (RAT), and steal sensitive information.
* Going against protocol: HP also identified other Aggah attacks using a DNS TXT record query – typically used to access simple information on domain names – to deliver the AgentTesla RAT. Threat actors know the DNS protocol is not often monitored or protected by security teams, making this attack extremely hard to detect.
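As an added defender-side example (not from the HP report and not HP's code), the following Python scans a hypothetical resolver log for TXT answers that look like payload delivery rather than ordinary configuration records such as SPF, DMARC or site-verification strings. The log format, the `.invalid` placeholder domains, the client addresses and every sample line are constructed for this illustration; the base64 blobs are encoded filler text, not a real payload.

```python
"""Flag DNS TXT answers that resemble payload delivery.

Added example for this article; it is not HP's code. The resolver log format,
the placeholder domains and the sample lines below are all constructed.
"""
import math
import re
from collections import defaultdict

# Hypothetical resolver log line: <timestamp> <client> <qtype> <qname> "<rdata>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# TXT record prefixes expected in normal operation; extend per environment.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")

# Base64 alphabet with optional padding; short strings are ignored to limit noise.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
MAX_NORMAL_LEN = 100  # tune against your own baseline of legitimate TXT records

# Constructed sample log: three benign TXT records, one A record, two base64-like
# answers fetched repeatedly by one client, and one oversized free-text answer.
SAMPLE_LOG = """\
2023-06-01T10:00:00Z 10.0.0.5 A example.com "203.0.113.10"
2023-06-01T10:00:01Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.com -all"
2023-06-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
2023-06-01T10:00:03Z 10.0.0.7 TXT example.com "google-site-verification=abc123"
2023-06-01T10:00:04Z 10.0.0.9 TXT txt-placeholder.invalid "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBibG9iIG5vdCBhIHJlYWwgcGF5bG9hZA=="
2023-06-01T10:00:05Z 10.0.0.9 TXT txt-placeholder.invalid "c2Vjb25kIGNvbnN0cnVjdGVkIGNodW5rIG9mIGZpbGxlciB0ZXh0IGZvciB0aGUgZXhhbXBsZQ=="
2023-06-01T10:00:06Z 10.0.0.11 TXT other-placeholder.invalid "this is a long free-text answer with no known prefix that is used here only to exceed the size threshold of the example"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest encoded or encrypted content."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def classify_txt(rdata: str):
    """Return a reason if the TXT answer looks like payload delivery, else None."""
    if rdata.startswith(BENIGN_PREFIXES):
        return None
    if BASE64_RE.match(rdata):
        return "base64-like TXT answer"
    if len(rdata) > MAX_NORMAL_LEN:
        return "oversized TXT answer"
    return None


def find_suspicious_txt(log_text: str):
    """Parse resolver log lines and return one finding per suspicious TXT answer."""
    findings = []
    per_client_name = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qtype, qname, rdata = m.groups()
        if qtype != "TXT":
            continue
        reason = classify_txt(rdata)
        if reason is None:
            continue
        per_client_name[(client, qname)] += 1
        findings.append({
            "time": ts, "client": client, "qname": qname, "reason": reason,
            "length": len(rdata), "entropy": round(shannon_entropy(rdata), 2),
        })
    # The same client pulling several suspicious answers for one name looks like
    # a payload being fetched in chunks rather than a one-off lookup.
    for f in findings:
        if per_client_name[(f["client"], f["qname"])] > 1:
            f["reason"] += "; repeated from same client (possible chunked transfer)"
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_txt(SAMPLE_LOG):
        print(finding)
```

The benign-prefix check runs first because legitimate SPF and DKIM records are often long, so a length rule alone would be noisy; the entropy value is reported rather than thresholded so an analyst can calibrate it against their own resolver's baseline before alerting on it.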
* Multi-lingual malware: A recent campaign uses multiple programming languages to avoid detection. First, it encrypts its payload using a crypter written in Go, disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.
Patrick Schläpfer, senior malware analyst at the HP Wolf Security threat research team, comments: “Today’s attackers are becoming better organized and more knowledgeable. They research and analyse operating system internals, making it much easier for them to exploit the gaps. By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm.”
The report details how cybercriminal groups are diversifying attack methods to bypass security policies and detection tools. Key findings include:
* Archives were the most popular malware delivery type for the fifth quarter running, used in 44% of cases analysed by HP.
* Q2 saw a 23% rise in HTML threats stopped by HP Wolf Security compared to Q1.
* There was a 4-percentage-point increase in executables, from 14% to 18%, from Q1 to Q2, mainly caused by use of the PDFpower.exe file, which bundled software with browser-hijacking malware.
* HP noted a 6-percentage-point drop in spreadsheet malware (19% to 13%) in Q1 compared to Q4, as attackers move away from Office formats in which macros are more difficult to run.
* At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners in Q2.
* The top threat vectors in Q2 were email (79%) and browser downloads (12%).
Dr Ian Pratt, global head of security for personal systems at HP Inc, comments: “While infection chains may vary, the methods of initiation remain the same – it inevitably comes down to the user clicking on something. Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”