Webroot has released a new threat report which sums up what has been happening in the malware sector so far in 2019.
The report is described as a “mid-year update to the annual Webroot Threat Report” and it showcases data from the Webroot Platform, the company’s advanced machine learning-based threat analysis architecture, and trends, insights, and predictions from the Webroot Threat Research Team.
Malware and Reconnaissance
One thing the research team noticed is a shift toward more reconnaissance in malware campaigns. Cybercriminals appear to be performing more reconnaissance in advance to determine the value a system could give them. What does this mean? For example, if cybercriminals detect a system or network of systems with excellent speed and processing power, they are likely to prefer an attack that uses those systems to mine cryptocurrency.
Another intriguing observation is that malware has been targeting older operating systems. More specifically, malware targeting Windows 7 machines has risen 71% in comparison with 2018. This may be because machines running Windows 7 are more prone to infections than Windows 10 systems, with home PC users twice as likely to become infected as business users.
One of the most notable malware pieces, besides ransomware, is a banking Trojan known as DanaBot. The DanaBot Trojan was first detected in May 2018. It appears that samples continue to be spread to users worldwide.
One of the primary distribution techniques has been spam email. The messages rely on social engineering: they are designed with elements taken from famous companies, which can confuse users into thinking that they have received a legitimate notification or a password reset link. Upon interacting with these elements, users may download and execute the DanaBot Trojan file directly, or be prompted to follow “instructions” that ultimately lead to its installation.
DanaBot has been found to contain a modular engine that can be customized according to the intended targets. It follows a multi-stage infection pattern that begins with the initial infection: a series of scripts is called, and these download the main engine.
Phishing and Malicious URLs
“So far in 2019, nearly 1 in 4 malicious URLs (24%) were found on trusted domains,” the report says, adding that 1 in 50 URLs is malicious.
Criminals hijack pages on legitimate sites to host malicious content, knowing that it’s more difficult for security measures to block URLs on these domains, and that end users are less likely to be suspicious of pages on domains they recognize.
The researchers observed much of this behavior across 9 distinct domain content categories (of the top 1,000 most popular domains), including URL shorteners (bit.ly, TinyURL, tiny.cc, etc.), cloud storage (Dropbox, SharePoint, Google™ Drive, etc.), and digital media (Tumblr, Imgur, etc.).
More specifically, about 25% of malicious URLs were found to be hosted on trusted domains. This is because cybercriminals are well aware that URLs on trusted domains are unlikely to raise a red flag for users and are also more difficult to block. In addition, nearly a third of the phishing sites the researchers detected used HTTPS to successfully lure users.
To sum up, so far in 2019 Webroot has discovered more than 1.5 million unique phishing URLs. “I expect phishing kits will continue to advance, adding further techniques to avoid automatic detection methods. The delivery of phishing pages will also likely become more dynamic, using various conditions to serve a more targeted phishing page which would increase the campaign’s likelihood of success,” concluded Senior Threat Analyst Dan Para.