Skilled use of obfuscation and the widespread use of packers enabled 29% of malware to evade detection and be classified as “previously unknown,” according to the findings of the HP Inc. (HP) Quarterly Threat Insights Report, which analyzes real-world attacks against customers worldwide.
The HP report also found that 88% of malware (malicious software) was able to bypass gateway filters and reach email inboxes, endangering corporate networks. HP said it takes 8.8 days on average for a threat to become known by hash to antivirus engines, giving hackers more than a week’s head start to advance their campaigns.
“This report highlights the deficiencies in traditional defenses that rely on detection to block malware,” said Dr. Ian Pratt, global head of Security for Personal Systems at HP Inc. “Attackers have repeatedly found new ways to bypass traditional detection-based tools, making it more important than ever for organizations to build zero-trust design principles into their security architecture.”
HP Sure Click was able to detect and mitigate attacks using its own “obfuscation” feature: the malware is allowed to run, but by then it has already been identified, isolated, and monitored. Sure Click captures the full infection chain inside isolated micro-virtual machines, a hardware-enforced approach to security that renders the malware harmless and keeps customers safe.
Threats isolated by HP Sure Click
HP Sure Click has isolated a good number of threats and web exploits, the most notable of which are FickerStealer, APOMacroSploit, ZLoader, and DOSfuscation. Each has distinct characteristics, such as exploiting email, sending spam, or relying on Trojans.
HP Sure Click also detected DOSfuscation: the operators of the widely used Emotet malware modified its downloader with DOSfuscation techniques to make the obfuscation more complex. The downloader also generated an error message when opened, which helped avoid user suspicion when the malicious documents did not behave as expected. Emotet was eventually taken down in January 2021.
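DOSfuscation hides cmd.exe command lines behind caret escapes, environment-variable substring expansion, set/call indirection and for-loop token reassembly. The scorer below, an added example that is not HP's code or part of the report, runs those indicators over constructed process-creation command lines; the weights and the threshold are assumptions for illustration, not values from the page.

```python
import re

# Constructed sample cmd.exe command lines, as a defender would see them in
# process-creation logs; they are not samples from the HP report.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c "dir C:\Users\alice\Documents"',
    r'cmd.exe /c "echo %USERNAME% ^& dir"',           # legitimate caret escape
    r'cmd.exe /c "s^e^t a=ech&& s^e^t b=o&& call %a%%b% hello"',
    r'cmd.exe /c "%COMSPEC:~-16,1%%COMSPEC:~-13,1% %COMSPEC:~-8,3%"',
    r'cmd.exe /c "for /f "tokens=2 delims==" %i in ("x=dir") do %i"',
]

CARET_BEFORE_LETTER = re.compile(r"\^(?=[A-Za-z])")        # ^ before a plain letter is a no-op
SUBSTRING_EXPANSION = re.compile(r"%[A-Za-z_]\w*:~\s*-?\d+(?:\s*,\s*-?\d+)?%")  # %VAR:~n,m%
SET_ASSIGNMENT = re.compile(r"\bset\s+\w+=", re.I)
CALL_EXPANSION = re.compile(r"\bcall\s+%", re.I)
FOR_TOKEN_LOOP = re.compile(r"\bfor\s+/[fl]\b.*\b(?:tokens|delims)=", re.I)


def dosfuscation_indicators(cmdline):
    """Return per-indicator counts for one command line."""
    carets = len(CARET_BEFORE_LETTER.findall(cmdline))
    # cmd.exe drops a caret placed before an ordinary letter, so strip them
    # before matching keyword indicators; otherwise "s^e^t" hides "set".
    unescaped = CARET_BEFORE_LETTER.sub("", cmdline)
    set_call = bool(SET_ASSIGNMENT.search(unescaped)) and bool(CALL_EXPANSION.search(unescaped))
    return {
        "caret_escapes": carets,
        "substring_expansions": len(SUBSTRING_EXPANSION.findall(unescaped)),
        "set_call_indirection": int(set_call),
        "for_token_loop": len(FOR_TOKEN_LOOP.findall(unescaped)),
    }


def dosfuscation_score(cmdline):
    """Weighted score (assumed weights); caret count is capped so one long
    escaped string cannot dominate the result."""
    ind = dosfuscation_indicators(cmdline)
    return (min(ind["caret_escapes"], 5)
            + 2 * ind["substring_expansions"]
            + 3 * ind["set_call_indirection"]
            + 3 * ind["for_token_loop"])


SUSPICIOUS_THRESHOLD = 3  # assumed cut-off for this example


def flag_suspicious(cmdlines, threshold=SUSPICIOUS_THRESHOLD):
    """Return (command line, score) pairs whose score reaches the threshold."""
    return [(c, dosfuscation_score(c)) for c in cmdlines if dosfuscation_score(c) >= threshold]


if __name__ == "__main__":
    for cmd, score in flag_suspicious(SAMPLE_COMMAND_LINES):
        print(score, cmd)
```

The second sample shows why carets are only counted before letters: `^&` is a routine escape in benign one-liners and scores zero.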
“Opportunistic cybercrime does not show any signs of slowing,” said Alex Holland, senior malware analyst at HP Inc. “Cybercriminals are exploiting low-cost malware-as-a-service kits, which are proliferating in underground forums. Kits like APOMacroSploit, which emerged in Q4 2020, can be bought for as little as $50, illustrating just how low the barrier to entry is for opportunistic cybercrime. We have also seen threat actors continue to experiment with malware delivery techniques to improve their chances of establishing footholds into networks. The most effective execution techniques we saw in Q4 2020 involved old technologies like Excel 4.0 macros that often offer little visibility to detection tools.”
The HP report also found that the most common types of malicious attachments were documents (31%), archive files (28%), spreadsheets (19%), and executable files (17%). Trojans made up 66% of the malware samples analyzed, driven largely by malicious spam campaigns distributing Dridex malware, which a recent HP blog post flagged as having increased in prevalence by 239%.
“Q4 saw attackers shift from Word documents to executable files to deliver RATs. There was an uptick in malicious email campaigns targeting German users with Agent Tesla and Formbook RATs that were delivered as executables attached to emails,” Holland said. “The largest rise was in Dridex campaigns, which are typically used by attackers to deploy ransomware. Ultimately, any attacker gaining a foothold on an endpoint is bad news (because) they can use this access to scrape credentials, move laterally between systems, exfiltrate data, or sell their access to other cybercriminals. So it creates a huge risk for businesses.”