Malware goes regional as attackers change tactics

SEO techniques employed to increase visibility of poisoned documents claims Netskope


Most malware attacks now originate from the same region as the victim, according to a new report, a sign that malicious actors are changing their tactics.

The findings come from research by cloud security outfit Netskope, which compiled its new Cloud and Threat Report from trends observed over the last 12 months.

One such trend is that most recent malware attacks came from within the same region as the victim, a marked difference from previous years, according to Netskope, which believes this is a strategic tactic used by attackers to avoid geofencing filters and other prevention measures.

This is especially true for North America, where 84 percent of all malware downloads by victims in this region during the past year could be traced to websites hosted within the North American region itself.

Netskope is a provider of a Cloud Access Security Broker (CASB), a tool that sits between organizations and cloud services to enforce security policies.

A rise in the use of search engines to deliver malware seen by Netskope over the past year demonstrates how adept attackers have become at SEO, the firm said. Malware downloads referred via search engines largely comprised malicious PDF files, with other techniques included fake CAPTCHAs that redirect users to phishing, spam, scam, and malware websites.

Netskope also found that Trojans account for 77 percent of all malware downloads, with attackers using social-engineering techniques to get malicious payloads past their victims and secure that initial foothold inside their systems, which may then install backdoors to their networks, steal information, or deploy ransomware.

Meanwhile, 47 percent of malware downloads originate from cloud apps, compared with 53 percent delivered from traditional websites, Netskope claims.

However, widely used cloud apps continue to be the source of many cloud malware downloads, including collaboration and webmail apps, with attackers taking advantage of the ability to send messages directly to their victims in emails, direct messages, comments and document shares.

"Malware is no longer confined to traditional risky web categories. It is now lurking everywhere, from cloud apps to search engines, leaving organizations at greater risk than ever before," Netskope Threat Research Director Ray Canzanese said in a statement.

He added that corporate security leaders need to regularly revisit their malware protection strategy and ensure all possible entry points are accounted for. In particular, steps should be taken to stop employees falling victim to the social-engineering techniques and targeted attack methods used by attackers.

Netskope said that EXE and DLL files account for nearly half of all malware downloads as malicious actors continue to see Microsoft Windows as a prime target for attacks.

However, Netskope also claimed that attacks involving malicious Microsoft Office files are on the decline and have returned to levels seen before the Emotet malware struck. This is despite recent reports that the Emotet malware has seen a strong resurgence in recent weeks.

Netskope's Cloud and Threat Report is produced by Netskope Threat Labs, and a copy can be downloaded from the company's website. ®


Other stories you might like

  • Will this be one of the world's first RISC-V laptops?
    A sneak peek at a notebook that could be revealed this year

    Pic As Apple and Qualcomm push for more Arm adoption in the notebook space, we have come across a photo of what could become one of the world's first laptops to use the open-source RISC-V instruction set architecture.

    In an interview with The Register, Calista Redmond, CEO of RISC-V International, signaled we will see a RISC-V laptop revealed sometime this year as the ISA's governing body works to garner more financial and development support from large companies.

    It turns out Philipp Tomsich, chair of RISC-V International's software committee, dangled a photo of what could likely be the laptop in question earlier this month in front of RISC-V Week attendees in Paris.

    Continue reading
  • Did ID.me hoodwink Americans with IRS facial-recognition tech, senators ask
    Biz tells us: Won't someone please think of the ... fraud we've stopped

    Democrat senators want the FTC to investigate "evidence of deceptive statements" made by ID.me regarding the facial-recognition technology it controversially built for Uncle Sam.

    ID.me made headlines this year when the IRS said US taxpayers would have to enroll in the startup's facial-recognition system to access their tax records in the future. After a public backlash, the IRS reconsidered its plans, and said taxpayers could choose non-biometric methods to verify their identity with the agency online.

    Just before the IRS controversy, ID.me said it uses one-to-one face comparisons. "Our one-to-one face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use one-to-many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users," it said in January.

    Continue reading
  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading

Biting the hand that feeds IT © 1998–2022