close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Netskope Threat Labs Stats for February 2024

                                      Mar 25 2024

                                      Netskope Threat Labs publishes a monthly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.

                                      Summary

                                      • OneDrive and GitHub were on the top of the list of top cloud apps used for malware downloads, showing a very strong preference from adversaries and the return of GitHub to the top three.
                                      • Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware. In February, 49% of all malware downloads originated from a record-setting 215 distinct cloud apps.
                                      • The top malware families active in February included the banking trojan Grandoreiro, the RAT AdWind, and the ransomware Lockbit.

                                      Cloud Malware Delivery

                                      Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic. In February 2024, 49% of all HTTP/HTTPS malware downloads originated from popular cloud apps. The percentage of downloads from popular cloud apps has hovered around 50% for the past six months.

                                      The number of apps from which Netskope detected malware downloads increased significantly to a new high of 215 apps.

                                      Attackers achieve the most success in reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has again held the top spot for the most cloud malware downloads, which it has held for more than six months. 

                                      Generally, the top 10 apps remained largely unchanged compared to the apps used in the last six months of 2023. GitHub, while consistently appearing in the top 10, returned to the top three for the first time since November. Post-exploitation tools such as SharpRound, PEASS, Mimikatz, and Lazagne are frequently downloaded directly from GitHub. Attackers use various techniques to download malware from GitHub, including making GET requests for the raw files and using the GitHub API.

                                      The top 10 list reflects attacker tactics, user behavior, and company policy.

                                      Top Malware Families

                                      Attackers constantly create new malware families and variants of existing families to bypass security solutions or update their malware’s capabilities. In February 2024, 62% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 38% were samples previously observed during the preceding six months and are still circulating in the wild.

                                      The following list contains the top malware and ransomware families blocked by Netskope in February 2024:

                                      • Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on Zeus’s source code, aiming to steal personal information via code injection into websites. Details
                                      • Downloader.BanLoad is a Java-based downloader widely used to deliver a variety of malware payloads, especially banking Trojans. Details
                                      • Infostealer.Lazagne is a password recovery tool that can be used as a hacking tool to steal passwords from infected devices. Details
                                      • Infostealer.RedLine is designed to steal data such as credit card numbers, passwords, VPN and FTP credentials, gaming accounts, and even data from crypto wallets. Details
                                      • Phishing.PhishingX is a malicious PDF file used in a phishing campaign to redirect victims to a phishing page.
                                      • Ransomware.LockBit 3.0 (a.k.a. Black) is the latest version of the LockBit ransomware, which emerged in September 2019, becoming one of the most relevant RaaS groups in the world. Details
                                      • RAT.AdWind is a RAT that can perform actions such as logging keystrokes, collecting sensitive information, downloading and running other payloads, and more. Details
                                      • Trojan.Razy is a Trojan typically distributed via malicious ads disguised as legitimate software, often used to steal cryptocurrency data. Details
                                      • Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office Documents that contain embedded malicious VBScripts, usually to deliver other malicious payloads. Details
                                      • Trojan.Grandoreiro is a LATAM banking trojan with the goal of stealing sensitive banking information, commonly targeting Brazil, Mexico, Spain, and Peru. Details

                                      Recommendations

                                      Attackers have always sought to evade detection and avoid suspicion in delivering malware. Attackers have been increasingly using two strategies in the past six months: delivering malware by abusing cloud apps and packaging malware in PDF files. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:

                                      • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
                                      • Ensure that your security controls recursively inspect the content of popular archive files, such as ZIP files, for malicious content. Netskope Advanced Threat Protection recursively inspects the contents of archives, including ISO, TAR, RAR, 7Z, and ZIP.
                                      • Ensure that high-risk file types like executables and archives are inspected using both static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
                                      • Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
                                      • Block downloads of all risky file types from newly registered domains and newly observed domains.

                                      In addition to the recommendations above, Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites that fall into categories that present higher risk, such as Newly Observed and Newly Registered Domains.

                                      About This Report

                                      Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each threat. Stats in this report are based on the period starting July 1, 2023 through February 29, 2024. Stats reflect attacker tactics, user behavior, and organization policy.

                                      author image
                                      Leandro Fróes
                                      Leandro Fróes is a Senior Threat Research Engineer at Netskope, where he focuses on malware research, reverse engineering, automation and product improvement.
                                      Leandro Fróes is a Senior Threat Research Engineer at Netskope, where he focuses on malware research, reverse engineering, automation and product improvement.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog