Netskope Threat Labs publishes a quarterly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- GitHub and OneDrive were on the top of the list of top cloud apps used for malware downloads. While GitHub is mostly used to download post-exploitation tools, OneDrive is used to deliver the malware itself.
- The top malware families active in the past quarter included the Infostealer AgentTesla and the Remcos RAT.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic.
Attackers achieve the most success in reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Although Microsoft OneDrive and GitHub have the same percentage points, we observe slightly different behavior in each app. While GitHub is mostly used to download post-exploitation tools (such as Mimikatz and Impacket), OneDrive is primarily used to deliver the malware payload itself (such as Bumblebee Loader).
Webflow, in fourth place, is noteworthy because in addition to malware downloads, we have also recently observed an increase in phishing pages created using the app.
The top 10 list below reflects attacker tactics, user behavior, an