Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.

Summary

• OneDrive and SharePoint were again in the top of the list of top cloud apps used for malware downloads, showing a very strong preference from adversaries.
• Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 49% of all malware downloads in January originating from 178 cloud apps.
• A wide variety of malware families were circulating in January. Malware families including the Infostealer AgentTesla, the RAT AdWind, and the ransomware Lockbit and Trigona were among top families.

Cloud Malware Delivery

Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic. In January 2024, 49% of all HTTP/HTTPS malware downloads originated from popular cloud apps. The percentage of downloads from popular cloud apps has been hovering around 50% for the past six months.

The first month of the year started with many cloud apps from which malware downloads originated, at 178.

Attackers achieve the most success reaching enterprise users when they abuse cloud apps already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has again held the top spot for the most cloud malware downloads, which it has held for more than six months. 

The top 10 apps remained largely unchanged when compared to the apps used in the last six months of 2023. The top apps of January include hosting apps like SharePoint, email services like Microsoft Live Outlook, and free software hosting sites (GitHub). The top 10 list reflects attacker tactics, user behavior, and company policy.

Top Malware Families

Attackers are constantly creating new malware families and new variants of existing families, either in an attempt to bypass security solutions or to update their malware’s capabilities. In January 2024, 57% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 43% were samples that had been previously observed during the preceding six months and are still circulating in the wild.

The following list contains the top malware and ransomware families blocked by Netskope in January 2024:

• Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites. Details
• Downloader.BanLoad is a Java-based downloader widely used to deliver a variety of malware payloads, especially banking Trojans. Details
• Infostealer.AgentTesla is a .NET-based remote access Trojan with many capabilities, such as stealing browsers’ passwords, capturing keystrokes, clipboard, etc. Details
• Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
• Ransomware.LockBit 3.0 (a.k.a. Black) is the latest version of the LockBit ransomware, which emerged in September 2019, becoming one of the most relevant RaaS groups in the world. Details
• Ransomware.Trigona is a ransomware that started its activities around 2022 and is known for attacking MSSQL servers via brute force. The malware has both a Windows and Linux version. Details
• RAT.AdWind is a RAT that can perform actions such as log keystrokes, collect sensitive information, download and run other payloads, and more. Details
• Trojan.FormBook (a.k.a. XLoader) is a malware that provides full control over infected machines, offering many functionalities such as stealing passwords and executing additional malware. Details
• Trojan.Razy is a Trojan typically distributed via malicious ads disguised as legitimate software, often used to steal cryptocurrency data. Details
• Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office Documents that contain embedded malicious VBScripts, usually to deliver other malicious payloads. Details

Recommendations

Attackers have always sought to evade detection and avoid suspicion in delivering malware. Two strategies that attackers have been using increasingly in the past six months are delivering malware by abusing cloud apps and packaging malware in PDF files. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:

• Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
• Ensure that your security controls recursively inspect the content of popular archive files, such as ZIP files, for malicious content. Netskope Advanced Threat Protection recursively inspects the contents of archives, including ISO, TAR, RAR, 7Z, and ZIP.
• Ensure that high-risk file types like executables and archives are inspected using both static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
• Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
• Block downloads of all risky file types from newly registered domains and newly observed domains.

In addition to the recommendations above, Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites that fall into categories that present higher risk, such as Newly Observed and Newly Registered Domains.

About This Report

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each threat. Stats in this report are based on the period starting June 1, 2023 through January 31, 2024. Stats reflect attacker tactics, user behavior, and organization policy.