Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 57% of all malware downloads in July originating from 167 cloud apps.
- Although Microsoft OneDrive remains the top app in terms of the number of malware downloads, the percentage of malware downloads from OneDrive continued to fall for the fourth consecutive month.
- RaspberryRobin, an evasive Trojan used to deliver a variety of malware payloads, and Phobos, a ransomware family that targets small- and medium-sized businesses, made the top ten list for the first time in July.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In July 2023, 57% of all HTTP/HTTPS malware downloads originated from popular cloud apps. For each of the past six months, at least half of all malware downloads have originated from cloud apps.
At the same time, the total number of cloud apps from which malware downloads originated increased to 167, indicating that attackers continue to reach their victims on an increasingly diverse set of cloud apps.
Attackers achieve the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. Although the percentage of cloud downloads from OneDrive has fallen for the fourth consecutive month, it still remains in first place. Squarespace, a free web hosting service, is in the second place spot for a third consecutive month as a variety of different malware families continue to be hosted on Squarespace sites. Other top apps for malware downloads include free web hosting services (Weebly), free software hosting sites (GitHub), collaboration apps (SharePoint), cloud storage apps (Azure Blob Storage, Google Drive, Amazon S3), and webmail apps (Outlook.com). DocPlayer, a free document sharing app, made the top ten for the fourth consecutive month as malicious PDF files have increased in popularity. In total, the top ten accounted for two-thirds of all cloud malware downloads, with the remaining one-third spread over 157 other cloud apps. The top ten list is a reflection of attacker tactics, user behavior, and company policy.
Top Malware File Types
By file type, Microsoft Windows Portable Executable files (EXE/DLL) were knocked out of the top spot for the first time in five months, falling to the third spot, behind PDF files and ZIP archive files. Malicious PDF files have been gaining popularity over the past six months as attackers use them in a variety of ways, including as phishing bait and as tools to trick users into downloading Trojans. ZIP archives are commonly used to hide Trojans alongside benign content, in an attempt to avoid detection. The remaining file types are mostly unchanged from last month.
Top Malware Families
Attackers are constantly creating new malware families and new variants of existing families, either as an attempt to bypass security solutions or to update their malware’s capabilities. In July 2023, 71% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 29% were samples that had been previously observed during the preceding six months and are still ci