Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 62% of all malware downloads in April originating from 150 cloud apps.
- While malicious PE (EXE/DLL) files, archives (ZIP, 7Z, GZ), and plain text files (PS, LNK) continue to dominate malware downloads, DMG files are on the rise as attackers target Mac OSX users.
- Trojans continue to represent the majority of malware downloads, used to deliver payloads such as the infostealers RecordBreaker and AgentTesla, and the Stop and Royal ransomware.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In April 2023, 62% of all HTTP/HTTPS malware downloads originated from popular cloud apps, matching the all-time high we saw in February.
At the same time, the number of distinct cloud apps from which users attempted to download malware decreased slightly from its February high, from 156 to 150.
Attackers achieve the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. In April, it fell 10 points from the six-month high it hit in March. The other top apps for malware downloads include collaboration apps (Sharepoint), free software hosting sites (GitHub), free web hosting services (Weebly), and cloud storage apps (Azure Blob Storage, Google Drive, Box, Amazon S3). DocPlayer, a free document sharing app, re-entered the top ten in April after a brief hiatus. Meanwhile, webmail apps remained in the top ten, with Google Gmail edging out Outlook.com. The top ten list is a reflection of attacker tactics, user behavior, and company policy.
Top Malware File Types
By file type, Microsoft Windows Portable Executable files (EXE/DLL) accounted for the plurality of malware downloads in April, as they have for at least the past six months. Zip Archives, which had been steadily growing in popularity, saw a second consecutive decrease in April, but still remained in the second spot. Other archive formats RAR, GZip and 7 Zip stayed relatively constant, as did PDF files and text files, like PowerShell scripts and LNK files. Mac DMG files appeared in the top list for a second consecutive month as attacker activity targeting Mac OSX users remains constant.
Top Malware Families
Attackers are constantly creating new malware families and new variants of existing families, either as an attempt to bypass security solutions or to update their malware’s capabilities. In April 2023, 63% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 37% were samples that had been previously observed during the preceding six months and are still circulating in the wild.
By volume, Netskope blocks more Trojans than any other malware type. Trojans are commonly used by attackers to gain an initial foothold and to deliver other types of malware, such as infostealers, Remote Access Trojans (RATs), backdoors, and ransomware. Other top malware types include phishing lures (typically PDF files designed to lure