Netskope Threat Labs publishes a monthly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- OneDrive and GitHub were on the top of the list of top cloud apps used for malware downloads, showing a very strong preference from adversaries and the return of GitHub to the top three.
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware. In February, 49% of all malware downloads originated from a record-setting 215 distinct cloud apps.
- The top malware families active in February included the banking trojan Grandoreiro, the RAT AdWind, and the ransomware Lockbit.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic. In February 2024, 49% of all HTTP/HTTPS malware downloads originated from popular cloud apps. The percentage of downloads from popular cloud apps has hovered around 50% for the past six months.
The number of apps from which Netskope detected malware downloads increased significantly to a new high of 215 apps.
Attackers achieve the most success in reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has again held the top spot for the most cloud malware downloads, which it has held for more than six months.
Generally, the top 10 apps remained largely unchanged compared to the apps used in the last six months of 2023. GitHub, while consistently appearing in the top 10, returned to the top three for the first time since November. Post-exploitation tools such as SharpRound, PEASS, Mimikatz, and Lazagne are frequently downloaded directly from GitHub. Attackers use various techniques to download malware from GitHub, including making GET requests for the raw files and using the GitHub API.
The top 10 list reflects attacker tactics, user behavior, and company policy.
Top Malware Families
Attackers constantly create new malware families and variants of existing families to bypass security solutions or update their malware’s capabilities. In February 2024, 62% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 38% were samples previously observed during the preceding six months and are still circulating in the wild.
The following list contains the top malware and ransomware families blocked by Netskope in February 2024:
- Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on Zeus’s source code, aiming to steal personal information via code injection into websites. Details
- Downloader.BanLoad is a Java-based downloader widely used to deliver a variety of malware payloads, especially banking Trojans. Details
- Infostealer.Lazagne is a password recovery tool that can be used as a hacking tool to steal passwords from infected devices. Details
- Infostealer.RedLine is designed to steal data such as credit card numbers, passwords, VPN and FTP credentials, gaming accounts, and even data from crypto wallets. Details
- Phishing.PhishingX is a malicious PDF file used in a phishing campaign to redirect victims to a phishing page.
- Ransomware.LockBit 3.0 (a.k.a. Black) is the latest version of the LockBit ransomware, which emerged in September 2019, becoming one of the most relevant RaaS groups in the world. Details
- RAT.AdWind is a RAT that can perform actions such as logging keystrokes, collecting sensitive information, downloading and running other payloads, and more.