Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 51% of all malware downloads in July originating from 155 cloud apps.
- Microsoft Live Outlook users were targeted with a widespread phishing campaign containing a PDF attachment that urged victims to update their Amazon billing details.
- The RagnarLocker and Rhysidia ransomware were among the top malware families detected on the Netskope platform in August.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In August 2023, 51% of all HTTP/HTTPS malware downloads originated from popular cloud apps, decreasing from July but still above its six month low of 49%.
The total number of cloud apps from which malware downloads originated also fell slightly, with malware downloads originating from 155 distinct cloud apps.
Attackers achieve the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. For four straight months, the percentage of cloud malware downloads originating from Microsoft OneDrive had fallen, but appears to have stabilized at 23% in August. Malware downloads from Microsoft Live Outlook increased significantly in August, propelling it into the second place spot for the first time. Otherwise, the top ten apps remained largely unchanged and included free software hosting sites (GitHub), collaboration apps (SharePoint), free web hosting services (Weebly), cloud storage apps (Azure Blob Storage, Google Drive, Amazon S3), webmail apps (Outlook.com), and document sharing apps (DocPlayer). In total, the top ten accounted for two-thirds of all cloud malware downloads, with the remaining one-third spread over 145 other cloud apps. The top ten list is a reflection of attacker tactics, user behavior, and company policy.
The Rise of Microsoft Live Outlook
The sudden increase in malware downloads from Microsoft Live Outlook in August was caused primarily by a phishing campaign that began mid-month and continued through the end of the month. The attacker sent emails with a single-page PDF attachment that urged victims to re-enter their Amazon billing information. The attacker used a common social engineering technique, creating a false sense of urgency, by claiming the account was on hold and violating Amazon’s ToS. The attacker specifically targeted personal Microsoft Live Outlook accounts (not organizational Outlook.com email accounts). The effect of this widespread campaign is also visible in the next section as a rise in the number of malicious PDFs detected on the Netskope platform. The following is a screenshot of the PDF.
Top Malware File Types
Malicious PDF files continued to rise for the fourth consecutive month, claiming the top spot for the second consecutive month. This month’s increase was caused largely by the aforementioned phishing campaign targeting Microsoft Live Outlook users. Malicious EXE files edged out ZIP files for the second spot, while the rest of the top malicious file types remained largely unchanged from last month.
Top Malware Families
Attackers are constantly creating new malware families and new variants of existing families, either as an attempt to bypass security solutions or to update their malware’s capabilities. In August 2023, 70% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 30% were samples that had been previously observed during the preceding six months and are still circulating in the wild.
By volume, Netskope blocks more Trojans than any other malware type. Trojans are commonly used by attackers to gain an initial foothold and to deliver other types of malware, such as infostealers, Remote Access Trojans (RATs), backdoors, and ransomware. Remaining in second place, but rising in popularity, were malware samples related to phishing campaigns, specifically caused by the aforementioned PDF files sent to Microsoft Live Outlook customers.
The following list contains the top malware and ransomware families blocked by Netskope in August 2023:
- Adware.Bundlore (a.k.a. SurfBuyer) is an OSX adware installer that has circulated in many forms including Flash player installers, hidden scripts, and browser plugins. Details
- Adware.Pirrit is an adware installer for OSX that has been around since 2016 that continues to circulate. Details
- Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites. Details
- Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
- Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office Documents that contain embedded malicious VBScripts usually to deliver other malicious payloads. Details
- Trojan.RaspberryRobin is widely used to spread other malware families, including IcedID and Clop, and has been spread in 7z, LNK, MSI, and other formats. Details
- Trojan.Razy is a Trojan typically distributed via malicious ads disguised as legitimate software, often used to steal cryptocurrency data. Details
- Trojan.Ursnif (a.k.a. Gozi) is a banking Trojan and backdoor, which had its source code leaked on GitHub in 2005, allowing attackers to create and distribute many variants. Details
- Ransomware.RagnarLocker is a RaaS (ransomware-as-a-service) group active since 2020 with different targets around the world, including companies from critical sectors. Details
- Ransomware.Rhysida first emerged in May 2023 and is a group that positions themselves as helping their targets by highlighting security issues, but still demands ransom payment. Details
Attackers have always sought to evade detection and avoid suspicion in delivering malware. Two strategies that attackers have been using increasingly in the past six months are to deliver malware by abusing cloud apps and to package malware in PDF files. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:
- Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
- Ensure that your security controls recursively inspect the content of popular archive files such as ZIP files for malicious content. Netskope Advanced Threat Protection recursively inspects the content of archives, including ISO, TAR, RAR, 7Z, and ZIP.
- Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
- Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
- Block downloads of all risky file types from newly registered domains and newly observed domains.
In addition to the recommendations above, Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites that fall in categories that present higher risk, like Newly Observed and Newly Registered Domains.
About This Report
Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting February 1, 2022 through August 31, 2023. Stats are reflection of attacker tactics, user behavior, and organization policy.
Interested in hearing more about cyber attack trends in 2023? Join us for the fourth annual SASE Week (September 26 – 28) where multiple sessions will dive into cyber attack trends from throughout the years, what you need to know, and what you need to do next. Register here.