Starting with January 2023, Netskope Threat Labs will publish a monthly summary blog post of the top threats we are tracking on the Netskope Security Cloud platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 54% of all malware downloads in January originating from 142 cloud apps.
- ZIP files are gaining popularity among attackers who use the archive format to try to evade defenses and avoid suspicion. 21% of all malware downloads in January were ZIP files.
- Trojans continue to represent the majority of malware downloads, used to deliver payloads such as the infostealer AgentTesla and the ransomware Vice Society.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In January 2023, 54% of all HTTP/HTTPS malware downloads originated from popular cloud apps, increasing for the third consecutive month and reaching the highest levels in the past six months.
The increase in cloud malware downloads is driven partially by an increase in the number of distinct cloud apps from which malware are being downloaded. In January 2023, Netskope detected malware downloads from 142 cloud apps.
Attackers enjoy the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. The other top apps for malware downloads include free web hosting services (Weebly), cloud storage apps (Amazon S3, Dropbox, Google Drive), collaboration apps (Sharepoint), webmail apps (Google Gmail, Outlook.com), and free software hosting sites (GitHub, SourceForge).
At 78% of cloud malware downloads, the top eight apps accounted for more malware downloads in January than they had anytime in the previous six months. A relative increase in malware downloads from Amazon S3 propelled it into the top five for only the second time in the past six months, while the remaining top apps remained relatively unchanged. The top ten list is a reflection of attacker tactics, user behavior, and company policy.
Top Malware File Types
By file type, Microsoft Windows Portable Executable files (EXE/DLL) accounted for the plurality of malware downloads in January, as they have for at least the past six months. Delivering malware in archive files, particularly ZIP files, has been gradually increasing and hit a six-month high in January at 21%, as attackers attempt to evade detection by hiding malware in ZIP files. PDF files have been exhibiting the opposite trend, gradually decreasing and hitting a six-month low in January. The popularity of other file types remains largely unchanged, as attackers continue to use a wide variety of file types to target their victims.
Top Malware Families
Attackers are constantly creating new malware families and new variants of existing families, either as an attempt to bypass security solutions or to update their malware’s capabilities. In January 2023, 58% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 42% were samples that had been observed during the preceding six months and are still circulating in the wild.
By volume, Netskope blocks more Trojans than any other malware type. Trojans are commonly used by attackers to gain an initial foothold and to deliver other types of malware, such as infostealers, remote access trojans, backdoors, and ransomware. Other top malware types include phishing lures (typically PDF files designed to lure victims into phishing scams), viruses that can self-propagate, downloaders that deliver additional payloads, and infostealers whose primary purpose is stealing information (especially passwords, tokens, and cookies).
The following list contains the top malware and ransomware families blocked by Netskope in January 2023:
- Backdoor.Zusy (a.k.a. TinyBanker) is a banking trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites. Details
- Downloader.Guloader is a small downloader known for delivering RAT and infostealers, such as AgentTesla, Formbook, and Remcos. Details
- Infostealer.AgentTesla is a .NET-based Remote Access Trojan with many capabilities, such as stealing browser’s passwords, capturing keystrokes, clipboard, etc. Details
- Infostealer.ClipBanker is an infostealer that steals banking information among other data and is typically spread via emails and social media Details
- Infostealer.Fareit (a.k.a Siplog, Pony) is both an infostealer and botnet, stealing credentials from VPNs, browsers, and more. Details
- Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
- RAT.Remcos is a remote access trojan that provides an extensive list of features to remotely control devices, and it’s popularly abused by many attackers. Details
- Ransomware.Crysis (a.k.a Arena, Dharma, Wadhrama, ncov) is a ransomware variant typically installed by attackers who gain initial access via RDP. Details
- Ransomware.ViceSociety is a ra