HP has released its quarterly HP Wolf Security Threat Insights Report, which shows how threat actors are connecting different types of attacks to evade detection tools.
By isolating threats that have escaped detection tools on computers, HP Wolf Security has specific insight into the latest techniques cybercriminals are using in the rapidly changing cybercrime landscape. To date, HP Wolf Security customers have clicked on over 30 billion email attachments, web pages, and downloaded files with no reported breaches.
Based on data from millions of endpoints running HP Wolf Security, researchers found:
- It's game time for cybercriminals who engineer attacks: Attack chains are often standardized, with established paths to the payload. However, creative QakBot campaigns have seen threat actors link different building blocks together to create unique infection chains. By varying file types and techniques, they were able to bypass detection tools and security policies. 32% of QakBot infection chains analyzed by HP in the second quarter were unique.
- Spot the difference – blogger or keylogger: The attackers behind the recent Aggah campaigns hosted malicious code on Blogspot, the popular blogging platform. Hiding the code on a legitimate site makes it difficult for defenders to tell whether a user is reading a blog or launching an attack. The threat actors then use their knowledge of Windows to disable certain anti-malware features on users' PCs, run the XWorm or AgentTesla Remote Access Trojan (RAT), and steal sensitive information.
- Going against protocol: HP has additionally identified Aggah attacks that use a DNS TXT record query – a record type normally used to publish short text information about a domain – to deliver the AgentTesla RAT. Threat actors know that DNS traffic is often not monitored or protected by security teams, making this attack extremely difficult to detect.
- Multilingual malware: A recent campaign uses multiple programming languages to avoid detection. First, it encrypts its payload using a cipher written in Go, defeating the anti-malware scanning features that would normally detect it. The attack then switches to C++ to interact with the victim's operating system and execute the .NET malware in memory – leaving minimal traces on the computer.
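The "Going against protocol" finding above notes that DNS is often left unmonitored. The following is an added example from the editor, not code from HP or the report, showing one defender-side check: scanning resolver logs for TXT answers that look like an encoded payload rather than the short SPF/DMARC-style records TXT normally carries. The log format (timestamp, client, query type, name, answer) is an assumed simplification, the sample lines and the placeholder `.invalid` domain are constructed, and the thresholds (200 characters, 4.5 bits of entropy) are illustrative starting points rather than values from the report. The check generalizes beyond the single campaign described: any long, base64-shaped, high-entropy TXT answer is flagged.

```python
import base64
import math
import re
from dataclasses import dataclass
from typing import Optional

# Base64 alphabet plus padding; TXT answers carrying a staged payload are
# commonly encoded this way so they survive as printable text.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

# Well-known prefixes of legitimate, structured TXT records (assumption:
# extend this allow-list with the records your own zones publish).
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1",
                   "google-site-verification=", "MS=")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; ~6.0 for uniform base64 data."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class TxtFinding:
    client: str
    qname: str
    length: int
    entropy: float


def parse_line(line: str) -> Optional[dict]:
    """Split one assumed-format log line: 'ts client qtype qname answer...'.
    The answer may itself contain spaces, so split at most four times."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    ts, client, qtype, qname, answer = parts
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname, "answer": answer}


def looks_like_payload(answer: str, min_len: int = 200,
                       min_entropy: float = 4.5) -> Optional[float]:
    """Return the entropy if the TXT answer resembles an encoded blob,
    otherwise None. Known record formats are allow-listed first."""
    if answer.startswith(BENIGN_PREFIXES):
        return None
    # Long TXT records are often returned as several quoted chunks.
    compact = answer.replace('"', "").replace(" ", "")
    if len(compact) < min_len:
        return None
    if not BASE64_RE.match(compact):
        return None
    ent = shannon_entropy(compact)
    return ent if ent >= min_entropy else None


def scan(log_text: str) -> list:
    """Run the check over every TXT record in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        ent = looks_like_payload(rec["answer"])
        if ent is not None:
            findings.append(TxtFinding(rec["client"], rec["qname"],
                                       len(rec["answer"]), round(ent, 2)))
    return findings


# Constructed sample data: a benign A lookup, legitimate SPF and DMARC TXT
# records, and one TXT answer filled with an encoded blob built from the
# byte values 0..255 (no real payload).
CONSTRUCTED_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_LOG = "\n".join([
    "2023-06-01T10:00:01Z 10.1.2.3 A www.example.com 93.184.216.34",
    "2023-06-01T10:00:02Z 10.1.2.3 TXT example.com v=spf1 include:_spf.example.com -all",
    "2023-06-01T10:00:03Z 10.1.2.3 TXT _dmarc.example.com v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    f"2023-06-01T10:00:04Z 10.1.2.9 TXT stage.placeholder.invalid {CONSTRUCTED_BLOB}",
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"suspicious TXT answer: client={f.client} name={f.qname} "
              f"len={f.length} entropy={f.entropy}")
```

In practice this single-answer check is combined with volume-based signals (many TXT lookups from one client to one domain in a short window) and with egress filtering that forces endpoints to use the organization's own resolvers, so that DNS traffic actually reaches the logs being scanned.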
Patrick Schläpfer, Senior Malware Analyst in HP Wolf Security's threat research team, comments:
“Today's attackers are becoming better organized and more informed. They research and analyze the internals of the operating system, which makes it very easy for them to exploit vulnerabilities. By knowing which doors to open, they can navigate the internal systems with ease, using relatively simple techniques in very effective ways – without raising the alarm.”
The report details how cybercriminal groups are diversifying their attack methods to bypass security policies and detection tools. Key findings include:
- Files were the most popular type of malware delivery for the fifth consecutive quarter, used in 44% of cases analyzed by HP.
- The second quarter saw a 23% increase in HTML threats stopped by HP Wolf Security compared to the first quarter.
- There was a 4% increase in executable files (from 14% to 18%) from the first to the second quarter, mainly driven by the PDFpower.exe file, which bundled legitimate software with browser-hijacking malware.
- HP saw a 6% decrease in spreadsheet malware (from 19% to 13%) in the first quarter compared to the fourth quarter, as attackers move away from Office formats in which macros are harder to run.
- At least 12% of email threats detected by HP Sure Click bypassed one or more email gateway scanners in the second quarter.
- The top threat vectors in the second quarter were email (79%) and browser downloads (12%).
Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc., comments:
“While infection chains may vary, the initiation methods remain the same—they inevitably result in the user clicking on something. Instead of trying to guess the chain of infection, organizations should isolate and limit risky activities such as opening email attachments, clicking links and browser downloads.”
HP Wolf Security runs risky tasks in isolated, hardware-enforced virtual machines on the endpoint to protect users without affecting their productivity. It also records detailed traces of infection attempts. HP's application isolation technology mitigates threats that escape other security tools and provides unique insight into new attack techniques and threat actor behavior.