HP Discovers Creative Threat Actor Building Block Attacks

News Desk

HP Inc. has released its quarterly HP Wolf Security Threat Insights Report, shedding light on the novel tactics used by threat actors who are orchestrating complex sequences of attacks resembling building blocks, allowing them to evade traditional detection mechanisms.

Benefiting from its expertise in identifying threats that manage to elude PC detection tools, HP Wolf Security offers a comprehensive view of the ever-evolving cybercrime landscape. Remarkably, HP Wolf Security’s clientele has interacted with over 30 billion email attachments, web pages, and downloaded files, all resulting in zero reported breaches.

Based on the analysis of vast endpoint data from systems secured by HP Wolf Security, researchers have uncovered the following trends:

– Playful Adaptations of Cyber Attacks: Cybercriminals are engaging in a “playtime” of sorts, employing building block style attacks. These attack chains often follow predictable patterns leading to the payload. However, imaginative campaigns utilizing the QakBot malware have demonstrated threat actors’ ability to assemble distinct blocks into unique infection chains. By altering file types and tactics, these actors have successfully evaded detection, with HP identifying 32% of QakBot infection chains in Q2 as entirely unique.

– Camouflaging Blogging and Keylogging: Recent Aggah campaigns have concealed malicious code within a widely used blogging platform, Blogspot. By integrating this code within a legitimate source, attackers have effectively blurred the lines between innocent browsing and malicious activity. These threat actors then leverage their knowledge of Windows systems to neutralize certain anti-malware features, enabling the execution of XWorm or the AgentTesla Remote Access Trojan (RAT), leading to data theft.

– Unconventional Protocol Manipulation: HP’s research has identified additional Aggah attacks that retrieve their next stage through DNS TXT record queries, a record type normally used to publish short text entries about a domain. This atypical approach is hard to detect because security teams rarely monitor or filter DNS traffic, giving threat actors a stealthy avenue for deploying the AgentTesla RAT.
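The DNS TXT retrieval described above is only stealthy while nobody inspects TXT answers. As an added example that is not from HP’s report or tooling, the Python below runs two defensive checks over a constructed resolver log: a single TXT answer that looks like an encoded blob, and one client pulling several distinct TXT names in quick succession (chunked delivery). The log format, field order and thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log in an assumed "ts client qname qtype answer" format;
# the long base64-alphabet TXT bodies stand in for a payload fetched in chunks.
SAMPLE_LOG = """\
1690000001 10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all
1690000002 10.0.0.5 example.com TXT google-site-verification=abc123def456
1690000003 10.0.0.9 c1.stage.example TXT UmVkT3JhbmdlWWVsbG93R3JlZW5CbHVlSW5kaWdvVmlvbGV0MTIzNDU2Nzg5MEFiQ2RFZkdoSWpLbE1uT3BRclN0VXY=
1690000004 10.0.0.9 c2.stage.example TXT Zm9vYmFyYmF6cXV4cXV1eGNvcmdlZ3JhdWx0Z2FycGx5d2FsZG9mcmVkcGx1Z2h4eXp6eXRodWRncmF1bHQ0NTY3ODkw
1690000005 10.0.0.9 c3.stage.example TXT QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo9PQ==
1690000006 10.0.0.7 example.com A 93.184.216.34
"""
B64_ONLY = re.compile(r"^[A-Za-z0-9+/=]+$")

def shannon_entropy(s):
    """Bits per character; encoded blobs score high, SPF-style text scores low."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_encoded(answer, min_len=64, min_entropy=3.0):
    """A TXT body that is long, base64-alphabet only and high-entropy is suspect."""
    return (len(answer) >= min_len and B64_ONLY.match(answer) is not None
            and shannon_entropy(answer) >= min_entropy)

def parse_log(text):
    """Split each line into fields; maxsplit keeps spaces inside the TXT answer."""
    recs = []
    for line in text.splitlines():
        ts, client, qname, qtype, answer = line.split(" ", 4)
        recs.append({"ts": int(ts), "client": client, "qname": qname,
                     "qtype": qtype, "answer": answer})
    return recs

def flag_txt_abuse(records, burst=3, window=60):
    """Sorted (client, qname, reason) alerts: an answer that looks like an encoded
    blob, or a client resolving `burst` distinct TXT names within `window` seconds."""
    alerts, by_client = set(), defaultdict(list)
    for r in (x for x in records if x["qtype"] == "TXT"):
        by_client[r["client"]].append(r)
        if looks_encoded(r["answer"]):
            alerts.add((r["client"], r["qname"], "encoded-txt-body"))
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r["ts"])
        for i in range(len(rs) - burst + 1):
            win = rs[i:i + burst]
            if (win[-1]["ts"] - win[0]["ts"] <= window
                    and len({r["qname"] for r in win}) == burst):
                alerts.update((client, r["qname"], "txt-burst") for r in win)
    return sorted(alerts)
```

Legitimate SPF and site-verification records pass both checks, so the alert list contains only the three chunked lookups from the single busy client.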

– Multilingual Malware Tactics: A recent campaign has used multiple programming languages to bypass detection. Initially, the payload is encrypted by a crypter written in Go, so conventional anti-malware scans see no recognizable payload. The attack then shifts to C++ to interface with the victim’s operating system, allowing the .NET malware to operate in memory and leave minimal traces on the PC.

Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security’s threat research team, underscores the evolving sophistication of attackers. He notes, “Today’s attackers are becoming better organized and more knowledgeable. They research and analyze operating system internals, making it much easier for them to exploit the gaps. By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm.”

The report delves into the diversification of attack methods among cybercriminal groups, all aimed at outsmarting security protocols and detection tools. Key insights include:

– Archives Remain Preferred Malware Delivery: Archives continued to be the favored medium for malware delivery, accounting for 44% of cases studied by HP.

– Surge in Halted HTML Threats: HP Wolf Security successfully thwarted 23% more HTML threats in Q2 compared to Q1.

– Rise in Executables: The usage of executables rose by 4 percentage points, from 14% in Q1 to 18% in Q2. This increase was primarily driven by the PDFpower.exe file, which was bundled with browser hijacking malware.

– Decline in Spreadsheet Malware: Spreadsheet malware fell by 6 percentage points, from 19% in Q1 to 13% in Q2. This trend reflects cybercriminals moving away from Office formats, which have become less conducive to running macros.

– Email Gateway Bypass: HP Sure Click identified that at least 12% of email threats circumvented one or more email gateway scanners in Q2.

– Dominant Threat Vectors: The primary threat vectors in Q2 were email (79%) and browser downloads (12%).

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasizes that while infection chains may vary, the common denominator remains user interaction. Rather than attempting to predict the intricacies of the infection chain, Dr. Pratt advocates for organizations to concentrate on isolating and containing risky activities like opening email attachments, clicking on links, and initiating browser downloads.

HP Wolf Security deploys isolated, hardware-enforced virtual machines on endpoints to carry out potentially hazardous tasks, ensuring user protection without compromising productivity. The technology also captures detailed traces of attempted infections. HP’s application isolation technology proves effective against threats that bypass other security measures, offering unparalleled insights into emerging intrusion tactics and threat actor behaviors.
