Cybercriminals Leverage Microsoft Office Exploits, Fileless PowerShell Threats, Locky “Lukitus” Ransomware, Banking Trojans to Create Four New Malware Samples per Second in Q3 2017
NEWS HIGHLIGHTS
- McAfee Labs reports record volume of new malware, surging 10% in Q3 2017 to 57.6 million samples
- Fileless malware leveraging Microsoft PowerShell grew 119%
- Trickbot and other threats exploit known and patched Microsoft vulnerabilities
- New ransomware rises by 36%; Lukitus version of Locky ransomware emerges
- DragonFly 2.0 malware targets new industries for espionage: pharmaceutical, finance, accounting
- New mobile malware jumps 60%, with infection rates remaining highest in Asia
McAfee, one of the world’s leading cybersecurity companies,
today released its McAfee Labs Threat Report: December 2017,
examining the growth and trends of new malware, ransomware, and
other threats in Q3 2017. McAfee Labs saw malware reach an all-time
high of 57.6 million new samples—four new samples per
second—featuring developments such as new fileless malware using
malicious macros, a new version of Locky ransomware dubbed Lukitus,
and new variations of the banking Trojans Trickbot and Emotet.
Threats attempting to exploit Microsoft technology vulnerabilities
were very prominent despite the fact that the platform vendor
addressed these issues with patches as early as the first quarter
of 2017.
“The third quarter revealed that attackers’ threat designs
continue to benefit from the dynamic, benign capabilities of
platform technologies like PowerShell, a reliable recklessness on
the part of individual phishing victims, and what seems to be an
equally reliable failure of organizations to patch known
vulnerabilities with available security updates,” said Raj Samani,
McAfee’s Chief Scientist. “Although attackers will always seek ways
to use newly developed innovations and established platforms
against us, our industry perhaps faces a greater challenge in the
effort to influence individuals and organizations away from
becoming their own worst enemies.”
Each quarter, McAfee Labs assesses the state of the cyber threat
landscape based on threat data gathered by the McAfee Global Threat
Intelligence cloud from hundreds of millions of sensors across
multiple threat vectors around the world. McAfee Advanced Threat
Intelligence complements McAfee Labs by providing in-depth
investigative analysis of cyberattacks from around the globe.
Known Vulnerabilities Exploited
The third quarter of 2017 saw cybercriminals continue to take
advantage of Microsoft Office vulnerabilities such as
CVE-2017-0199, a flaw in both Microsoft Office and WordPad that
allows remote code execution when a user opens a specially crafted
file. To carry out this attack, many relied on a tool available via
GitHub that offered an easy route to building a backdoored document
without complex configuration.
New variations of the Trickbot banking Trojan featured code that
embedded the EternalBlue exploit, the SMBv1 attack behind the
massive WannaCry and NotPetya ransomware outbreaks in Q2, even
though Microsoft had patched the underlying flaw in MS17-010 in
March 2017. Despite Microsoft’s continued efforts to counter
EternalBlue with security patches, the new Trickbot authors still
found the proven technique effective against unpatched hosts. They
combined it with new features such as cryptocurrency theft and new
delivery methods, and these new Trickbot versions became the most
active banking Trojans in Q3.
“Once vulnerabilities are discovered and disclosed ‘into the
wild,’ or the hacker community, they present a blueprint for
malicious parties seeking to develop sophisticated threats that
exploit them,” said Steve Grobman, Chief Technology Officer at
McAfee. “The year 2017 will be remembered as the time when such
vulnerabilities were exploited to orchestrate large-scale cyber
events, including the WannaCry and NotPetya ransomware outbreaks,
and high-profile breaches such as at Equifax. Only by investing
more in the discovery and remediation of cyber vulnerabilities can
technology vendors, governments, and business enterprises hope to
gain a step on the cybercriminals working furiously to uncover and
take advantage of them.”
Fileless Threats
Fileless threats continued to be a growing concern in Q3, with
PowerShell malware growing by 119%. Very prominent in this category
was the Emotet banking Trojan, which spread around the world
through large spamming campaigns that lured users into opening
malicious Microsoft Word documents. The embedded macro launches
PowerShell, which downloads and installs the malware on the
victim’s system without an executable ever being written to disk
in the initial stage.
“Although many cyberattacks continue to rely on the exploitation
of basic security vulnerabilities, exposures, and user behaviors,
fileless threats leverage the utility of our own system
capabilities,” said Vincent Weafer, Vice President for McAfee Labs.
“By leveraging trusted applications or gaining access to native
system operating tools such as PowerShell or JavaScript, attackers
have made the development leap forward to take control of computers
without downloading any executable files, at least in the initial
stages of the attack.”
Lukitus Ransomware
One of the key developments in the ransomware space was the
emergence of Lukitus, a new version of Locky ransomware. The
ransomware was distributed by more than 23 million spam emails
within the first 24 hours of the attack. Overall in the category,
new ransomware samples increased by 36%. The number of total
ransomware samples has grown 44% in the past four quarters to 12.3
million samples.
DragonFly: New Industries, New Objectives
The McAfee Advanced Threat Research team found that DragonFly
2.0, the malware discovered earlier in 2017 in the energy sector,
has targeted organizations beyond original discoveries, including
the pharmaceutical, financial services, and accounting industries.
These attacks were initiated through spear-phishing emails, luring
recipients to click on links that download the Trojan and provide
attackers with network access.
“The actors involved in the DragonFly 2.0 attacks have a
reputation for initiating attacks for the purpose of conducting
reconnaissance on the inner workings of targeted sectors—with
energy and pharmaceutical confirmed as top priorities,” said
Christiaan Beek, McAfee Lead Scientist and Principal Engineer. “The
intellectual property and insider insights they obtain upon gaining
access to targeted sectors are of tremendous economic value.”
Q3 2017 Threat Activity
Security incidents. McAfee Labs counted 263 publicly
disclosed security incidents in Q3, a decrease of 15% from Q2. More
than 60% of all publicly disclosed security incidents in Q3 took
place in the Americas.
Vertical industry targets. The health and public sectors
accounted for more than 40% of total incidents in Q3.
- North America. Health sector attacks continued to lead vertical sectors in Q3 security incidents.
- Asia. Public sector, followed by technology and individual attacks, led reported Q3 incidents.
- Europe, Oceania and Africa. Public sector attacks led reported Q3 incidents.
Attack vectors. Account hijacking led disclosed attack
vectors, followed by leaks, malware, DDoS, and targeted
attacks.
Mobile malware. Total mobile malware continued to grow,
reaching 21.1 million samples. New mobile malware increased by 60%
from Q2, largely due to a rapid increase in Android screen-locking
ransomware.
Malware overall. New malware samples increased in Q3 to
57.6 million, a 10% increase. The total number of malware samples
grew 27% in the past four quarters to almost 781 million
samples.
Fileless malware. While JavaScript malware growth slowed
by 26% in Q3, PowerShell malware more than doubled, growing 119%.
Ransomware. New ransomware samples rose by 36% in Q3. The
total number of ransomware samples grew 14% in the last quarter
to 12.2 million samples.
Mac malware. Mac OS malware samples increased by 7% in
Q3.
Macro malware. Total macro malware continued to grow,
increasing by 8% in Q3.
Spam campaigns. The Gamut botnet remains the most
prevalent spamming botnet during Q3, with the Necurs botnet a close
second. Necurs proliferated several Ykcol (Locky) ransomware
campaigns throughout the quarter with themes such as “Status
Invoice,” “Your Payment,” and “Emailing: [Random Numbers] JPG.”
For more information on these threat trends and statistics,
please visit:
- McAfee Labs Threats Report: December 2017
- Summary: McAfee Labs Threats Report Notes All-Time Highs for Malware
- DragonFly targets new industries: BioPharma, finance, accounting
- Looking into the World of Ransomware Actors Reveals Some Surprises
About McAfee Labs
McAfee Labs is one of the world’s leading sources for threat
research, threat intelligence, and cybersecurity thought
leadership. With data from hundreds of millions of sensors across
key threats vectors—file, web, and network—McAfee Labs delivers
real-time threat intelligence, critical analysis, and expert
thinking to improve protection and reduce risks. McAfee Labs also
develops core threat detection technologies that are incorporated
into the broadest security product portfolio in the industry.
About McAfee
McAfee is one of the world’s leading independent cybersecurity
companies. Inspired by the power of working together, McAfee
creates business and consumer solutions that make the world a safer
place.
McAfee technologies’ features and benefits depend on system
configuration and may require enabled hardware, software, or
service activation. No computer system can be absolutely
secure.
View source version on businesswire.com: http://www.businesswire.com/news/home/20171217005042/en/
Contacts:
McAfee
Taylor Dunton
taylor_dunton@mcafee.com
or
Zeno Group
Gabby Curtis
gabby.curtis@zenogroup.com