Some of the key takeaways from June’s Latest Intelligence, and the threat landscape in general, include the Petya threat, increases in spam and phishing, and further declines in RIG exploit kit activity.
Of course, the big malware story of June was Ransom.Petya. This worm spread through SMB shares and by using the EternalBlue and EternalRomance exploits. Initially pegged as ransomware, the threat not only encrypted files but also overwrote and encrypted the master boot record. When the computer is restarted, the user is presented with a ransom notice requesting $300 in bitcoins to decrypt and recover the files.
However, as more analysis was carried out, it became clear that it was likely a wiper instead of ransomware. It turned out that the “installation key” in the message was randomly generated. Another randomly generated Salsa20 key was used to encrypt the disk. However, there was no relation between the two keys, meaning that the disk could not be decrypted.
Figure 1. Ransom.Petya tells victims their files have been encrypted
The global spam rate increased in June, reaching 54.3 percent of email. This is the second time in the last twelve months that the spam rate has reached this height, tying the spam rate seen in November 2016.
One particularly sinister spam run that appeared during June was found spreading a new variant of the Zusy malware. This malware arrives as a PowerPoint attachment that includes a specially crafted link inside. A user doesn’t even have to click the link: simply mousing over the URL will activate the threat. Fortunately, the threat will trigger a Microsoft Office warning rather than executing the payload automatically. The threat has been seen arriving in spam emails that appear as purchase orders or order confirmations, with attachment names such as “order.ppsx,” “invoice.ppsx,” or “order&prsn.ppsx.”
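As an added defensive check (example code written for this post, not Symantec's tooling), the following Python scans a PPSX for DrawingML mouse-over hyperlink elements (a:hlinkMouseOver) and resolves each one to its link target through the slide's relationships part. The sample file it builds is constructed inline and is a minimal stand-in, not a real Zusy attachment; the target URL and slide text are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def scan_mouseover_links(ppsx_bytes: bytes) -> list:
    """Return one record per a:hlinkMouseOver element found in any slide,
    resolving its r:id through the slide's .rels part to the link target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            rels = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels in names:
                for rel in ET.fromstring(z.read(rels)).iter(f"{{{REL_NS}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target")
            for el in ET.fromstring(z.read(slide)).iter(f"{{{A_NS}}}hlinkMouseOver"):
                rid = el.get(f"{{{R_NS}}}id")
                hits.append({"slide": slide, "rId": rid, "target": targets.get(rid)})
    return hits


def build_sample_ppsx() -> bytes:
    """Constructed minimal sample: one slide whose text run carries a mouse-over
    hyperlink. Not a complete presentation, just enough for the scanner to parse."""
    slide_xml = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        f'xmlns:a="{A_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2"/></a:rPr><a:t>Open order</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/hyperlink" Target="http://example.invalid/placeholder" '
        'TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_mouseover_links(build_sample_ppsx()):
        print(f"{hit['slide']}: mouse-over link {hit['rId']} -> {hit['target']}")
```

A clean deck normally has no mouse-over hyperlinks at all, so any hit on an inbound "order" or "invoice" attachment is worth quarantining for review.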
The number of web attacks blocked per day declined for the first time in four months. However, at 1,159,000 blocked attacks a day, this rate is still well above the point where it began to climb back in February, when there were approximately 394,000 attacks per day.
The RIG toolkit was once again the most active web attack toolkit in June, though it saw a 3.6 percentage point decline. This is the third month in a row that RIG has declined and follows news of major attack campaigns, such as Pseudo-Darkleech and EITest, moving away from using RIG. In the case of the latter, the attackers behind EITest have moved on to using social engineering techniques to carry out their malicious activities. In related news, security researchers were able to shut down around 40,000 subdomains associated with RIG back in March, which has no doubt contributed to the decline in RIG activity.
The phishing rate increased for the third month in a row, up to one in 1,975 emails. This is the second-highest rate seen in the last year, only barely falling short of July 2016’s rate of one in 1,886 emails. Phishing rates also increased across most industries and organization sizes, the exception being the Public Administration sector, where the phishing rate dropped from one in 1,981 emails to one in 2,125.
Figure 2. Phishing increased for the third month in a row in June, up to one in 1,975 emails
In one particular phishing campaign in June, attackers appear to have set their sights on Android users. In this case, the URLs present in the phishing emails rely on a large number of hyphens to conceal the actual domain that the link points to. With the actual domain pushed out of the visible portion of the mobile browser’s address bar, the link appears to point to legitimate subdomains that the user is likely to be familiar with.
Two new Android malware families appeared on the threat landscape during the month of June. One of these threats, Android.WannaLocker, appears to be riding on the coattails of the WannaCry ransomware outbreak from last May. This mobile threat appears to mimic the look and feel of the infamous desktop ransomware, but will only encrypt files found in a device’s external storage.
This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.