Some of the key takeaways from October’s Latest Intelligence, and the threat landscape in general, include a sudden spike in new malware variants, spam reaching the highest rate in almost a year, an infamous DDoS botnet, and the discovery of a new Trojan used in high-level financial attacks.
The Latest Intelligence for October saw the number of new malware variants jump significantly, with 96.1 million unique variants seen.
Much of this increase can be attributed to the Kotver family of threats (Trojan.Kotver), which has seen increased growth in activity since early August. The uptick in the click-fraud malware’s activity is being helped along by JS.Nemucod, a downloader spread via malicious email attachments, which is dropping Kotver onto infected computers. Exploit kits and spam are also used to push Kotver.
Figure 1. October saw a significant increase in new malware variants
October saw the Mirai botnet (Linux.Gafgyt) achieve infamy when it used compromised Internet of Things (IoT) devices to conduct record-breaking distributed denial of service (DDoS) attacks, including one that knocked a range of well-known websites, such as Spotify, Twitter, and PayPal, offline. The botnet has carried out attacks reaching up to 1 Tbps.
Symantec discovered Trojan.Odinaff in October. Attackers with ties to the Carbanak group used the malware in a string of attacks against financial targets around the globe. Symantec also found evidence that the gang mounted attacks on SWIFT users by using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions.
The RIG exploit kit (EK) topped the charts again in October as the most active EK for the second month in a row, comprising 37.4 percent of all EK activity. Magnitude jumped from fourth to second place, up 0.6 percentage points over the previous month. Looking at these exploit kits individually, RIG saw a 69 percent increase in usage from September to October, while Magnitude saw a 45 percent increase.
Symantec blocked up to 460,000 web attacks per day in October, an increase over the previous month that is due in part to the rise in EK activity. However, other factors can also contribute. Search engines, for example, came under fire in October when a report found that the number of malicious results returned in searches continues to grow, with six times as many web page threats found in results in 2016 compared to 2013.
The recent US election fever brought an increase in election-related spam. This was reflected in the Latest Intelligence for October, with the global spam rate reaching 54.1 percent, the highest rate seen since November 2015. Law enforcement continues to tackle the issue, however: a US-based spamming gang was recently brought to justice. The gang hacked into corporate servers in order to send spam from them and to steal employee email addresses. Over 50 million email addresses were discovered in the gang’s database when the suspects were detained.
Figure 2. Global spam rate for October reaches 54.1 percent
Last month, Symantec also warned about a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments. Between October 3 and 4, Symantec blocked more than 1.3 million emails which distributed Ransom.Locky using this tactic, and another 918,000 emails on October 5. The number of emails with malicious WSF attachments being blocked by Symantec has drastically risen in the past several months, from 22,000 in June to over 2.2 million in September.
It’s not all bad news, though: the phishing rate for October decreased to one in 5,313 emails. The sector with the highest phishing rate in October was Public Administration, with one in 2,814 emails. Businesses with 1,501-2,500 employees had the highest phishing rate in October, with one in 3,037 emails.
There were no new Android malware families discovered in October, but the number of Android variants per family increased to 57. Mobile malware developers seem to be taking more time to improve existing threats rather than creating completely new ones. This can be seen with variants of Android.Lockscreen, which recently began using a simple but effective technique to raise the probability of compromising Android devices. The new variants declare their main activity as part of the launcher category to get around Android's auto-start restrictions. The main component of the threat is listed as an alternative to the default launcher app and, with a little social engineering, the threat can trick the user into launching the malware.
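The launcher trick described above leaves a visible trace in the app's manifest: an activity whose intent filter declares the android.intent.category.HOME category, which is what makes the system offer the app as an alternative home screen. The following static triage check is an added example and is not Symantec's code or anything taken from an Android.Lockscreen sample. It assumes the manifest has already been decoded from the APK's binary XML into text (for instance with apktool) and uses a constructed sample manifest with a hypothetical package name; the allowlist of known launcher packages is likewise a placeholder that a real deployment would maintain itself.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # the android:name attribute, namespaced
HOME = "android.intent.category.HOME"
LAUNCHER = "android.intent.category.LAUNCHER"
MAIN = "android.intent.action.MAIN"

# Hypothetical allowlist of packages that legitimately register a HOME activity.
KNOWN_LAUNCHERS = frozenset({"com.android.launcher3"})

# Constructed sample manifest (not from any real sample): an app that presents
# itself as a video player but registers its main activity in the HOME category,
# so the device offers it as an alternative launcher.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.lockapp">
  <application android:label="Video Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: an ordinary launcher entry point only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def find_home_activities(manifest_xml):
    """Return (package, [(activity_name, also_main_launcher), ...]).

    An activity is listed when any of its intent filters declares the HOME
    category; the flag records whether the same activity is also the app's
    MAIN/LAUNCHER entry point, the combination described for Android.Lockscreen.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    # <activity-alias> elements can carry intent filters too, so inspect both.
    for tag in ("activity", "activity-alias"):
        for activity in root.iter(tag):
            name = activity.get(NAME_ATTR, "")
            declares_home = False
            declares_main_launcher = False
            for intent_filter in activity.findall("intent-filter"):
                actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
                categories = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
                if HOME in categories:
                    declares_home = True
                if MAIN in actions and LAUNCHER in categories:
                    declares_main_launcher = True
            if declares_home:
                found.append((name, declares_main_launcher))
    return package, found


def triage_manifest(manifest_xml, known_launchers=KNOWN_LAUNCHERS):
    """Return human-readable findings; an empty list means nothing to flag."""
    package, homes = find_home_activities(manifest_xml)
    if package in known_launchers:
        return []
    findings = []
    for name, also_launcher in homes:
        note = " and is also the MAIN/LAUNCHER entry point" if also_launcher else ""
        findings.append(f"{package}: {name} registers as a HOME launcher{note}")
    return findings


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        for finding in triage_manifest(manifest):
            print(finding)
```

The check is deliberately narrow: declaring a HOME activity is legitimate for real launcher apps, so the result is a triage lead to be reviewed alongside the app's label and permissions rather than a verdict on its own. Run against an app store feed or an MDM inventory, it surfaces packages that offer themselves as a home screen while advertising an unrelated purpose.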
Manual sharing continues to dominate social media scams, though it declined 11.7 percentage points in October to 63.55 percent. In contrast, Fake Offers increased 10.9 percentage points during the month of October, up from 16.62 percent in September to 27.48 percent.
These are just a few items that stood out during the month. Be sure to check out the Latest Intelligence for more charts, tables, and analysis covering the threat landscape.