Some of the key takeaways from July’s Latest Intelligence, and the threat landscape in general, include an increase in the email malware rate, the addition of self-spreading functionality to several malware threats, and Symantec’s look at how attackers are increasingly using living off the land tactics.
Malware
The email malware rate in July increased to one in 359 emails, up from one in 451 the previous month. This marks the highest rate seen in the past seven months.
Figure 1. The email malware rate in July increased to one in 359 emails, the highest rate seen since December
This trend in malware being distributed through email seems to be catching on, with several infamous malware families recently adding functionality that allows them to spread via spam email.
Following the success of WannaCry and Petya, the banking Trojans Emotet (Trojan.Emotet) and TrickBot (Trojan.Trickybot) have both added support for self-spreading components. Emotet now has the capability to steal email credentials from infected computers and then use them to send out spam in order to spread itself. TrickBot takes advantage of SMB to spread to computers on the same network as the original host and also spreads itself via spam posing as invoices from a financial organization. However, TrickBot’s new module doesn't appear to be fully implemented yet, according to the researchers that discovered it.
It’s not just banking malware that is working to bring worm-like functionality back into vogue. The ransomware Reyptson was discovered in July using stolen Thunderbird email client credentials to send out spam containing malicious links that ultimately lead to Reyptson being downloaded onto the recipient’s computer.
July also saw Symantec comment on another trend in the world of malware, so-called "living off the land" tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. This allows them to minimize the risk of their attacks being discovered and blocked by traditional security tools. June’s Petya outbreak is a good example of an attack using living off the land tactics, with its use of system commands and legitimate tools such as PsExec and wmic.exe.
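Because living off the land relies on binaries that are legitimately present on every Windows host, the defender’s signal is not the program but how it is invoked. The following is an added example, not Symantec’s detection logic: a small rule set run over process-creation telemetry that flags wmic.exe creating a process on a remote host, PsExec being pointed at another machine (and its PSEXESVC service appearing on the target), and PowerShell launched with encoded or downloaded script content, which is how scripts end up executing only in memory. The event shape (host, parent, image, cmdline, roughly what a Sysmon Event ID 1 collector yields) and every sample event are constructed for this example.

```python
"""
Heuristic detection of "living off the land" activity in process-creation
telemetry. This is an added example, not Symantec's detection logic.
The event shape (one dict per process start with host, parent, image and
cmdline, roughly what a Sysmon Event ID 1 collector yields) and every
sample event below are constructed for this example.
"""
import re
from dataclasses import dataclass

# (rule id, regex on the image basename, regex on the command line, description)
RULES = [
    ("wmic_remote_exec", r"^wmic\.exe$",
     r"(?i)/node:.*\bprocess\b.*\bcall\b.*\bcreate\b",
     "wmic.exe used to start a process on a remote host"),
    ("psexec_lateral", r"^psexec(64)?\.exe$",
     r"\\\\\S+",
     "PsExec launched against a remote host"),
    ("psexesvc_service", r"^psexesvc\.exe$",
     r".*",
     "PSEXESVC started: the target side of a PsExec session"),
    ("powershell_in_memory", r"^powershell\.exe$",
     r"(?i)(-enc(odedcommand)?\s|\biex\b|invoke-expression|downloadstring)",
     "PowerShell running encoded or downloaded script content in memory"),
]


@dataclass
class Finding:
    host: str
    rule: str
    description: str
    cmdline: str


def basename(path):
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_rule(event, rule):
    """Return a Finding if the event's image and command line both match the rule."""
    rule_id, image_re, cmd_re, description = rule
    if not re.search(image_re, basename(event["image"]), re.IGNORECASE):
        return None
    if not re.search(cmd_re, event["cmdline"]):
        return None
    return Finding(event["host"], rule_id, description, event["cmdline"])


def scan_events(events, allowlisted_hosts=()):
    """Return one Finding per (event, rule) match, skipping known admin hosts."""
    findings = []
    for event in events:
        if event["host"] in allowlisted_hosts:
            continue
        for rule in RULES:
            finding = match_rule(event, rule)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry: two benign events and four suspicious ones.
SAMPLE_EVENTS = [
    {"host": "WS-017", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                      # benign inventory query
    {"host": "WS-017", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"FS-02" process call create "cmd /c C:\tmp\run.bat"'},
    {"host": "WS-017", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS-02 -s -d cmd.exe"},
    {"host": "FS-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-023", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign scheduled script
    {"host": "WS-023", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # the -Enc blob is constructed; it is the harmless string "AAAA" in UTF-16LE
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host:7} {f.rule:22} {f.description}\n        {f.cmdline}")
```

Run as a script, this reports four findings: the remote wmic process creation and the PsExec launch on WS-017, the PSEXESVC service start on FS-02, and the encoded PowerShell on WS-023, while the plain inventory query and the scheduled backup script are left alone. Because every one of these tools is also used legitimately by administrators, the `allowlisted_hosts` parameter stands in for the tuning any real deployment needs; the `parent` field is carried along so that a follow-up rule (for instance PowerShell spawned by an Office application, as in the last sample event) can be added without changing the event shape.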
Spam
The global spam rate for July was the highest seen since March 2015, increasing 0.6 percentage points to 54.9 percent. As already discussed, several malware families were discovered in July to have added functionality that allowed them to send out spam containing copies of themselves. However, it’s not just malware authors that contribute to the world’s spam problem. A popular price comparison site was fined £80,000 (US$104,000) in July for spamming more than 7 million of its customers after they had specifically requested not to receive direct marketing emails from the company.
Phishing
The phishing rate also increased slightly in July, up to one in 1,968 emails, making it the highest rate seen for the past 12 months.
The threat posed by phishing attacks prompted one U.S. senator to take it upon himself to urge federal agencies to better protect themselves. U.S. Senator Ron Wyden sent a letter to the Department of Homeland Security in July calling for stricter controls over agency email. Wyden’s letter called for agencies to adopt the email authentication protocol Domain-based Message Authentication, Reporting and Conformance (DMARC), in order to reduce the risk of phishing attacks involving spoofed email addresses.
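DMARC works by publishing a TXT record at _dmarc.<domain> that tells receiving mail servers what to do with a message whose From: domain is not backed by an aligned SPF or DKIM result, which is exactly the situation a spoofed-sender phishing email creates. The following added example (not from the report or the senator’s letter) parses such a record, works out the disposition a receiver would apply to a message given its SPF and DKIM authenticated domains, and lists the settings that leave a domain exposed. Tag semantics follow RFC 7489; the record strings and domains are constructed, and the organizational-domain logic is deliberately simplified to the last two labels instead of consulting the Public Suffix List.

```python
"""
Minimal DMARC record parser and policy evaluator. Added example, not part
of the Symantec report or the senator's letter. Tag semantics (v, p, sp,
pct, adkim, aspf, rua) follow RFC 7489; all record strings and domain
names used below are constructed for this example.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags, filling in RFC defaults."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p") not in POLICIES:
        raise ValueError("p= tag missing or invalid")
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    tags.setdefault("pct", "100")        # apply policy to all failing mail
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment
    tags.setdefault("aspf", "r")         # relaxed SPF alignment
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels for this example.
    Real implementations consult the Public Suffix List (think of co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the SPF/DKIM authenticated domain align with the RFC5322.From domain?"""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":                      # strict: exact match required
        return f == a
    return org_domain(f) == org_domain(a)  # relaxed: same organizational domain


def disposition(tags, from_domain, spf_domain=None, dkim_domain=None, subdomain=False):
    """Receiver's action: 'pass' if either SPF or DKIM passed *and* aligns,
    otherwise the published policy (p, or sp for a subdomain From:)."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["sp"] if subdomain else tags["p"]


def weaknesses(tags):
    """Settings that leave the domain open to spoofing or blind to it."""
    issues = []
    if tags["p"] == "none":
        issues.append("p=none: spoofed mail is reported but still delivered")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only a fraction of failing mail")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so spoofing is not visible")
    return issues


# Constructed records for a fictional domain.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    strong = parse_dmarc(STRONG_RECORD)
    # A spoofed From: example.com with SPF passing only for the attacker's own domain
    print(disposition(strong, "example.com", spf_domain="attacker.example"))
    for issue in weaknesses(parse_dmarc(WEAK_RECORD)):
        print("weakness:", issue)
```

The point the letter makes is visible in `disposition`: with `p=none` a spoofed message that fails alignment is still delivered, whereas `p=reject` lets the receiver refuse it. The `rua=` check matters for the same reason; without aggregate reports a domain owner never learns who is sending in its name, which is why rollouts typically start at `p=none` with reporting enabled and move to `quarantine` and then `reject`.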
Web attacks
July saw a small decrease in the number of web attacks blocked by Symantec per day. Although the number dropped from 1,159,398 per day to 1,158,985 per day, July is the fourth consecutive month with elevated web attack activity.
Figure 2. July marks four months of elevated web attack activity
July also saw researchers discover a new type of attack that targets fresh installations of WordPress. Attackers are scanning for a specific setup URL that new installations of the content management system use. The presence of this URL indicates that WordPress has recently been installed on a server but has yet to be configured, making it relatively easy for the attackers to take over not only the WordPress site but also the hosting account and all other sites on that account.
This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.