
Latest Intelligence for April 2017 

May 10, 2017 09:07 AM

Some of the key takeaways from April’s Latest Intelligence, and the threat landscape in general, include an increase in the number of web attacks blocked per day, the Hajime worm taking on Mirai, and the Longhorn cyber espionage group being linked to tools and operational protocols detailed in the Vault 7 leak.

Web attacks

Symantec blocked 1,038,000 web attacks per day in April, the highest level seen since January 2016.


When it came to exploit kit activity, RIG remained in the number one spot and saw an increase in activity, accounting for 29.5 percent of all toolkit activity (up from 13.6 percent the previous month). Magnitude (6.3 percent) and Sundown (5.3 percent) took second and third place respectively, trading spots from last month.

Figure 1. Symantec blocked 1,038,000 web attacks per day in April

April also saw reports of an unnamed bank in Brazil suffering a web attack that involved hackers taking over all the bank’s online operations for five hours. Hackers managed to intercept all of the bank's online banking, mobile, point-of-sale, ATM, and investment transactions by compromising 36 of the bank's domains, including internal email and FTP servers. Researchers said the attackers gained access to the bank’s systems by sending employees information-stealing malware masquerading as a Trusteer banking security plug-in application.

Malware

The number of new malware variants detected by Symantec reached 81 million in April, up from 77.5 million in March.

The email malware rate also increased to 1 in 482 emails, up from 1 in 668 the previous month. The return of the Necurs botnet near the end of March may be to blame for this increase. However, the rate is still well below the rates seen throughout 2016.

In April, Symantec published research on the Hajime worm that revealed details about how it works. The worm appears to be the work of a white hat hacker attempting to wrest control of Internet of Things (IoT) devices from Mirai (Linux.Gafgyt) and other similar threats.

The Vault 7 leaks were still making headlines in April when Symantec published a blog linking spying tools and operational protocols detailed in the leaked documents to cyber attacks against at least 40 targets in 16 different countries. The tools were used by a group dubbed Longhorn, which Symantec had been monitoring for three years. The cyber espionage group targeted not only governments and international organizations, but also targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.

Spam

There was a slight increase in the global spam rate in April, up 0.4 percentage points from the previous month to 54.2 percent. The Construction sector had the highest rate of spam in April at 59.7 percent.

The ongoing fight against malware and spam continued in April when the US Justice Department launched a coordinated takedown operation in an attempt to disrupt and dismantle the Kelihos botnet (W32.Waledac). Symantec has been protecting customers from Kelihos for a number of years and has been actively monitoring its spam and phishing campaigns.

Phishing

At 1 in 5,611 emails, the phishing rate in April was up from March (1 in 9,138). Although the phishing rate increased, it was still lower than the rate in October 2016, which was the lowest seen during all of 2016.

Figure 2. The email phishing rate for April increased to 1 in 5,611 emails

Researchers discovered what they called an undetectable phishing attack method in April. It is a variation of a homograph attack, in which Unicode characters that look like other characters are used in place of them to disguise a phishing site's domain. Although many websites use Punycode to avoid this issue, it was discovered that if every character is replaced with a lookalike from the same foreign script, the protections in place no longer work.
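As an added illustration of the detection gap described above (example code, not part of the original post), the following Python check decodes a hostname from its Punycode form and flags two cases: the classic mixed-script label, and a label written entirely in one non-Latin script whose lookalike skeleton matches a protected brand. The confusables table, the brand list and the sample domain are small constructed stand-ins, not real data.

```python
import unicodedata

# Constructed, deliberately small table of non-Latin letters that render like
# Latin ones. A production check would use the full Unicode TR39 confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",  # Cyrillic c, y, x, s
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u04cf": "l",  # Cyrillic i, j, h, l
    "\u03bf": "o",                                               # Greek omicron
}

# Constructed list of brand names the filter wants to protect (assumption).
WATCHED_BRANDS = {"paypal", "apple", "symantec"}


def to_unicode(host):
    """Return the Unicode form of a hostname given either as Unicode or as Punycode (xn--)."""
    host = host.rstrip(".").lower()
    if all(ord(c) < 128 for c in host):
        return host.encode("ascii").decode("idna")  # stdlib IDNA codec expands xn-- labels
    return host


def scripts_of(label):
    """Scripts used by a label, read from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch not in "-0123456789"}


def skeleton(label):
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify(host):
    """Return ('ok' | 'mixed-script' | 'whole-script-confusable', unicode_host)."""
    uhost = to_unicode(host)
    for label in uhost.split(".")[:-1]:  # the TLD is left to the registry's own rules
        scripts = scripts_of(label)
        if len(scripts) > 1:  # classic homograph; browsers usually show this as Punycode
            return "mixed-script", uhost
        # Single non-Latin script whose lookalike skeleton is a watched brand: the case
        # that slips past the Punycode display rule described in the post.
        if scripts and scripts != {"LATIN"} and skeleton(label) in WATCHED_BRANDS:
            return "whole-script-confusable", uhost
    return "ok", uhost


# Constructed sample: "paypal" spelled entirely with Cyrillic lookalikes, plus its xn-- form.
SAMPLE_CYRILLIC = "\u0440\u0430\u0443\u0440\u0430\u04cf.com"
SAMPLE_PUNYCODE = SAMPLE_CYRILLIC.encode("idna").decode("ascii")
```

Feeding classify() the Punycode form seen in proxy or DNS logs gives the same verdict as the Unicode form, so the check can run on log data without any rendering step.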

Mobile

Although there were no new Android malware families discovered in April, the number of Android variants increased to 62, up from 60 the previous month.

In April, Google released the first developer preview of its latest mobile operating system, Android O. Symantec published a blog detailing how changes made to the latest OS will make life more difficult for mobile ransomware developers. Android O has deprecated several types of system-type windows, which means that Android ransomware using system-type windows will no longer work on devices running the new OS, even if the relevant permission has been granted by the device's user.

This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.
