Fileless Malware on the Rise, Traditional Defenses Failing
An alarming majority of malware (75 percent) is going undetected by “traditional malware solutions,” according to a new report. And nearly three-quarters of threats detected in the last quarter were zero-day malware — an all-time high.
The Internet Security Report for Q1 2021 from WatchGuard Technologies found that malicious scripts are delivering fileless malware in the form of an XML external entity. The most widespread was XML.JSLoader, which made the top 10 for the first time in the first quarter of 2021. According to researchers: “The sample WatchGuard identified uses an XML external entity (XXE) attack to open a shell to run commands to bypass the local PowerShell execution policy and runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.”
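As an added example, not code from the article or from WatchGuard, the following Python scores constructed process-creation events for the behaviour the researchers describe: PowerShell started with the execution policy bypassed, running non-interactively or with a hidden window, and spawned by a script host. The event layout (Sysmon Event ID 1 style fields), the sample command lines and the list of script-host parents are assumptions.

```python
import ntpath
import re

# Constructed process-creation events in Sysmon Event ID 1 style: illustrative
# sample data, not telemetry from the report. Script arguments are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "<placeholder>"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Users\Public\<placeholder>.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NonInteractive -File C:\ops\rotate-logs.ps1"},
]

# PowerShell accepts unambiguous prefixes of its parameter names, so -ep, -exec,
# -noni and -w show up in the wild alongside the full spellings.
EXEC_POLICY_BYPASS = re.compile(r"-(ep|ex[a-z]*)\s+(bypass|unrestricted)\b", re.I)
NON_INTERACTIVE = re.compile(r"-noni[a-z]*\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed loader parents

def analyse(event):
    """Score one event; returns None if the new process is not PowerShell."""
    if ntpath.basename(event["Image"]).lower() not in POWERSHELL:
        return None
    cmd = event["CommandLine"]
    reasons = []
    if EXEC_POLICY_BYPASS.search(cmd):
        reasons.append("execution policy bypassed")
    if NON_INTERACTIVE.search(cmd):
        reasons.append("non-interactive session")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return {"command": cmd, "reasons": reasons, "score": len(reasons)}

def find_suspicious(events, min_score=2):
    """Keep PowerShell launches whose combined indicators reach min_score."""
    return [h for h in map(analyse, events) if h and h["score"] >= min_score]
```

A single indicator such as -NonInteractive is routine in scheduled administrative scripts, which is why the threshold requires several to coincide.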
A ransomware loader called Zmutzy made the top 2 in Q1. It manifests as a disguised e-mail attachment. According to the researchers: “Associated with Nibiru ransomware specifically, victims encounter this threat as a zipped file attachment to an e-mail or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.”
The report highlighted a number of other trends in malware and network attacks:
- Half of the top 10 malware families by volume were new to the top 10, including Ursu, Trojan.IFrame, XML.JSLoader, Zmutzy, and Zum.Androm;
- Encrypted connections saw less zero-day malware (60.3 percent) than the overall average (74 percent);
- Network attacks reached a three-year high during the first quarter, at 4.2 million Intrusion Prevention Service (IPS) hits on Firebox appliances;
- More than 5 million malicious domains were blocked by DNSWatch in the quarter, a 281 percent increase over Q4 2020; and
- Exploits against ProxyLogon Exchange Server flaws increased 1,600 percent.
The complete report and executive summary are available on the WatchGuard site, as well as an infographic with highlights from the report.