Fileless Malware on the Rise, Traditional Defenses Failing

An alarming majority of malware (75 percent) is going undetected by “traditional malware solutions,” according to a new report. And nearly three-quarters of threats detected in the last quarter were zero-day malware — an all-time high.

The Internet Security Report for Q1 2021 from WatchGuard Technologies found that malicious scripts are delivering fileless malware in the form of an XML external entity. The most widespread was XML.JSLoader, which made the top 10 for the first time in the first quarter of 2021. According to researchers: “The sample WatchGuard identified uses an XML external entity (XXE) attack to open a shell to run commands to bypass the local PowerShell execution policy and runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.”

A ransomware loader called Zmutzy made the top 2 in Q1. It manifests as a disguised e-mail attachment. According to the researchers: “Associated with Nibiru ransomware specifically, victims encounter this threat as a zipped file attachment to an e-mail or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.”

The report highlighted a number of other trends in malware and network attacks:

  • Half of the top 10 malware families by volume were new to the top 10, including Ursu, Trojan.IFrame, XML.JSLoader, Zmutzy, and Zum.Androm;

  • Encrypted connections saw less zero-day malware (60.3 percent) than the overall average (74 percent);

  • Network attacks reached a three-year high during the first quarter, at 4.2 million Intrusion Prevention Service (IPS) hits on Firebox appliances;

  • More than 5 million malicious domains were blocked by DNSWatch in the quarter, a 281 percent increase over Q4 2020; and

  • Exploits against ProxyLogin Exchange Server flaws increased 1,600 percent.

A complete report and executive summary is available on the WatchGuard site, as well as an infographic with highlights from the report.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • college students in a classroom focus on a silver laptop, with a neural network diagram on the monitor in the background

    Report: 93% of Students Believe Gen AI Training Belongs in Degree Programs

    The vast majority of today's college students — 93% — believe generative AI training should be included in degree programs, according to a recent Coursera report. What's more, 86% of students consider gen AI the most crucial technical skill for career preparation, prioritizing it above in-demand skills such as data strategy and software development.

  • laptop with a neural network image, surrounded by books, notebooks, a magnifying glass, a pencil cup, and a desk lamp

    D2L Lumi AI Updates Add Personalized Study Supports

    Learning platform D2L has announced new artificial intelligence features for D2L Lumi that help provide more personalized study supports for students.

  • three glowing stacks of tech-themed icons

    Research: LLMs Need a Translation Layer to Launch Complex Cyber Attacks

    While large language models have been touted for their potential in cybersecurity, they are still far from executing real-world cyber attacks — unless given help from a new kind of abstraction layer, according to researchers at Carnegie Mellon University and Anthropic.

  • young man in a denim jacket scans his phone at a card reader outside a modern glass building

    Colleges Roll Out Mobile Credential Technology

    Allegion US has announced a partnership with Florida Institute of Technology (FIT) and Denison College, in conjunction with Transact + CBORD, to install mobile credential technologies campuswide. Implementing Mobile Student ID into Apple Wallet and Google Wallet will allow students access to campus facilities, amenities, and residence halls using just their phones.