Some of the key takeaways from July’s Latest Intelligence, and the threat landscape in general, include an increase in the email malware rate, several malware threats adding self-spreading functionality, and Symantec’s look at how attackers are increasingly using living off the land tactics.
The email malware rate in July increased to one in 359 emails, up from one in 451 the previous month. This marks the highest rate seen in the past seven months.
Distributing malware through email seems to be catching on, with several infamous malware families recently adding functionality that allows them to spread via spam email.
Following the success of WannaCry and Petya, the banking Trojans Emotet (Trojan.Emotet) and TrickBot (Trojan.Trickybot) have both added support for self-spreading components. Emotet now has the capability to steal email credentials from infected computers and then use them to send out spam in order to spread itself. TrickBot takes advantage of SMB to spread to computers on the same network as the original host and also spreads itself via spam posing as invoices from a financial organization. However, TrickBot’s new module doesn’t appear to be fully implemented yet, according to the researchers that discovered it.
It’s not just banking malware that is working to bring worm-like functionality back into vogue. The ransomware Reyptson was discovered in July using stolen Thunderbird email client credentials to send out spam containing malicious links that ultimately lead to Reyptson being downloaded onto the recipient’s computer.
July also saw Symantec comment on another trend in the world of malware, so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers, or running simple scripts and shellcode directly in memory, which minimizes the risk of their attacks being discovered and blocked by traditional security tools. June’s Petya outbreak is a good example of an attack using living off the land tactics, with its use of system commands and legitimate tools such as PsExec and wmic.exe.
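Because living off the land leaves few file-based artifacts, detection shifts to process telemetry. The following is an added example (not Symantec’s code and not from the original post): a small heuristic that scans constructed Windows process-creation events for the tools named above (wmic.exe remote process creation, the PsExec service binary) and for in-memory script delivery via encoded PowerShell. The event field names are assumptions modelled on Sysmon process-creation records, and all sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str      # full path of the created process
    cmdline: str    # its command line
    parent: str     # image of the parent process

# Heuristics tied to the living-off-the-land tools discussed in the post.
RULES = [
    # wmic.exe being used to spawn a process, typically on a remote node
    ("wmic_remote_exec",
     lambda e: e.image.lower().endswith("wmic.exe")
               and re.search(r"process\s+call\s+create", e.cmdline, re.I) is not None),
    # PsExec installs its service binary PSEXESVC on the target it runs against
    ("psexec_service",
     lambda e: e.image.lower().endswith("psexesvc.exe")
               or "psexesvc" in e.parent.lower()),
    # script passed in memory through PowerShell's encoded-command switch
    ("encoded_powershell",
     lambda e: e.image.lower().endswith("powershell.exe")
               and re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\b", e.cmdline, re.I) is not None),
]

def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    return [name for name, pred in RULES if pred(event)]

def scan(events):
    """Return (host, image, rule) triples for every suspicious event, in order."""
    return [(e.host, e.image, rule) for e in events for rule in classify(e)]

# Constructed sample telemetry: two benign-looking admin commands and three hits.
SAMPLE = [
    ProcEvent("ws01", r"C:\Windows\System32\wbem\wmic.exe",
              'wmic /node:"srv02" process call create "notepad.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv02", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("ws01", r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgA", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Plain inventory commands such as `wmic os get caption` are left alone, so the rules key on the specific behaviours (remote process creation, service drop, encoded scripts) rather than on the presence of the tools themselves.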