Endpoint malware attacks decline as campaigns spread wider

In Q2 2023, 95% of malware now arrives over encrypted connections, endpoint malware volumes are decreasing despite campaigns growing more widespread, ransomware detections are declining amid a rise in double-extortion attacks, and older software vulnerabilities persist as popular targets for exploitation among modern threat actors, among other trends, according to WatchGuard.

“The data analyzed by our Threat Lab for our latest report reinforces how advanced malware attacks fluctuate in occurrence and multifaceted cyber threats continue to evolve, requiring constant vigilance and a layered security approach to combat them effectively,” said Corey Nachreiner, CSO at WatchGuard.

“There is no single strategy that threat actors wield in their attacks and certain threats often present varying levels of risk at different times of the year. Organizations must continually be on alert to monitor these threats and employ a unified security approach, which can be administered effectively by managed service providers, for their best defense,” Nachreiner continued.

Malware hidden behind encryption

Most malware lurks behind SSL/TLS encryption used by secured websites. Organizations that don’t inspect SSL/TLS traffic at the network perimeter are likely missing most malware. Furthermore, zero-day malware dropped to 11% of total malware detections, an all-time low. However, when inspecting malware over encrypted connections, the share of evasive detections increased to 66%, indicating attackers continue to deliver sophisticated malware primarily via encryption.

There was a slight 8% decrease in endpoint malware detections in Q2 2023 compared to the previous quarter. However, when looking at endpoint malware detections caught by 10 to 50 systems or 100 or more systems, these detections increased in volume by 22% and 21%, respectively. The increased detections among more machines indicate widespread malware campaigns grew from Q1 to Q2 of 2023.

Double-extortion attacks from ransomware groups increased 72% quarter over quarter, as the Threat Lab noted 13 new extortion groups. However, the rise in double-extortion attacks occurred as ransomware detections on endpoints declined 21% quarter over quarter and 72% year over year.

There were six new malware variants in the Top 10 endpoint detections. Threat Lab saw a massive increase in detections of the compromised 3CX installer, accounting for 48% of the total detection volume in the Q2 Top 10 list of malware threats. Furthermore, Glupteba, a multi-faceted loader, botnet, information stealer, and cryptominer that targets victims seemingly indiscriminately worldwide, made a resurgence in early 2023 after being disrupted in 2021.

Cybercriminals continue to target older software vulnerabilities

Threat actors increasingly leverage Windows living off-the-land binaries to deliver malware. In analyzing attack vectors and how threat actors gain access in endpoints, attacks that abused Windows OS tools like WMI and PSExec grew 29%, accounting for 17% of all total volume, while malware that used scripts like PowerShell dropped 41% in volume. Scripts remain the most common malware delivery vector, accounting for 74% of detections overall. Browser-based exploits declined 33%, accounting for 3% of the total volume.

Threat Lab researchers found three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities. One was a 2016 vulnerability associated with an open-source learning management system (GitHub) that was retired in 2018. Others were a signature that catches integer overflows in PHP, the scripting language used by many websites, and a 2010 buffer overflow and HP management application called Open View Network Node Manager.

In researching malicious domains, the Threat Lab team encountered instances of self-managed websites (such as WordPress blogs) and a domain-shortening service that were compromised to host either malware or malware command and control framework. Additionally, Qakbot threat actors had compromised a website dedicated to an educational contest in the Asia Pacific region to host command and control infrastructure for their botnet.