Netskope Threat Labs Stats for June 2023

Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.

Summary

• Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 60% of all malware downloads in June originating from 155 cloud apps.
• While Microsoft OneDrive, the most popular enterprise app, continues to be the cloud app with the most malware downloads, the share of downloads it represents has decreased for the third consecutive month.
• Bundlore and Pirrit, two adwares targeting Mac OS X users, made the top ten list for malware downloads as attackers continue to target OS X. 

Cloud Malware Delivery

Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In June 2023, 60% of all HTTP/HTTPS malware downloads originated from popular cloud apps, one point higher than May and one point lower than the all-time high in February.

At the same time, the total number of cloud apps from which the downloads originated fell slightly from its all time high in May to 155.

Attackers achieve the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. Although the percentage of cloud downloads from OneDrive has fallen for the third consecutive month, it still remains in first place. Other top apps for malware downloads include free web hosting services (Squarespace and Weebly), free software hosting sites (GitHub), collaboration apps (SharePoint), cloud storage apps (Azure Blob Storage, Google Drive, Box), and webmail apps (Outlook.com). DocPlayer, a free document sharing app, made the top ten for the third consecutive months as malicious PDF files have increased in popularity. The top ten list is a reflection of attacker tactics, user behavior, and company policy.

Top Malware File Types

By file type, Microsoft Windows Portable Executable files (EXE/DLL) accounted for the plurality of malware downloads in June, as they have for the past four months. Remaining in second place for the second consecutive month were PDF files, which increased their lead over ZIP archives slightly. Mac DMG files were edged out of the top ten by malicious 7 Zip files after a three-month stay in the top ten list.

Top Malware Families

Attackers are constantly creating new malware families and new variants of existing families, either as an attempt to bypass security solutions or to update their malware’s capabilities. In June 2023, 55% of all malware downloads detected by Netskope were either new families or new variants that had not been observed in the preceding six months. The other 45% were samples that had been previously observed during the preceding six months and are still circulating in the wild.

By volume, Netskope blocks more Trojans than any other malware type. Trojans are commonly used by attackers to gain an initial foothold and to deliver other types of malware, such as infostealers, Remote Access Trojans (RATs), backdoors, and ransomware. Other top malware types include phishing lures (typically PDF files designed to lure victims into phishing scams), viruses (which can propagate themselves), downloaders (which download additional malicious payloads), and file-based exploits. The relative distribution of malware types changes very little month-over-month.

The following list contains the top malware and ransomware families blocked by Netskope in June 2023:

• Adware.Bundlore (a.k.a. SurfBuyer) is an OSX adware installer that has circulated in many forms including Flash player installers, hidden scripts, and browser plugins. Details
• Adware.Pirrit is an adware installer for OSX that has been around since 2016 that continues to circulate. Details
• Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites. Details
• Infostealer.AgentTesla is a .NET-based Remote Access Trojan with many capabilities, such as stealing browsers’ passwords, capturing keystrokes, clipboard, etc. Details
• Infostealer.Lazagne is a password recovery tool that can be used as a hacking tool to steal passwords from infected devices. Details
• Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
• Ransomware.Akira first emerged in March 2023 and has a universal decrypter that was released by Avast in June 2023. Details
• Trojan.AmsiBypass is a malicious PowerShell script that attempts to bypass the Windows Antimalware Scan Interface (AMSI). Details
• Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office Documents that contain embedded malicious VBScripts usually to deliver other malicious payloads. Details
• Trojan.Razy is a Trojan typically distributed via malicious ads disguised as legitimate software, often used to steal cryptocurrency data. Details

Recommendations

Attackers have always sought to evade detection and avoid suspicion in delivering malware. Two strategies that attackers have been using increasingly in the past six months are to deliver malware by abusing cloud apps and to package malware in archive files. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:

• Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
• Ensure that your security controls recursively inspect the content of popular archive files such as ZIP files for malicious content. Netskope Advanced Threat Protection recursively inspects the content of archives, including ISO, TAR, RAR, 7Z, and ZIP.
• Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
• Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
• Block downloads of all risky file types from newly registered domains and newly observed domains.

In addition to the recommendations above, Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites that fall in categories that present higher risk, like Newly Observed and Newly Registered Domains.

About This Report

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting December 1, 2022 through June 30, 2023. Stats are reflection of attacker tactics, user behavior, and organization policy.