Our malware threat report for Q1 2020 highlighted cyber threats and exploits including phishing and malspam campaigns and a surge in Emotet-related attacks. This midyear malware threat report provides more in-depth insight into sophisticated attacks across the PE (Portable Executable) and non-PE threat categories, as well as Android and macOS threats. We’ll also take a closer look at the growing number of Office attacks and the IoT malware observed by the Avira Protection Labs.
In Q2 2020, we saw a very small reduction in total detection events. This overall reduction in detection events can be attributed to malware authors shifting from volume to more complex and sophisticated attack methodologies, leveraging MS Office, and script-based threats. Although mobile devices faced fewer attacks compared to Q1 2020, Adware and PUA continue to grow.
PE or ‘Portable Executable’ is the term commonly used to describe binary executables within the Windows OS. PE includes the ‘.exe’ and ‘.dll’ file types and less well-known formats such as ‘.scr’. They are by far the most used file format for malware attacks on the Windows platform.
In general, the mix of malware categories is quite stable, with trojans most often seen followed by file infectors.
Figure 1: PE detection categories in Q2, excluding Heuristic detections
The Ramnit, Sality and Virut families of PE file infectors are the ones most commonly identified by our machine-learning-enabled heuristic systems. File infectors are noteworthy here: because each one can infect hundreds to thousands of files per computer, they can generate a lot of unique detection events.
In 2019, Ramnit was among the top malware families causing financial attacks. The Ramnit malware family steals confidential data from infected machines or, depending on the variant, includes a botnet capability. It spreads through .exe, .dll, or HTML files.
Sality previously appeared to be a worm, but the Sality malware family now acts as a backdoor connecting infected machines to a botnet. It is most commonly distributed through .exe files. Recent variants can communicate through a P2P network.
Virut is a polymorphic malware family that spreads through .exe files. It has entry-point obscuring capabilities and includes an IRC backdoor.
Non-PE threats, as the name suggests, are not Windows executables, but other means of infecting machines. In this category, we have Office files, scripts, PDFs, and other exploits.
Q2 2020 saw many more people working from home as a result of the pandemic. Malware authors and bad actors recognized the opportunity presented by users working outside the office and adapted their attacks accordingly. In this quarter, we observed not only a surge in Non-PE samples in the wild but also an increase in (prevented) attacks on our customer base. We saw a significant rise in script-based detections (73.55%) and Office-based macro detections (30.43%).
Figure 3: Logarithmic view of NonPE detection categories in Q2
When we take an in-depth look at the top 10 NonPE threats, we observe the same trend. Office and Web-based detections hold the top positions:
Figure 4: Top 10 NonPE detections in Q2
One of the most prevalent malware families in the Office documents category was W97M/Marker malware. W97M/Marker infects other documents by appending the malicious code to the existing macro code. The name comes from the “you are marked” text comments used to locate the beginning of the code.
In Q2 2020, Avira telemetry showed many Office threats exploiting an old stack buffer overflow vulnerability in Microsoft Equation Editor, CVE-2017-11882. The vulnerability enables remote code execution, which the documents use to download the malicious payload.
By far the most significant increase was observed in Office documents using Excel 4.0 (XLM) macro techniques. The technique gained popularity among malware authors over the last year. As shown in the figure below, the peak was in May, followed by a decreasing trend in June.
Briefly, this is an ancient and well-known technique, but this new campaign made use of a few tricks to escape users' notice. Some samples used the hidden or very hidden sheet properties to camouflage the sheets containing the macro code, and others were password protected.
Figure 5: New incoming Excel samples based on version
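The hidden and very hidden sheet tricks described above leave traces in the workbook's own metadata. The following added example (not Avira's code) walks the BIFF8 records of a legacy .xls Workbook stream and reports Excel 4.0 macro sheets that are not visible, plus the FILEPASS record that marks a password-protected workbook; it assumes the Workbook stream has already been pulled out of the OLE container, and the sample stream is constructed inline.

```python
import struct

# BIFF8 record ids from [MS-XLS]
BOF, EOF_REC, BOUNDSHEET, FILEPASS = 0x0809, 0x000A, 0x0085, 0x002F
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vba_module"}


def iter_records(stream: bytes):
    """Yield (record_id, payload) for every BIFF record in a Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, pos)
        yield rid, stream[pos + 4:pos + 4 + size]
        pos += 4 + size


def parse_boundsheet(payload: bytes) -> dict:
    """Decode a BoundSheet8 record: visibility (low 2 bits), sheet type and name."""
    _lb_ply_pos, hs_byte, dt = struct.unpack_from("<IBB", payload, 0)
    cch, flags = payload[6], payload[7]       # ShortXLUnicodeString header
    raw = payload[8:]
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return {"name": name, "state": HS_STATE.get(hs_byte & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, "unknown")}


def scan_workbook(stream: bytes) -> dict:
    """Summarise the indicators the report mentions: XLM macro sheets that are
    hidden or very hidden, and workbook-level encryption (FILEPASS present)."""
    sheets, encrypted = [], False
    for rid, payload in iter_records(stream):
        if rid == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rid == FILEPASS:
            encrypted = True
    suspicious = [s for s in sheets if s["type"] == "xlm_macro" and s["state"] != "visible"]
    return {"sheets": sheets, "encrypted": encrypted, "hidden_xlm_sheets": suspicious}


def boundsheet(name: str, state: int, dt: int) -> bytes:
    """Build a BoundSheet8 record (only used to construct the sample stream)."""
    body = struct.pack("<IBB", 0, state, dt) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed sample stream: a visible worksheet plus a very hidden XLM macro sheet.
SAMPLE_STREAM = (struct.pack("<HH", BOF, 0) + boundsheet("Sheet1", 0, 0x00)
                 + boundsheet("Macro1", 2, 0x01) + struct.pack("<HH", EOF_REC, 0))

if __name__ == "__main__":
    print(scan_workbook(SAMPLE_STREAM))
```

A hidden or very hidden XLM macro sheet is a strong triage signal on its own; an encrypted workbook cannot be inspected this way until it is decrypted, which is why the password-protected samples mentioned above need a separate handling path.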
Zloader and Dridex are well-known banking malware families. They aim to steal credentials and other private information from targeted users. In Q2 2020, the primary infection vector was COVID-19-themed e-mails containing Office or PDF files, which in turn downloaded the malicious payload.
The global Android threat activity has toned down a bit this quarter compared to the previous one. The first two months show a slight increase in detections compared to their respective months in the last quarter, with June noticeably below March.
Figure 7: Android Threat Categories in 2020 Q2
Out of the top ten detected families, five have intrusive advertisement display capabilities, with Android/Hiddad first on the list. It is worth mentioning that “droppers” make up a third of the top ten detected families this quarter.