Cyber Marketplaces for Attackers

Cyber marketplaces for attackers

Attackers are teasing would-be cyber criminals by deploying fake malware kits on code-sharing platforms like GitHub.

The latest HP Wolf Security Threat Insights Report shows that cyber marketplaces give attackers all the tools they need to bypass all detection measures when infiltrating organisations. The report is based on data from millions of endpoints running HP Wolf Security.

Houdini’s final act

A new campaign targeted organisations with fake shipping documents hiding the Vjw0rm JavaScript malware. The obfuscated code allowed the malware to bypass email defences and reach end devices. The analysed attack fed Houdini, a ten-year-old VBScript RAT, into the network. This shows that with the right pre-built tools from cybercrime marketplaces, cybercriminals are able to effectively deploy old malware by abusing the scripting capabilities built into operating systems.

Cybercriminals use “Jekyll and Hyde” attacks

HP discovered a Parallax RAT campaign that launches two threads when a user opens a malicious scanned invoice in order to trick them. The “Jekyll” thread opens a fake invoice copied from a legitimate online template. This reduces the recipient’s mistrust. The “Hyde” thread executes the malware in the background. This attack is easy for threat actors to carry out – and relatively inexpensive: hacker forums offer ready-made Parallax kits for 65 US dollars per month.

Attackers provide fake malware kits on code-sharing platforms such as GitHub. These repositories of malicious code entice wannabe threat actors to infect their own machines. One popular malware kit, XWorm, is offered on underground markets for up to 500 US dollars. This relatively high cost tempts cyber criminals with tight budgets to buy fake, cracked versions.

Archives are the most popular malware file type

The report also shows how cyber criminals are increasingly diversifying their attack methods to circumvent security policies and detection tools. Further findings:

  • Archives were the most popular malware file type for the sixth consecutive quarter, used in 36 percent of the cases analysed.
  • Despite being disabled by default, macro-enabled Excel add-in (.xlam) threats rose from 46th place in Q2 to 7th place among the most commonly abused file extensions by attackers in Q3. In Q3, there were also malware campaigns that abused PowerPoint add-ins.
  • At least 12 per cent of email threats identified by HP Sure Click bypassed one or more email gateway scanners in both Q3 and Q2.
  • In Q3, more attacks were detected using exploits in Excel (91 per cent) and Word (68 per cent) formats.
  • The number of isolated PDF threats rose by five percentage points compared to the second quarter.
  • The most important threat vectors in Q3 were emails (80 per cent) and browser downloads (11 per cent).