Attackers are luring would-be cyber criminals with fake malware kits on code-sharing platforms such as GitHub.
The latest HP Wolf Security Threat Insights Report shows that cyber crime marketplaces give attackers the tools they need to evade detection when infiltrating organisations. The report is based on data from millions of endpoints running HP Wolf Security.
Houdini’s final act
Cybercriminals use “Jekyll and Hyde” attacks
HP discovered a Parallax RAT campaign that launches two threads when a user opens a malicious "scanned invoice" attachment. The "Jekyll" thread opens a decoy invoice copied from a legitimate online template, which lowers the recipient's suspicion. The "Hyde" thread executes the malware in the background. The attack is easy for threat actors to carry out and relatively inexpensive: hacker forums offer ready-made Parallax kits for 65 US dollars per month.
Attackers also host fake malware kits on code-sharing platforms such as GitHub. These repositories lure wannabe threat actors into infecting their own machines. One popular malware kit, XWorm, is offered on underground markets for up to 500 US dollars. This relatively high price tempts cyber criminals on tight budgets to download fake "cracked" versions, which compromise the people who run them.
Archives are the most popular malware file type
The report also shows how cyber criminals are increasingly diversifying their attack methods to circumvent security policies and detection tools. Further findings:
- Archives were the most popular malware file type for the sixth consecutive quarter, used in 36 percent of the cases analysed.
- Although macros are disabled by default, macro-enabled Excel add-in (.xlam) threats rose from 46th place in Q2 to 7th place among the file extensions most commonly abused by attackers in Q3. Q3 also saw malware campaigns that abused PowerPoint add-ins.
- At least 12 per cent of email threats identified by HP Sure Click bypassed one or more email gateway scanners in both Q2 and Q3.
- Attacks using exploits in Excel (91 per cent) and Word (68 per cent) file formats increased in Q3.
- The share of isolated PDF threats rose by five percentage points compared with the second quarter.
- The main threat vectors in Q3 were email (80 per cent) and browser downloads (11 per cent).
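Two of the findings above, archives as the dominant malware container and Office add-ins (.xlam, .ppam) carrying VBA, can be checked for in email attachments without opening them in Office. The script below is an added example, not HP's code or part of the report: OOXML files are zip containers, so the presence of a `vbaProject.bin` part reveals embedded VBA, and zip archives can be unpacked recursively (with a depth bound) to find add-ins or executables nested inside. All sample files are constructed in memory with minimal OOXML-shaped zips; the extension lists and finding labels are assumptions chosen for the demonstration. Legacy OLE2 formats (.xls, .doc) are not zips and are only flagged as unparsed here; a real triage pipeline would hand them to an OLE parser.

```python
from __future__ import annotations
import io
import zipfile

# Extension sets are assumptions for this example, not an exhaustive policy.
ADDIN_EXTS = {".xlam", ".ppam"}
OFFICE_EXTS = ADDIN_EXTS | {".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTS = {".xls", ".doc", ".ppt"}  # OLE2 containers, not zip: need an OLE parser
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".hta", ".lnk"}
ARCHIVE_EXTS = {".zip"}
MAX_DEPTH = 3  # nested archives are a common evasion trick; bound the recursion


def _ext(name: str) -> str:
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def office_has_vba(data: bytes) -> bool:
    """True if an OOXML document (a zip container) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all, so not OOXML


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    ext = _ext(name)
    findings: list[str] = []
    if ext in OFFICE_EXTS:
        if office_has_vba(data):
            findings.append("vba")
        if ext in ADDIN_EXTS:
            findings.append("office_addin")  # add-ins load silently once enabled
    elif ext in LEGACY_OFFICE_EXTS:
        findings.append("legacy_office_unparsed")
    elif ext in EXECUTABLE_EXTS:
        findings.append("executable")
    elif ext in ARCHIVE_EXTS:
        if depth >= MAX_DEPTH:
            findings.append("archive_too_deep")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # encrypted member: cannot inspect, so flag it
                        findings.append(f"archive>{info.filename}:encrypted")
                        continue
                    for f in triage_attachment(info.filename, zf.read(info), depth + 1):
                        findings.append(f"archive>{info.filename}:{f}")
        except zipfile.BadZipFile:
            findings.append("corrupt_archive")
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip in memory; used only to construct the sample files below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples: minimal OOXML-shaped zips, not real Office documents.
SAMPLES = {
    "invoice.xlam": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba project",
    }),
    "report.xlsx": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
    }),
    "deck.ppam": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "ppt/vbaProject.bin": b"fake vba project",
    }),
}
# An archive hiding an add-in and a PE-looking executable, the pattern the report describes.
SAMPLES["invoice.zip"] = make_zip({
    "invoice.xlam": SAMPLES["invoice.xlam"],
    "scan.exe": b"MZ\x90\x00",
})

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname}: {triage_attachment(fname, blob) or 'nothing flagged'}")
```

The check is deliberately structural rather than signature-based: it does not matter what the VBA does, only that an add-in or a file inside an archive carries a VBA project or is directly executable. Encrypted archive members are flagged rather than ignored, because password-protected archives are a standard way to keep a payload away from gateway scanners.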