Evasive, basic, and encrypted malware all increased in Q4 2023, fueling a rise in total malware, according to WatchGuard.
Threat actors employ diverse tactics
Average malware detections rose 80% from the previous quarter, illustrating the substantial volume of malware threats arriving at the network perimeter. Geographically, most of the increase in malware instances affected the Americas and Asia-Pacific.
“The Threat Lab’s latest research shows threat actors are employing various techniques as they look for vulnerabilities to target, including in older software and systems, which is why organizations must adopt a defense-in-depth approach to protect against such threats,” said Corey Nachreiner, chief security officer at WatchGuard.
“Updating the systems and software on which organizations rely is a vital step toward addressing these vulnerabilities. Additionally, modern security platforms that are operated by managed service providers can deliver the comprehensive, unified security that organisations need and enable them to combat the latest threats,” added Nachreiner.
Approximately 55% of malware arrived over encrypted connections, which was a 7% increase from Q3. Zero-day malware detections jumped to 60% of all malware detections, up from 22% the previous quarter. However, zero-day malware detections with TLS fell to 61%, which was a 10% decrease from Q3, showing the unpredictability of malware in the wild.
Top 5 widespread malware detections
Among the top 5 most-widespread malware detections were JS.Agent.USF and Trojan.GenericKD.67408266. Both variants redirect users to malicious links, and both are loaders that attempt to install DarkGate malware on the victim’s computer.
Q4 showed a resurgence in script-based threats: scripts were the fastest-growing endpoint attack vector, with detected threats increasing 77% from Q3. PowerShell was the top attack vector the researchers saw hackers use on endpoints. Browser-based exploits also rose significantly, increasing 56%.
Four of the top 5 most-widespread network attacks were Exchange server attacks, each associated with one of the ProxyLogon, ProxyShell or ProxyNotShell exploits. One ProxyLogon signature has been present in the top 5 most-widespread signatures since Q4 2022, when it rose to second place among the most-widespread network attacks. These attacks illustrate the need to reduce reliance on on-premises email servers to mitigate security threats.
Cyberattack commoditisation continues
Cyberattack commoditisation continues, trending toward “victim-as-a-service” offerings. Glupteba and GuLoader were once again counted among the top 10 most prevalent endpoint malware in Q4, returning as two of the most prolific variants analysed during the quarter. Glupteba is worth noting as a particularly formidable and sophisticated adversary, due in part to how widely it targets victims on a global scale.
Offered as malware-as-a-service (MaaS), Glupteba’s malicious capabilities include downloading additional malware, masquerading as a botnet, stealing sensitive information, and mining cryptocurrency with tremendous stealth.
Once again in Q4, the Threat Lab reported a decline in ransomware detections compared to the previous quarter – observing a 20% decrease in overall volume for the last three months of 2023. Threat analysts also noted a decline in public ransomware breaches and attribute this trend to law enforcement’s ongoing takedown efforts of ransomware extortion groups.