Overview
After a second quarter marked by a significant disruption to the Necurs botnet and associated quiet in malicious document campaigns, the third quarter flipped the script with record-breaking message volumes. While the vast majority of these messages were distributing Locky ransomware, Q3 was also characterized by significant variety and evolution in other types of ransomware and banking Trojans.
On one hand, we observed increasing sophistication in malicious macros with new sandbox evasion techniques and more targeted attacks, as well as shifts in business email compromise (BEC) techniques. On the other hand, the volume of messages distributing Locky ransomware via malicious document attachments and attached JavaScript reached into the hundreds of millions on some days, with actors opting to blanket entire regions with their attacks.
Exploit kit (EK) activity leveled off at dramatically reduced levels from its January peak, but we uncovered malvertising operations leveraging EKs of unprecedented sophistication and scale. At the same time, we observed mobile exploit kits and mobile zero-days beginning to fill the void left by declining desktop EKs. Mobile and social threats related to popular phenomena like Pokémon GO and the Rio Olympics also made headlines.
Below are key takeaways from the third quarter of 2016.
Key Takeaways
- The volume of malicious email that used JavaScript attachments rose 69% compared to Q2 to their highest levels ever. New campaigns bearing varied attachment types broke volume records set in Q2, peaking at hundreds of millions of messages per day. JavaScript attachments continued to lead these very large email campaigns, with Locky ransomware actors also introducing new file attachment types.
- Most emails with malicious documents attached featured the popular ransomware strain Locky. Among the billions of messages that used malicious document attachments, 97% featured Locky ransomware, up 28% from Q2 and 64% from Q1, when Locky was discovered.
- The variety of new ransomware variants grew tenfold over Q4 2015. The variety of ransomware continued to increase, especially strains delivered by exploit kits. Among these EK-distributed variants, and in smaller email campaigns, CryptXXX remained the dominant ransomware payload, even appearing in a spam campaign.
- Cyber criminals continue to hone their techniques in BEC attacks. In BEC attacks, impostors pose as a high-ranking executive to trick his or her colleagues into wiring money. “Reply-to” spoofing has fallen roughly 30% since early 2016, while “display name” spoofing rose, making up about a third of all BEC attacks. The shift shows that attackers continue to evolve and adjust their techniques. None of this has displaced “ordinary” credential phishing, which continues to get more sophisticated.
- Banking Trojans diversified and actors personalized attacks. After a period of relative quiet, the popular banking Trojan Dridex reemerged in targeted campaigns that were larger than those of Q2 but still far smaller than the massive (at the time) campaigns of 2015. Other banking Trojans such as Ursnif also appeared in highly personalized campaigns totaling tens to hundreds of thousands of messages, a trend that began in Q2 and continued into Q3. At the same time, a wide range of banking Trojans were observed in malvertising campaigns as well.
- Exploit kit activity held steady but remains far below the peaks of 2015. Total observed EK activity fell 65% in Q3 from Q2 and is down 93% from its 2016 high in January, though the slide appears to have leveled off. With once-popular Angler gone, Neutrino gave way to RIG as the dominant EK over the course of Q3.
- Pokémon GO-related malware spawned malicious counterfeits. Malware in the form of malicious side-loaded clone apps, dangerous add-ons, and other risky apps grew out of the game’s popularity. Users can download apps from anywhere, and even the major app stores offer only limited screening of apps and updates.
- Mobile exploit kits and zero-day attacks targeted iOS and Android. Most mobile devices today have 10-20 exploitable zero-days. Roughly 30% of those are serious and could allow attackers to run malicious code on infected devices.
- Negative social media content is up. Negative or potentially damaging content such as spam, adult language, and pornography rose 50% over Q2.
- Social phishing has doubled since Q2. Social media is a breeding ground for credential and financial phishing, where attackers trick social media users into handing over account credentials. Fraudulent accounts—used for a type of attack we call angler phishing—led the way.
- Cross-pollination between mobile and social takes off. High-profile phenomena such as the Rio Olympics and Pokémon GO created openings to spread mobile malware, including mobile zero-day exploits, over social media.
Click here to read the full Proofpoint Q3 Threat Summary.