In spite of the prevalence of more sophisticated attacks, traditional email continues to be the favored method for malicious actors, accounting for 79% of threats, according to recent research conducted by HP Wolf Security. Although this figure represents a slight decrease from the previous year, it underscores the challenges faced by email administrators. Web browser downloads also experienced a marginal decline of 1%, making up 12% of attack vectors, while removable media attacks increased to 9%.
Researchers have observed that while attack patterns often follow established formulas, threat actors are increasingly combining different components to create unique and harder-to-detect attacks. Notably, HP’s analysis of QakBot infection chains in Q2 identified that 32% of the observed chains were unique.
During Q2 of 2023, QakBot spam activity surged, with malware distributors employing diverse file types to infect PCs. Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security, highlighted the team’s observation of continuous and rapid changes across various attack vectors. He cited the QakBot campaigns as an example, in which threat actors altered both their initial vectors and the techniques used within the infection chain.
Schläpfer also acknowledged the impact of Microsoft’s default disabling of macros, which prompted attackers to diversify their methods. He noted that in 2022, attackers experimented with newer techniques such as HTML smuggling, PDF lures, and OneNote documents, which do not rely on macros.
Schläpfer further noted that attacks primarily aimed to gain a foothold in systems rather than targeting specific entities. Statistics collected by HP in Q2 2023 revealed that over half (51.5%) of malicious email attachments were archives, while nearly a quarter (24.4%) were documents. PDFs accounted for 4.2%, and executables made up 1.5%.
The research also highlighted the growing creativity of attackers. In a recent campaign, multiple programming languages were employed to evade detection: the attackers encrypted the payload using Go, then switched to C++ to interact with the victim’s operating system, ultimately deploying .NET malware.
Schläpfer emphasized that attackers are becoming increasingly knowledgeable about their target systems, enabling them to exploit gaps and vulnerabilities more effectively. He noted that by identifying the right entry points, they can navigate internal systems effortlessly, employing simple techniques without triggering alarms.
Given the enduring prominence of email as an attack vector, administrators are advised to follow consistent precautions. Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, reiterated that while attack chains may differ, the root cause often remains the same: “It inevitably comes down to the user clicking on something.”
“Rather than attempting to anticipate the entire infection chain, organizations should focus on isolating and containing risky activities, such as opening email attachments, clicking on links, and downloading files through browsers.