Malware Trends and Tactics: 3 Things Companies Need To Do

Posted by Hugh Docherty on Fri, Aug 28, '15

Gary Warner, Malcovery's Chief Technologist, recently presented findings from our 2015 Q2 Malware Trends and Tactics report. The second quarter is notable for the diversity of campaigns that were observed. It's clear that there are more actors in the space, and many are experimenting with various crime tools in a variety of short-lived campaigns.

ChecklistMalcovery produced 540 reports during the second quarter related to email-based malware and phishing attacks. In each case, Malcovery's analyst team dissected the campaign to uncover how it was designed to penetrate your network perimeter. Every report contains a confirmed set of domains, hosts, and artifacts associated with the campaign. Given the variety of payload malware and downloaded applications observed and the number of new hosts and domains supporting the malware attack, it is more important than ever to act quickly on indicators provided by threat intelligence services.

There are 3 things that companies need to do based on this analysis.

  1. Automate consumption of threat intelligence.
  2. Beware of Microsoft Office attachments.
  3. Review how your team is using third party file sharing services.

More Automation. Faster Response. Better Protection.

A major theme of our recent report was the long tail that has evolved during 2015. The long tail of malware has evolved because of the use of new malware and droppers. Gary described significant experimentation among cyber criminals as they explore new ways to deliver their malware inside of the firewall. The chart below shows 143 “other" and unnamed malware campaigns observed during Q2 while only 62 were confirmed during Q1.

2015 Q2 Malware Distribution
2015 Q2 Malware Distribution

These campaigns used a mix of short lived and longer duration hosts to deliver and support malware. Using vetted indicators of compromise (IoCs) in your SIEM and other security appliances is an important part of your cyber defense program. Automating the consumption of a threat intelligence service that is high-signal and formatted for your security applications provides protection from mainstream and long tail malware families.

To achieve the necessary confidence for automation, all indicators need to be verified before being distributed to policy enforcement devices and applications. This is a key differentiator between threat data and threat intelligence. See Malcovery’s blog post about Deriving Malware Context for more information about our approach. 

View Webinar Now

Beware Microsoft Office Documents

Cyber criminals continue to use Microsoft Office documents and bypass controls InfoSec teams have in place to protect employees from malicious macros. Malcovery observed a 62% increase in the use of Office macros to download malware during Q2. This is the largest increase of any malware or loader. Furthermore, Office macros were delivering a variety of malware during this period, expanding on successful Dridex campaigns executed over recent months. 

Change in malware families and downloaders seen during 2015 Q2.

Office macros use the HTTP GET command to download malware. For a given malware campaign using this tactic, it’s relatively easy to change the hash of the infected Office document and the email subject line. However, there are relative few download sites and URLs used in support of the attack. Once the macros are analyzed, blocking and alerting rules can be implemented to prevent the malware from landing on your corporate devices even though the original email and attachment evaded your spam filter and endpoint controls.

You should also review your internal policies regarding the use of Office macros. If you cannot restrict macros using Group Policies or Trusted Locations, it's all the more important to block the malicious URLs and prevent the macro from downloading its payload.  

Sharing Sites or Snaring Sites?

The use of file sharing websites continues to grow as do the dangers associated with them. Companies should not whitelist consumer versions of these websites. Instead, extra caution should be taken and corporate editions should be implemented whenever possible. Corporate accounts have security controls such as encryption, IP-based access, and central management. URLs and hostnames also typically include your company name so policies can be written to allow communication with corporate file sharing sites while the risky consumer versions of the same services are blocked.

This past April, we detected a malware campaign using a clever combination of a consumer file sharing site and an Office macro. The campaign used a redirect feature of to send the victim to Dropbox which downloaded a Word document containing a macro which then used an HTTP GET command to download the malware payload. Malcovery customers can see another example of this kind of attack by referencing threat ID 4138. If you’re responsible for network security at your company and you would like a copy of this report, please email info at

Example: Office Macro with Dropbox Direct Link
File Sharing Example

The webinar and malware report also provides updates on the botnet infrastructure we saw during Q2 and the continued use of massively distributed malware to get a foothold inside of enterprises. We'll post more about this later. In the mean time, you can watch the webinar or download the full report for all the details.

Topics: Malware Intelligence, Protect Your Network

View Webinar Now