With half a year passed from the outbreak of COVID-19, the world is now trying to come to terms with the new normal. But even with the initial panic settled, and many countries easing up on their lockdown restrictions, cyberattacks exploiting the pandemic showed no sign of slowing down in Q2 2020, according to new ESET Threat Report Q2 2020.
ESET specialists saw a continued influx of COVID-19 lures in web and email attacks, with fraudsters trying to make the most out of the crisis. ESET telemetry also showed a spike in phishing emails targeting online shoppers by impersonating one of the world’s leading package delivery services — a tenfold increase compared to Q1. The rise in attacks targeting Remote Desktop Protocol (RDP) — the security of which still often remains neglected — continued in Q2, with persistent attempts to establish RDP connections more than doubling since the beginning of the year.
One of the most rapidly developing areas in Q2 was the ransomware scene, with some operators abandoning the — still quite new — trend of doxing and random data leaking, and moving to auctioning the stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers.
Ransomware also made an appearance on the Android platform, targeting Canada under the guise of a COVID-19 tracing app. ESET researchers quickly put a halt to this campaign and provided a decryptor for victims. Among many other findings, researchers: uncovered Operation In(ter)ception, which targeted high-profile aerospace and military companies; revealed the modus operandi of the elusive InvisiMole group; and dissected Ramsay, a cyberespionage toolkit targeting air‑gapped networks. Besides offering recaps of these findings, this report also brings exclusive, previously unpublished ESET research updates, with a special focus on APT group operations.
According to ESET telemetry, the top 10 malware detections in Q2 2020:
1. LNK/Agent trojan Q1 2020: 1 ↔ Q2 2020: 1
LNK/Agent is a detection name for malware utilizing Windows LNK shortcut files to execute other files on the system. Shortcut files have been gaining popularity among attackers, as they are typically considered benign and less likely to raise suspicion. LNK/Agent files don’t contain any payload and are usually parts of other, more complex malware. They are often used to achieve persistence of the main malicious files on the system or as a part of the compromise vector.
LNK/Agent is a detection name for malware utilizing Windows LNK shortcut files to execute other files on the system. Shortcut files have been gaining popularity among attackers, as they are typically considered benign and less likely to raise suspicion. LNK/Agent files don’t contain any payload and are usually parts of other, more complex malware. They are often used to achieve persistence of the main malicious files on the system or as a part of the compromise vector.
2. VBA/TrojanDownloader.Agent trojan Q1 2020: 2 ↔ Q2 2020: 2
VBA/TrojanDownloader.Agent is a detection typically covering maliciously crafted Microsoft
Office files that try to manipulate users into enabling the execution of malicious macros. Upon execution, the enclosed malicious macro typically downloads and executes additional malware. The malicious documents are usually sent as email attachments, disguised as important information relevant to the recipient.
3. Win/Exploit.CVE-2017-11882 trojan Q1 2020: 3 ↔ Q2 2020: 3
This detection name stands for specially crafted documents exploiting the CVE-2017- 11882 [49] vulnerability found in the Microsoft Equation Editor, a component of Microsoft Office. The exploit is publicly available and usually used as the first stage of compromise. When the user opens the malicious document, the exploit is triggered and its shellcode
executed. Additional malware is then downloaded onto the computer to perform arbitrary malicious actions.
4. DOC/TrojanDownloader.Agent trojan Q1 2020: 13 ↑ Q2 2020: 4
This classification represents malicious Microsoft Word documents that download further malware from the internet. The documents are often disguised as invoices, forms, legal documents, or other seemingly important information. They may rely on malicious macros, embedded Packager (and other) objects, or even serve as decoy documents to distract the recipient while malware is downloaded in the background.
5. HTML/Fraud trojan Q1 2020: 14 ↑ Q2 2020: 5
HTML/Fraud detections cover various types of fraudulent, HTML-based content, distributed with the aim of gaining money or other profit from the victim’s involvement. This includes scam websites, as well as HMTL-based emails and email attachments. In such an email, recipients may be tricked into believing they have won a lottery prize and are then
requested to provide personal details. Another common case is the so-called advance fee scam, such as the notorious Nigerian Prince Scam aka “419 scam”.
6. HTML/Phishing.Agent trojan Q1 2020: 6 ↔ Q2 2020: 6
HTML/Phishing.Agent is a detection name for malicious HTML code often used in a phishing email’s attachment. Attackers tend to use it instead of other file types, since executable attachments are usually automatically blocked or more likely to raise suspicion. When such an attachment is opened, a phishing site is opened in the web browser, posing as an official banking, payment service or social networking website. The website requests credentials or other sensitive information, which is then sent to the attacker.
HTML/Phishing.Agent is a detection name for malicious HTML code often used in a phishing email’s attachment. Attackers tend to use it instead of other file types, since executable attachments are usually automatically blocked or more likely to raise suspicion. When such an attachment is opened, a phishing site is opened in the web browser, posing as an official banking, payment service or social networking website. The website requests credentials or other sensitive information, which is then sent to the attacker.
7. JS/Agent trojan Q1 2020: 9 ↑ Q2 2020: 7
This detection name covers various malicious JavaScript files. These are often obfuscated to avoid static detections. They are typically placed onto compromised but otherwise legitimate websites, with the aim of achieving drive-by compromise of visitors.
This detection name covers various malicious JavaScript files. These are often obfuscated to avoid static detections. They are typically placed onto compromised but otherwise legitimate websites, with the aim of achieving drive-by compromise of visitors.
8. Win/HackTool.Equation trojan Q1 2020: 8 ↔ Q2 2020: 8
The detection name Win32/HackTool.Equation covers tools attributed to the United States National Security Agency (NSA) and made public by the hacking group Shadow Brokers. Soon after the leak, these tools became widely used by cybercriminals. The detection also includes malware derived from these leaked tools or threats using the same techniques.
The detection name Win32/HackTool.Equation covers tools attributed to the United States National Security Agency (NSA) and made public by the hacking group Shadow Brokers. Soon after the leak, these tools became widely used by cybercriminals. The detection also includes malware derived from these leaked tools or threats using the same techniques.
9. Win/Bundpil worm Q1 2020: 4 ↓ Q1 2020: 9
Win32/Bundpil is a worm capable of spreading via removable media. It is a part of Wauchos, one of the largest botnet families, also known as Gamarue or Andromeda. Bundpil was designed to enhance the persistence of Wauchos and to make it harder to perform a global takedown of its network. As part of this, it contains a domain generation algorithm and can alter DNS requests.
10. JS/Danger.ScriptAttachment trojan Q1 2020: 15 ↑ Q2 2020: 10
JS/Danger.ScriptAttachment is a generic detection name for malicious scripts included in email attachments. The main purpose of these malicious attachments is to download further malware to the affected computer. JS/Danger.ScriptAttachment has fueled many large-scale malspam campaigns, most notably those that distribute TrickBot, and often ransomware, as their final payloads.
For more information, visit https://www.eset.com/us/
