With half a year passed from the outbreak of COVID-19, the world is now trying to come to terms with the new normal. But even with the initial panic settled, and many countries easing up on their lockdown restrictions, cyberattacks exploiting the pandemic showed no sign of slowing down in Q2 2020, according to new ESET Threat Report Q2 2020.
LNK/Agent is a detection name for malware utilizing Windows LNK shortcut files to execute other files on the system. Shortcut files have been gaining popularity among attackers, as they are typically considered benign and less likely to raise suspicion. LNK/Agent files don’t contain any payload and are usually parts of other, more complex malware. They are often used to achieve persistence of the main malicious files on the system or as a part of the compromise vector.
2. VBA/TrojanDownloader.Agent trojan Q1 2020: 2 ↔ Q2 2020: 2
VBA/TrojanDownloader.Agent is a detection typically covering maliciously crafted Microsoft
Office files that try to manipulate users into enabling the execution of malicious macros. Upon execution, the enclosed malicious macro typically downloads and executes additional malware. The malicious documents are usually sent as email attachments, disguised as important information relevant to the recipient.
3. Win/Exploit.CVE-2017-11882 trojan Q1 2020: 3 ↔ Q2 2020: 3
This detection name stands for specially crafted documents exploiting the CVE-2017- 11882  vulnerability found in the Microsoft Equation Editor, a component of Microsoft Office. The exploit is publicly available and usually used as the first stage of compromise. When the user opens the malicious document, the exploit is triggered and its shellcode
executed. Additional malware is then downloaded onto the computer to perform arbitrary malicious actions.
4. DOC/TrojanDownloader.Agent trojan Q1 2020: 13 ↑ Q2 2020: 4
This classification represents malicious Microsoft Word documents that download further malware from the internet. The documents are often disguised as invoices, forms, legal documents, or other seemingly important information. They may rely on malicious macros, embedded Packager (and other) objects, or even serve as decoy documents to distract the recipient while malware is downloaded in the background.
5. HTML/Fraud trojan Q1 2020: 14 ↑ Q2 2020: 5
HTML/Fraud detections cover various types of fraudulent, HTML-based content, distributed with the aim of gaining money or other profit from the victim’s involvement. This includes scam websites, as well as HMTL-based emails and email attachments. In such an email, recipients may be tricked into believing they have won a lottery prize and are then
HTML/Phishing.Agent is a detection name for malicious HTML code often used in a phishing email’s attachment. Attackers tend to use it instead of other file types, since executable attachments are usually automatically blocked or more likely to raise suspicion. When such an attachment is opened, a phishing site is opened in the web browser, posing as an official banking, payment service or social networking website. The website requests credentials or other sensitive information, which is then sent to the attacker.
The detection name Win32/HackTool.Equation covers tools attributed to the United States National Security Agency (NSA) and made public by the hacking group Shadow Brokers. Soon after the leak, these tools became widely used by cybercriminals. The detection also includes malware derived from these leaked tools or threats using the same techniques.
9. Win/Bundpil worm Q1 2020: 4 ↓ Q1 2020: 9