While the fourth quarter of 2019 saw a decrease in total malware volume, a key global trend also unfolding within the period was the use of macro-enabled documents for malware delivery.
This is according to Cofense, the leading provider of intelligent phishing defence solutions, which recently released its Q4 2019 Malware Trends Report, giving insight into the malware families, delivery methods and campaigns that were prominent globally during the past quarter. Cofense is distributed throughout sub-Saharan Africa by value-added distributor Networks Unlimited Africa.
Stefan van de Giessen, General Manager: Cybersecurity at Networks Unlimited Africa, notes: “The intention of a macro is to assist with automating repetitive tasks. Macros can be found in Microsoft Office documents such as Word, Excel and PowerPoint, containing embedded code written in a programming language known as Visual Basic for Applications (VBA).
“However, threat actors can write VBA code to create macros that do harmful things and are embedded in documents that are then distributed online. Despite awareness and security efforts, macro-enabled documents continue to find their way into users’ inboxes. These documents are an initial intrusion vector for several malware families, such as the Emotet trojan. Few companies can completely disable macros, as they provide a valuable function in many environments.”
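One defender-side check that follows from the quote above is to look inside an Office file for the parts that carry VBA before it reaches a user. The example below is added here and is not code from the article, from Cofense or from Networks Unlimited; it assumes only the Office Open XML packaging layout (a zip containing `[Content_Types].xml` and, for macro-enabled files, a `vbaProject.bin` part) and builds its own minimal sample packages inline, which are constructed test data rather than real Word documents.

```python
import io
import zipfile

# Indicators that an Office Open XML package (docm/xlsm/pptm, or a docx with a
# smuggled VBA part) carries a macro project.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",  # content type of the VBA part
    "macroEnabled",                          # e.g. ...macroEnabled.main+xml
)
# Magic bytes of the pre-2007 binary (OLE2/CFB) formats such as .doc and .xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators are present in the given file bytes.

    ooxml:              the bytes are a zip package
    vba_part:           a vbaProject.bin part exists anywhere in the package
    macro_content_type: [Content_Types].xml declares a macro-enabled type
    legacy_ole:         pre-2007 binary format; inspecting its VBA streams
                        needs an OLE parser (e.g. the olefile library), which
                        this example deliberately does not attempt
    """
    result = {"ooxml": False, "vba_part": False,
              "macro_content_type": False, "legacy_ole": False}
    if data.startswith(OLE2_MAGIC):
        result["legacy_ole"] = True
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["ooxml"] = True
            names = zf.namelist()
            result["vba_part"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = any(m in ct for m in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        pass  # not a zip package at all; every indicator stays False
    return result


def has_vba_macro(data: bytes) -> bool:
    """True when either OOXML indicator says the file carries a VBA project."""
    ind = macro_indicators(data)
    return ind["vba_part"] or ind["macro_content_type"]


def build_sample_package(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (constructed data,
    not a real document; it will not open in Word)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml"
                 if with_vba else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type]
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample_package(True)),
                        ("plain", build_sample_package(False))):
        print(label, has_vba_macro(blob), macro_indicators(blob))
```

The two indicators are checked independently on purpose: a file renamed to `.docx` can still carry a `vbaProject.bin` part, and a package whose content types declare a macro-enabled document is worth flagging even if the VBA part has been stripped or renamed. A mail gateway or endpoint rule that only trusts the file extension misses both cases.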
Emotet is a banking trojan and botnet that spreads through malicious emails and harvests financial information by injecting code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be stolen in transit. The Cofense Report notes the prominence of Emotet in the last quarter of 2019, continuing its rise from Q3, and with it a corresponding sharp rise since the third quarter in macro-enabled documents as a malware delivery mechanism.
The lures Emotet used in its malicious emails during Q4 2019 included fake financial invoices and invitations to a Christmas party, along with other phishing bait. The Cofense report notes that other malware families were not as prolific, decreasing in volume as the quarter went on.
“As the report notes, Emotet is one of a number of threats currently facing organisations,” comments Van de Giessen, “and so it is imperative to understand the current phishing landscape, as well as its future evolutions, to help organisations protect themselves from security breaches.”
According to the Cofense report, Emotet is likely to continue its infections into 2020, also noting: “On the malware front, Windows 7’s end-of-life will probably lead to the creation of new malware and look for targeted ransomware to continue growing. 2020’s election season may bring about more phishing, while geopolitical events can result in more cyber threats.”
The report also fingered the information stealer, Loki Bot, which took the top spot as the most prevalent non-Emotet malware, with the Agent Tesla keylogger in second place. It is possible that less-experienced threat actors have preferred Loki Bot over its competition because of its easy deployment and low maintenance, enabling more distribution with less effort.
“This report is another example of the invaluable information that comes from Cofense Intelligence, as well as the range of factual data that it is able to provide,” comments Van de Giessen, “and underscores the increasingly sophisticated world of threat actors.”
“This all goes to emphasise, once again, that technology alone is not enough when we try to assist both individuals and organisations to fight against cybercrime. The consistent ethos behind Cofense’s solutions is to unite people with technology, offering human-focused phishing defence solutions which enable people to identify, report, and mitigate such threats as spear phishing and malware,” he concludes.