Latest Intelligence for March 2017 

Apr 14, 2017 08:56 AM

Key takeaways from March’s Latest Intelligence, and the threat landscape in general, include the number of blocked web attacks reaching its highest level since July 2016, Symantec blocking almost two million malicious emails from the Necurs botnet on its first day back in action, and the discovery of further evidence linking the Lazarus group to attacks on Polish banks.

Web attacks

The number of web attacks blocked by Symantec in March increased to 584,000 per day, up from 394,000 the previous month. March saw the highest level of web attacks blocked since July 2016.

In terms of exploit kits, the top three kits remained the same as last month with RIG (13.6 percent of all exploit kit activity), SunDown (3.1 percent), and Magnitude (1.5 percent) taking first, second, and third place respectively. 

Figure 1. Web attacks blocked by Symantec increased to 584,000 in March

RIG was observed delivering the Gootkit financial malware (Trojan.Gootkit) in March as part of a campaign known as EITEST—a malware campaign first identified in 2014 which uses large numbers of compromised websites to redirect victims to the campaign’s exploit kit of choice. In March, RIG was also noted as distributing a new ransomware called PyCL. However, the malware was not fully functional and was distributed for only one day, leading researchers to believe it was a test run for a future campaign. Symantec detected the samples as Ransom.Cerber and Trojan.Gen.2 and continues to monitor for PyCL activity.

Malware

While the number of new malware variants detected in March (77.5 million) is down from the previous month (94.1 million), it remains significantly higher than the beginning of the year (32.9 million). The higher number of malware variants detected this year is likely caused by increased levels of activity from the Kotver family of threats (Trojan.Kotver). 

Figure 2. Number of new malware variants remains significantly higher than the beginning of the year

At 1 in 668 emails, the email malware rate for March is down slightly from February (1 in 635 emails). This year so far has seen email malware rates much lower than the previous year, with 1 in 98 emails in December containing malware. However, the recent return of the Necurs botnet (Backdoor.Necurs), following a three-month hiatus, could well see next month’s email malware rate increase. Upon Necurs’ return near the end of March, Symantec blocked almost two million malicious emails on the first day alone, and has been regularly blocking in excess of 100,000 emails per hour during the hours the botnet is active.

March also saw Symantec continue its investigation into the attack group known as Lazarus. The group was responsible for attacks against Polish banks in March and Symantec found further evidence linking Lazarus to those attacks.

Spam

There was a slight increase in the global spam rate in March, up 0.1 percentage points to 53.8 percent. However, as previously mentioned, the return of Necurs has brought with it a new wave of spam campaigns which could see this figure increase next month. 

Figure 3. Spam rate increased slightly in March

March also saw Symantec researchers publish two blog posts on interesting spam campaigns they discovered. The first involved spammers targeting financial institutions and using social engineering to trick employees into installing fake security software, which turned out to be an information-stealing Trojan (W32.Difobot). The second post covered a campaign targeting users in Germany. The emails used detailed personal information about their victims to enhance the messages’ credibility. Victims of the campaign were infected with the banking Trojan Trojan.Nymaim.B.

This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.
