Browser And Email: Top Attack Channels For Malware Delivery

We at F-Secure Labs continuously monitor the prevalent threats that customers commonly encounter. Observing the threat landscape, we investigate the infection vectors that cyber criminals use, and we try to find effective ways to protect customers from such attacks.

Below are the top 10 detections that protect our users; the top two pertain to exploit kits and spam.

[Image: top10_worldmap_20160428, top 10 detections on our world map]

First, let’s look at the highest-ranking detection.

Browser Attack: Angler Exploit Kit

Our detection Exploit:JS/AnglerEK.D for Angler EK (currently the most active exploit kit) usually ranks near the top of our world map statistics.

In the last 24 hours, it looks like it has launched an aggressive campaign again.

[Image: AnglerEK_hits_20160428, Exploit:JS/AnglerEK.D hits over the last 24 hours]

Users usually get infected by visiting a compromised website with injected redirector scripts, or through malicious ads (malvertising). In this campaign, the hits came from compromised websites, with some also arriving via the OpenX ad platform.

[Image: angler_adplatform_blur, Angler EK hits arriving via the OpenX ad platform (blurred)]

Angler EK continues to deliver Bedep, which is known to install a click-fraud trojan and, more recently, the CryptXXX ransomware as well.

[Image: angler_saz_20160427_blur, Angler EK traffic capture from 2016-04-27 (blurred)]

Email Attack: JavaScript Downloader

The second highest in our statistics is our detection for JavaScript downloaders, Trojan:JS/Kavala.D. These downloaders usually arrive through spam as a .js file inside a ZIP attachment. Below are email samples from the current spam campaign that caused the spike in our telemetry.

[Image: locky_spam1, spam email sample carrying the JavaScript downloader]

[Image: locky_spam2, second spam email sample]

For months we have seen increasing use of JavaScript files as downloaders in spam campaigns delivering malware such as Locky, TeslaCrypt, Dridex, GootKit, Kovter, Boaxxe, and Gamarue. The spam arrives with varied themes such as “Invoice”, “photo sharing”, “payment/order”, “resume”, “scanned image”, “Visa rewards”, “DHL notification”, “insurance”, and “Amazon order”, as attackers cast a wider net to increase victim coverage.

Here are some examples of the filenames used by the JavaScript downloaders (note the double extension in the .pdf.js name, which Windows Explorer shows as a .pdf when known extensions are hidden, and the encoded JScript .jse variant):

0061705_006774.js
CAN0000013502.js
20160403_914618_resized.js
01c4b975.js
details.jse
63e0f3bc.js
2016 Sales Invoice 700422016.pdf.js
bill.js
copy.js
ADCWYuEi.js
dino kennedy.js

In this particular campaign, the JavaScript downloader attempts to deliver the Locky ransomware.

[Image: locky_blur, Locky ransom message (blurred)]

These two detections on our world map indicate that the browser and email are the top attack channels for delivering malware.

As a reminder, we advise customers to always keep their browser and plugins such as Flash Player and Silverlight updated to the latest version, and to disable the plugins when not in use. As for spam, we advise users to be wary of email attachments, in particular script files such as .js inside ZIP archives.
