Browser And Email: Top Attack Channels For Malware Delivery

We at F-Secure Labs continuously monitor the prevalent threats that customers commonly encounter. Observing the threat landscape, we investigate the infection vectors that cyber criminals use, and we try to find effective ways to protect customers from such attacks.

Below are our top 10 detections that protect our users; the top two pertain to exploit kits and spam.


First, let’s look at the highest-ranking detection.

Browser Attack: Angler Exploit Kit

Our detection Exploit:JS/AnglerEK.D for Angler EK (currently the most active exploit kit) is usually one of the top entries in our world map statistics.

In the last 24 hours, it looks like it has launched an aggressive campaign again.


Users usually get infected by visiting a compromised website with injected redirector scripts or malicious ads (malvertising). In this campaign, the hits were coming from compromised websites, and there were also some coming via the OpenX ad platform.


Angler EK continues to deliver Bedep, which is known to install a click-fraud trojan and has recently also been installing the CryptXXX ransomware.


Email Attack: JavaScript Downloader

The second highest in our statistics is our detection for JavaScript downloaders: Trojan:JS/Kavala.D. These JavaScript downloaders usually arrive through spam as an attachment inside a ZIP archive. Below are email samples of the current spam campaign that caused the spike in our telemetry.



For months, we have seen an increase in the use of JavaScript files as downloaders in spam campaigns to deliver malware like Locky, TeslaCrypt, Dridex, GootKit, Kovter, Boaxxe, and Gamarue. The usual spam arrives with various themes such as “Invoice”, “photo sharing”, “payment/order”, “resume”, “scanned image”, “Visa rewards”, “DHL notification”, “insurance”, and “Amazon order” as attackers attempt to cast a wider net to increase victim coverage.

Here are some examples of the filenames used by the JavaScript downloaders:

2016 Sales Invoice 700422016.pdf.js
dino kennedy.js

In this particular campaign, the JavaScript downloader attempts to deliver the Locky ransomware.
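The attachment pattern described above (a script file inside a ZIP, often with a decoy document extension in front of the real .js extension) is easy to triage at a mail gateway. The following is an added example, not F-Secure's detection logic: a small Python check that opens a ZIP attachment and flags script-type members and double-extension disguises, using a constructed sample archive with the campaign's filenames and harmless placeholder content.

```python
import io
import zipfile

# Extensions Windows Script Host or the shell will execute on double-click (hypothetical rule set).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document/image extensions commonly used as the decoy part of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}


def classify_filename(name: str) -> dict:
    """Return findings for one attachment filename: is it a script, and is it disguised?"""
    lower = name.lower().rsplit("/", 1)[-1]  # drop any folder prefix inside the archive
    parts = lower.split(".")
    findings = {"name": name, "script": False, "double_extension": False, "error": False}
    if len(parts) < 2:
        return findings  # no extension at all
    findings["script"] = ("." + parts[-1]) in SCRIPT_EXTENSIONS
    # "invoice.pdf.js": a decoy extension immediately before a script extension.
    if findings["script"] and len(parts) >= 3 and ("." + parts[-2]) in DECOY_EXTENSIONS:
        findings["double_extension"] = True
    return findings


def scan_zip_attachment(data: bytes) -> list:
    """Inspect a ZIP attachment and return the members a gateway should hold for review."""
    suspicious = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                f = classify_filename(info.filename)
                if f["script"]:
                    suspicious.append(f)
    except zipfile.BadZipFile:
        # Corrupt or not a ZIP: surface it rather than silently passing the attachment.
        suspicious.append({"name": "<unreadable zip>", "script": False,
                           "double_extension": False, "error": True})
    return suspicious


def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the campaign's filenames (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2016 Sales Invoice 700422016.pdf.js", "// placeholder, not a downloader")
        zf.writestr("dino kennedy.js", "// placeholder")
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip())` returns the two .js members, with only the first marked as a double-extension disguise.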


Locky Ransom Message

These two detections on our world map indicate browser and email as top attack channels in delivering malware.

As a reminder, we advise customers to always update their browser to the latest version, and plugins such as Flash Player and Silverlight – we also recommend disabling them when not in use. As for spam, we advise users to be wary of email attachments.
