Just as the COVID-19 pandemic changed the way we live and work, malware operators changed the way they attack enterprise targets. Last year businesses saw Windows malware detections drop and Mac detections rise as criminals tossed old tactics and focused on targeted attacks.
In the "2020 State of Malware" report, Malwarebytes researchers explore how attack techniques changed among criminals who sought to steal information and prey on victims' fears with more advanced threats. Windows malware detections dropped 24% for businesses and 11% among consumers. Mac malware detections went up 31% for companies but down 40% for consumers.
The most obvious attack pattern across Windows, Mac, and Android came down to data theft, says Adam Kujawa, director of Malwarebytes Labs. COVID-19 changed so much about the way businesses operate; in doing so, it created a new target profile many criminals never considered: people working from home, accessing corporate resources from corporate laptops.
"So the bad guys now had to target folks who aren't where they are 'supposed to be,'" Kujawa explains. Employees are no longer falling for spear-phishing attacks from their office machines.
"When chaos and confusion rise in the cybercrime world, they tend to both lean on what works and do what they can to prepare for the next stage of attack," he continues.
To prepare for this shift, attackers deployed malware aimed at gathering information, specifically financial data and cryptocurrency wallets. They joined systems to botnets and created backdoors for future access, getting a sense of what people had access to and how vulnerable they were to attack.
These information stealers, spyware, backdoors, and remote access Trojans (RATs) helped criminals figure out how to attack employees in their new environments, which drove the decline in malware detections in the first half of 2020. In the second half, researchers saw the return of big attackers like Trickbot and Emotet; however, they weren't using the same tactics.
Attackers spent the second half of 2020 "experimenting," launching campaigns with less concern about being stopped and greater confidence in their ability to quickly compromise networks. Researchers noticed upgrades, new exploits added, new tools being utilized, and a new trend of Remote Desktop Protocol brute-forcing that results in manual infection, he says.
"I think these groups are empowered by limited security staff protecting corporate endpoints," Kujawa adds, noting that "less users on endpoints in an office reduces eyes that might notice something odd happening on the network."
A Window Into Windows
The top detections for business Windows machines included Dridex, a banking and information stealing Trojan that spiked 973% in detections between 2019 and 2020. Farfli, a backdoor bot that gives criminals an entry point they can use or sell, went up 566%. The research also reflects increases in BitCoinMiner and KMS, a detection meant to identify software that enables people to use Microsoft software illegally. Detections of KMS spiked 2,251% in 2020, the report states.
"This suggests, along with the rest of our data, that the disruption from COVID-19 affected both victims and attackers, as many popular forms of malware used in 2019 were benched in favor of either new malware families or re-investment in existing and older malware families," the researchers explain in their report.
Hacking tools, which went up 173%, and information stealers "really took the crown" last year for enterprise threats targeting Windows, Kujawa says, noting that hacking tools were most concerning given how often researchers saw detections used for intrusion and attack. Mimikatz has appeared more often over the past couple of years but spiked in 2020, along with detections for tools like Cobalt Strike, which can aid attackers in quickly exploring and infecting a network.
Ransomware has continued to threaten Windows, though not in the usual ways. He points to "a big push" by attackers to steal data they can leak or sell online, a move called "double extortion" that has reportedly earned attackers more money than encrypting files alone.
"This new tactic in ransomware activity means that the confidence the criminals would attempt to establish with the victim is no longer needed," Kujawa says. "This erodes the victim's ability to negotiate with the actor and leaves them in a far worse place than if only their files were encrypted."
Mac Attacks: What's New and Different
Mac malware detections fell from the all-time high Malwarebytes reported in 2019, primarily due to a drop in detections of adware and potentially unwanted programs (PUPs). However, Mac threats targeting businesses increased 31% between 2019 and 2020, and the detections for consumer and enterprise Macs were quite different.
In consumer products, PUPs made up more than 75% of all detections and adware made up the rest. For midsize to large businesses, PUPs only made up one-third of detections, while adware accounted for nearly two-thirds. Smaller businesses saw similar numbers to consumer devices, with more PUP detections. Business machines saw far more malware as well, researchers say.
The data indicates the main threats to enterprise environments are malware and adware. Of all malware detections on macOS, the top 10 malware families made up more than 99% of the total. Families like ThiefQuest, the most unusual malware researchers saw in 2020, experienced a major spike. ThiefQuest spread through seemingly legitimate installers found on torrent sites; these installers dropped malware in addition to the expected software, researchers explain. Infected Macs would start to see files getting encrypted.
Most non-adware malware activity on macOS has come from targeted attacks, much of which is from nation-state attackers such as North Korea or China, Malwarebytes reports. While there was non-targeted Mac malware in 2020, it was "relatively limited."
Last year's increase in enterprise Mac threats may be linked to a greater intent by malware authors to use Macs as a stepping stone onto the corporate network, Kujawa suggests. Alternatively, the shift to work-from-home by employees using corporate Mac laptops could be causing them to face more threats due to the lack of IT security umbrella.
Picking a Target: Mac vs. Windows
Attacks targeting Windows and Mac devices usually differ for one of two reasons: Attacks only work on a specific OS or the profile of the target behind the machine, Kujawa says.
"Windows tends to give attackers the most capability in attacking a system," Kujawa says. "The ecosystem for Windows allows for all kinds of apps, from all types of developers, with very little [if any] oversight by Microsoft in what becomes available for the operating system."
This makes Windows a better business option, as they have more freedom and customization available, but it could also lead to more vulnerabilities, exploits, and flaws being abused by cybercriminals, he says.
Macs, alternatively, are harder to target because Apple's limitations on the App Store limit what users and applications are able to do and modify within the OS. This may reduce the usefulness of the OS in some cases, but it makes the Mac a more difficult target compared with Windows, technically speaking, Kujawa explains. Attackers targeting each of these operating systems tend to differ because a single malware family won't work on both – unless it's designed to do so, which he says "is very rare and very hard."
"A Mac attack might require additional social engineering of the victims," he explains. "We see a lot of Mac infections occur because of torrent downloads and/or misleading information about an app that the user installs."
The same goes for Android, which has locked down its operating system to the extent that it's almost entirely up to social engineering, or a lack of monitoring for Google's app store, for a successful malware infection. For this reason, Kujawa says, most Android infections come from third-party app stores. Android users have the freedom to download and install software from wherever they choose; however, this additional freedom may contribute to additional risk.
What to Watch in 2021
Businesses should continue to be concerned about internal hacking tools such as Cobalt Strike and local administrator tools, as researchers notice a spike in "living off the land" attacks. IT security teams should lock down which applications are allowed to run and who is allowed to run them. Many of these tools are seen as legitimate and won't raise an alert until it's too late.
Ransomware will also continue to pose a threat, says Kujawa, who notes researchers observed attackers switching tactics and the emergence of big ransomware families such as Maze and Egregor. The rise of "double extortion" attacks, combined with an increase in malware that can spread laterally, will pose a threat to businesses in the year ahead.
Spyware and backdoors should also be top of mind, he notes. Much of the malware distributed toward the start of the pandemic was designed to provide data and/or access to future attackers, and many of these infections were distributed using a COVID-19-related lure. Kujawa advises businesses to take the time to clean out their systems and check for backdoors that could be used to launch a ransomware attack or other operation when an attacker sees fit.