Cybercriminals chaining different attack combinations together to evade detection: HP report

Cybercriminals are chaining different combinations of attacks together to sneak past detection tools, according to HP Inc.'s quarterly HP Wolf Security Threat Insights Report.

The report, based on data gathered from millions of endpoints running HP Wolf Security, reveals several key findings:

• Cyber attackers are employing formulaic attack chains but adding creative twists to evade detection.QakBot campaigns, in particular, displayed uniqueness, with 32% of analyzed infection chains in Q2 being distinctive. Threat actors switched up file types and techniques to bypass detection tools and security policies.
• Attackers behind the Aggah campaign concealed malicious code within the popular blogging platform Blogspot. This tactic makes it difficult for defenders to tell if users are reading blogs or launching attacks. Attackers leveraged knowledge of Windows systems to disable anti-malware capabilities, deploying XWorm or the AgentTesla Remote Access Trojan (RAT) to steal sensitive information.
• Aggah attacks leveraged a DNS TXT record query to deliver the AgentTesla RAT. Knowing that the DNS protocol is not often monitored or protected by security teams renders this attack highly challenging to detect.
• Recent campaigns employed multiple programming languages to evade detection. A crypter written in Go was used to encrypt the payload, evading anti-malware scanning. It then switched to C++ to interact with the victim’s OS, running .NET malware in memory, leaving minimal traces.

Further, the HP Wolf Security Threat Insights Report details the diversification of attack methods by cybercriminal groups to evade detection and bypass security policies. Notable findings include:

• Archives continue to remain the most popular malware delivery method, accounting for 44% of cases analyzed by HP
• Q2 witnessed a 23% increase in HTML threats thwarted by HP Wolf Security compared to Q1.
• The top threat vectors in Q2 were email (79%) and browser downloads (12%).

"Today's attackers are becoming better organized and more knowledgeable. They research and analyze operating system internals, making it much easier for them to exploit the gaps. By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm," said Patrick Schläpfer, Senior Malware Analyst at the HP Wolf Security threat research team.