Malware kits helping attackers evade detection tools and breach organizations

Thriving cybercriminal marketplaces are offering low-level attackers all the ingredients to bypass detection, making it easier for them to breach organizations and steal sensitive data, according to HP's quarterly Wolf Security Threat Insights Report.

The report, based on data from millions of endpoints running HP Wolf Security, reveals that a new campaign targeted organizations with fake shipping documents concealing Vjw0rm JavaScript malware, allowing it to slip past email defenses and reach endpoints. The attack analyzed by HP delivered Houdini, a 10-year-old VBScript RAT.

"With the right pre-packaged tools from cybercrime marketplaces, hackers can still use vintage malware effectively by abusing the scripting features built into operating systems," the report says.

Secondly, a "Parallax RAT" campaign was caught launching two threads - Jekyll and Hyde - when a user opened a malicious scanned invoice designed to trick users. The Jekyll thread opens a decoy invoice copied from a legitimate online template while Hyde runs the malware in the background. This attack would be easy for cybercriminals to carry out as pre-packaged Parallax kits have been advertised on hacking forums for USD 65 per month.

Attackers are also hosting fake malware-building kits on code-sharing platforms like GitHub to trick wannabe threat actors into infecting their own machines. One popular malware kit, XWorm, is advertised on underground markets for as much as USD 500.

According to the report, attacks using exploits in Excel (91%) and Word (68%) formats increased in Q3. There was a 5%-point rise in PDF threats isolated by HP Wolf Security compared to the previous quarter. The report identified email (80%) and downloads from browsers (11%) as the top threat vectors in Q3.

"While the tools for crafting stealthy attacks are readily available, threat actors still rely on the user clicking. To neutralize the risk of pre-packaged malware kits, businesses should isolate high-risk activities, like opening email attachments, link clicks, and downloads. This significantly minimizes the potential for a breach by reducing the attack surface," said Alex Holland, Senior Malware Analyst in the HP Wolf Security threat research team.