Malware targeting Microsoft Office soared last year, according to the Malwarebytes State of Malware report. Infections involving the Microsoft Office software cracker, KMS, jumped by 2,251%. It wasn’t alone. Banking malware Dridex was up 973%, and new malware strains emerged.
Other attacks such as applications monitoring user activity (up 565%) and spyware (1,055%) also showed a dramatic increase. However, not everything is bad. Despite these headline increases, Malwarebytes says overall, malware detections on Windows and Mac computers decreased in 2020.
“This past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough,’” said Marcin Kleczynski, CEO of Malwarebytes.
“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before.”
Employers and cybercriminals using spyware
2020 saw many businesses pivot to support remote workers. While business IT struggled initially to put the right systems in place, cybercriminals did not. They were quick to pivot to new attacks that take advantage of a remote workforce. What isn’t clear from this report is how many attacks were masked by the changes to working practice.
Take monitoring and spyware, for example. 2020 saw employers deploy apps to monitor their newly remote workforce. In July, Avast reported a surge in the deployment of such software. This was followed by the UK ICO investigating Barclays Plc over its use of tracking software from Sapience.
The question here is, how many of the detections from Malwarebytes were company software and how many were down to cybercriminals?
Use of HackTools also jumped
The deployment of HackTools also saw a significant increase on both consumer (+147%) and business devices (+173%). Malwarebytes reports 15.88 million detections on consumer devices and over 2.5 million on business machines. It believes that these are the start of a multi-stage attack process. The first stage gathers information about users from local devices, and the second uses that data to compromise businesses.
Importantly, Malwarebytes highlights that this is not just about cybercriminals. The report states: “HackTools surged in detections against businesses as well, which is represented by the increase in use of commercially developed and offered ‘hacking tools’ to launch attacks or compromise systems.” This increase in commercial tools is a significant cause for concern.
One HackTool that has been seen is the KMS software cracker for Microsoft Office. It is used to allow people to bypass the Microsoft licence agreement. What is not clear is how many of the uses are confined to small businesses compared to mid-sized or larger enterprises. Most uses are likely to be on personal devices rather than business machines.
Using these tools is about more than just software theft. Many of these tools require antivirus software on the local machine to be disabled. This allows malware writers to add new “features” to the HackTool. It allows the tool to steal user credentials from online banking, social media and enterprise systems.
In addition to KMS, Malwarebytes has seen spikes in other HackTools such as Equation, Mimikatz and Cain.
Greater focus and industry initiatives reducing some attacks
There have been industry-led initiatives to take down some of the most aggressive malware in the past year. Trickbot and Emotet have both been disrupted, albeit for short periods. The impact of those actions is one of the reasons Malwarebytes is reporting a significant fall in detections, with Emotet down 89% and Trickbot down 68%. Both have shown an ability to recover after attempts to take them offline.
However, this is not all about coordinated action against these operations. Malwarebytes believes that another factor is more sophisticated and targeted malware use. The old days of spray and pray are disappearing, as that approach gives researchers access to campaigns and indicators of compromise.
Instead, Malwarebytes reports: “What we see with Emotet today is that the groups are pickier about who they target. This should result in a greater success rate, and, as an added bonus for the attacker, if the distribution attack fails, the malware could still be used against another victim without fear of detection.”
Enterprise Times: What does this mean?
There is a lot in this report which, at 94 pages, is not a quick read. Not covered here but mentioned in the report is an increase in ransomware, the emergence of new malware families and a new attack against Mac computers.
What is concerning is that users, potentially with the tacit approval of employers and IT teams, use HackTools that negatively impact security. At the same time, employers are masking surveillance attacks against users through their own use of monitoring software and spyware to make sure employees are at their home office desks.
It will be interesting to see how many of the changes that 2020 brought are continued through 2021. Remote working on a big scale is here to stay, which is good news for cybercriminals. The question that remains is, can employers do a better job of securing their employees’ computers?