Emotet Conquers the Malware Top Position

Number of threats detected from malicious Emotet spam campaigns rises 27 per cent.

In Q1 2022, Emotet climbed 36 places in the threat rankings compared to the last quarter of 2021, according to the latest global HP Wolf Security Threat Insights Report, which analyses real-world cybersecurity attacks. A large-scale attack campaign targeted Japanese businesses and included hijacking existing email threads to infect recipients’ PCs. The campaign was largely responsible for an 879 per cent increase in captured .XLSM (Microsoft Excel) malware samples compared to the previous quarter.

As Microsoft continues to disable macros, disguised alternatives to malicious Microsoft Office documents are becoming increasingly popular. In line with this, HP is seeing an increase in non-Office formats compared to the previous quarter, including malicious Java archive files (+476 per cent) and JavaScript files (+42 per cent). Such attacks are harder for companies to defend against.

HTML smuggling is on the rise

The average file size of HTML threats increased from 3 KB to 12 KB, indicating a rise in HTML smuggling. In this technique, cybercriminals embed malware directly into HTML files, enabling them to bypass email gateways and avoid detection before gaining access and stealing important data. Recent campaigns have targeted Latin American and African banks.
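The two observations above (malware carried inside the HTML file itself, and the jump in average HTML attachment size) suggest a simple triage check a mail gateway or SOC analyst can run. The following is an added example, not code from HP or the report: a heuristic scanner that looks for the browser APIs typically used to reconstruct an embedded payload, measures any long base64 run, decodes it to sniff the file type, and weighs the file size against the 12 KB average the report cites. The indicator list, scoring weights and both HTML samples are assumptions constructed for this example; the "archive" in the suspicious sample is a zero-filled placeholder with a ZIP-style header, not a real file.

```python
import re
import base64
from dataclasses import dataclass

# Assumed indicator set for HTML smuggling triage (not HP's detection logic).
# Each pattern corresponds to a step a smuggling page needs in order to turn an
# embedded string back into a downloadable file inside the recipient's browser.
INDICATOR_PATTERNS = {
    "js_base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "download_attr": re.compile(r"<a\b[^>]*\bdownload\s*=", re.I),
    "download_prop": re.compile(r"\.download\s*="),
}
# A long uninterrupted base64 run is the embedded payload itself.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")

# Magic bytes used to name the decoded payload type.
MAGIC = [
    (b"MZ", "pe_executable"),
    (b"PK\x03\x04", "zip_archive"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole_document"),
]


def sniff(data: bytes) -> str:
    """Return a coarse file-type label for the decoded blob."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


@dataclass
class Verdict:
    size_bytes: int
    indicators: list
    blob_bytes: int
    blob_type: str
    score: int
    suspicious: bool


def analyse_html(html: str, size_threshold: int = 12 * 1024) -> Verdict:
    """Score an HTML attachment for smuggling indicators.

    Scoring (assumed weights): +1 per API indicator, +2 if a decodable
    base64 blob of at least 512 characters is present, +1 if the file is
    larger than the 12 KB average the report cites. A file is flagged only
    when the score reaches 3 AND at least one API indicator is present, so a
    plain <a download> link or a large but static page does not fire alone.
    """
    indicators = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(html)]

    blob_bytes, blob_type = 0, "none"
    longest = max(BASE64_BLOB.findall(html), key=len, default="")
    if longest:
        try:
            decoded = base64.b64decode(longest, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            decoded = b""
        if decoded:
            blob_bytes, blob_type = len(decoded), sniff(decoded)

    score = len(indicators)
    if blob_bytes:
        score += 2
    size_bytes = len(html.encode("utf-8"))
    if size_bytes > size_threshold:
        score += 1

    suspicious = score >= 3 and bool(indicators)
    return Verdict(size_bytes, indicators, blob_bytes, blob_type, score, suspicious)


# Constructed sample 1: a page that assembles an embedded "archive" client-side.
# The blob is a placeholder (ZIP header followed by zeros), not a real archive.
CONSTRUCTED_BLOB = base64.b64encode(b"PK\x03\x04" + bytes(600)).decode()
SMUGGLING_SAMPLE = """<html><body><p>Your invoice is being prepared...</p>
<script>
var data = "__BLOB__";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
</script></body></html>""".replace("__BLOB__", CONSTRUCTED_BLOB)

# Constructed sample 2: an ordinary page with a static download link only.
BENIGN_SAMPLE = """<html><body>
<h1>Quarterly report</h1>
<a href="/files/report.pdf" download="report.pdf">Download PDF</a>
</body></html>"""

if __name__ == "__main__":
    for label, html in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyse_html(html))
```

Run on the two samples, the smuggling page scores on four API indicators plus a decodable 604-byte blob that sniffs as a ZIP archive, while the benign page registers only the `download` attribute and stays below the threshold. In production the same logic would sit behind the gateway's attachment extraction, and the decoded blob (not just its type) would be handed to the regular file scanner, which is the whole point: the payload that smuggling hides from the gateway is recoverable from the HTML before the user's browser ever assembles it.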

“The data from the first quarter is a clear sign that operators are regrouping, rebuilding their strength and investing in botnet growth. Emotet was once described by CISA as one of the most destructive and costly malware to fix. Its operators often collaborate with ransomware groups – a pattern that is likely to continue. Thus, its resurgence is bad news for enterprises and the public sector alike,” said Alex Holland, senior malware analyst, HP Wolf Security Threat Research Team. “Emotet also continues to favour macro-enabled attacks – perhaps to launch attacks ahead of Microsoft’s April deadline to disable macros, or simply because people still have macros enabled and can be tricked into clicking on the wrong thing.”

545 Different Malware Families

– Nine per cent of the threats were undetected at the time of their isolation. Fourteen per cent of the isolated email malware bypassed at least one email gateway scanner.
– On average, it took over three days (79 hours) for these threats to be detected by other security tools.
– Forty-five per cent of the malware isolated by HP Wolf Security involved Office file formats.
– The threats used 545 different malware families in their attempts to infect businesses, with Emotet, AgentTesla and Nemucod being the top three.
– An exploit for Microsoft Equation Editor (CVE-2017-11882) accounted for 18 per cent of all malicious samples detected.
– Sixty-nine per cent of the malware detected was spread via email, while web downloads accounted for 18 per cent. The most common attachments used to spread malware were spreadsheets (33 per cent), executables and scripts (29 per cent), archives (22 per cent) and documents (11 per cent).
– The most common phishing lures were business transactions such as “order”, “payment”, “purchase”, “request” and “invoice”.