Attackers More Successful at Delivering Malware Payloads

Cloud-delivered malware is now more prevalent than web-delivered malware. In 2021, malware downloads originating from cloud apps increased to 66% of all malware downloads when compared to traditional websites, up from 46% at the beginning of 2020.

These were among the findings of Netskope’s latest cloud security report, which is based on anonymized data collected from millions of users worldwide between January 1, 2020 and November 30, 2021.

Based on the findings, Google Drive emerged as the app responsible for the most malware downloads in 2021, taking over the top spot from Microsoft OneDrive.

At the same time, malware delivered through Microsoft Office documents nearly doubled from 2020 to 2021: malicious Office documents made up 37% of all malware downloads at the end of 2021, compared to 19% at the beginning of 2020.

The rise occurred as attackers continued to use weaponized Office documents to gain an initial foothold in target systems.

Emotet’s Emergence

The report noted the Emotet malspam campaign in Q2 2020 kicked off a spike in malicious Microsoft Office documents that copycat attackers have sustained over the past six quarters, with no signs of slowing down.

“From my perspective, the most concerning finding was the continuing trend of malicious Office documents and cloud app abuse for malware delivery,” explained Ray Canzanese, threat research director at Netskope. “It is not just that attackers are continuing to deliver malicious content using Office docs and cloud apps, but that they continue to have success in reaching users.”

He pointed out the Netskope report analyzes malware downloads that the company blocked—malware that a user attempted to download.

“Attackers are reaching users through social media, email, compromised websites and through the cloud apps themselves,” he said.

Canzanese said there are three things organizations can do to protect against the rise in malware delivered through Microsoft Office documents. First, use a security solution that scans all incoming Office documents for malicious content.

“A combination of signatures, heuristics and a sandbox can accurately detect and block malicious Office documents before users can open them,” he said.

Second, most malicious Office documents require users to click “Enable Content” for the malicious content to execute. An education campaign to remind users to never click “Enable Content” can have a positive impact.

“Third, you can disable macros and other features used by attackers in group policy, preventing your users from ever running any potentially malicious content, whether it turns out to be malicious or not,” Canzanese said.
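The first of those three steps, scanning every incoming Office document, can start with a cheap structural check before signatures, heuristics or a sandbox are involved. The following is an added example, not Netskope's scanner or any code from the article: it opens the OOXML zip container (the .docx/.xlsx/.pptx family), looks for an embedded VBA project part and a macro-enabled content type, and also flags the mismatch case where macro content arrives under a .docx/.xlsx/.pptx extension. The `build_sample` helper constructs minimal packages in memory so the check runs offline; legacy OLE .doc/.xls files are out of scope here.

```python
"""Inspect an incoming Office document for VBA macro content.

Added illustration, not Netskope's scanner: it checks only the OOXML zip
container (docx/xlsx/pptx family). Legacy OLE .doc/.xls files and the
signature, heuristic and sandbox layers the article mentions are out of scope.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_CT = re.compile(r"macroEnabled", re.IGNORECASE)
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}   # extensions that must not carry macros


@dataclass
class Verdict:
    filename: str
    is_ooxml: bool = False
    has_vba_part: bool = False
    macro_enabled_ct: bool = False
    reasons: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        # Any reason at all is enough to hold the file back from the user.
        return bool(self.reasons)


def inspect_document(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one attachment; the extension is never trusted on its own."""
    v = Verdict(filename=filename)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return v                      # a zip, but not an OOXML package
            v.is_ooxml = True
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return v                              # not a zip at all
    v.has_vba_part = any(VBA_PART.search(n) for n in names)
    v.macro_enabled_ct = bool(MACRO_CT.search(ct_xml))
    if v.has_vba_part:
        v.reasons.append("embedded VBA project (vbaProject.bin)")
    if v.macro_enabled_ct:
        v.reasons.append("macro-enabled content type declared")
    ext = filename.lower().rsplit(".", 1)[-1]
    if v.block and ext in MACRO_FREE_EXT:
        # Either a renamed macro document or a broken file; neither should reach a user.
        v.reasons.append(f"macro content under a .{ext} extension")
    return v


def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package, with or without a VBA project (sample data)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not a real VBA stream")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("report.docx", build_sample(False)),
                       ("report.docm", build_sample(True)),
                       ("report.docx", build_sample(True))]:
        v = inspect_document(name, data)
        print(name, "BLOCK" if v.block else "allow", v.reasons)
```

A gateway would run this in front of the deeper layers: a clean verdict here means only that no macro container was found, so the document still goes on to signature and sandbox analysis, while a block verdict never reaches the user and so never prompts the "Enable Content" decision the second and third steps are about.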

Insider Threats and Malware

Corporate data exfiltration is also on the rise, according to the report: one in seven employees takes data along when leaving their employer, using personal app instances.

Between 2020 and 2021, an average of 29% of departing employees downloaded more files than usual from managed corporate app instances, and 15% uploaded more files than usual to personal app instances, during their final 30 days.

Canzanese pointed to two types of tools that can help combat data exfiltration: data loss prevention (DLP) and user behavioral analysis (UBA).

He said DLP can help with real-time alerting on or blocking of unwanted data movement, while UBA can help identify unusual patterns of data movement and other correlated changes in behavior.
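The two tool types divide the problem the way the report's departing-employee figures suggest: DLP makes a decision on a single event as it happens, while UBA needs the user's own history to say what "more files than usual" means. The following is an added example, not Netskope's product logic or code from the article. It assumes a cloud-app activity log reduced to (user, day, action, managed-or-personal instance, classification label) events, a constructed 90-day sample in which `alice` is leaving and `bob` is a steady control user, and a hypothetical review window of 30 days with a threefold-over-baseline threshold.

```python
"""DLP and UBA checks for departing-employee data movement.

Added illustration only: not Netskope's product logic. Events are
constructed sample data in the shape of a cloud-app activity log.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    day: date
    action: str        # "download" or "upload"
    instance: str      # "managed" corporate instance or "personal" instance
    label: str = ""    # classification label on the file, e.g. "confidential"


# DLP: a real-time rule evaluated on one event as it happens.
SENSITIVE_LABELS = {"confidential", "restricted"}   # assumed label scheme


def dlp_decision(ev: Event) -> str:
    """Block labelled data moving to a personal instance, alert on unlabelled
    uploads there, allow everything else."""
    if ev.action == "upload" and ev.instance == "personal":
        return "block" if ev.label in SENSITIVE_LABELS else "alert"
    return "allow"


# UBA: compare the final window against the user's own earlier baseline.
WATCHED = {("download", "managed"), ("upload", "personal")}


def uba_departure_review(events, user, last_day, window=30, factor=3.0, min_count=5):
    """Return {(action, instance): (recent_count, expected_count)} for watched
    behaviours whose count in the final `window` days is at least `factor`
    times what the user's earlier daily rate predicts (and at least
    `min_count`, so a user with no history at all is still reviewed)."""
    start = last_day - timedelta(days=window - 1)
    recent = defaultdict(int)
    baseline = defaultdict(int)
    earliest = None
    for ev in events:
        if ev.user != user:
            continue
        key = (ev.action, ev.instance)
        if start <= ev.day <= last_day:
            recent[key] += 1
        elif ev.day < start:
            baseline[key] += 1
            earliest = ev.day if earliest is None else min(earliest, ev.day)
    # Baseline span is measured from the user's first observed event to the window start.
    span_days = (start - earliest).days if earliest is not None else 0
    findings = {}
    for key in WATCHED:
        rate = baseline[key] / span_days if span_days else 0.0
        expected = rate * window
        if recent[key] >= max(min_count, factor * expected):
            findings[key] = (recent[key], expected)
    return findings


# Constructed sample: alice is leaving on LAST_DAY, bob is a steady control user.
LAST_DAY = date(2021, 11, 30)


def build_sample_events():
    events = []
    for i in range(90):
        day = LAST_DAY - timedelta(days=i)
        events.append(Event("bob", day, "download", "managed"))
        if i >= 30:                                  # alice's normal baseline
            events.append(Event("alice", day, "download", "managed"))
        else:                                        # alice's final 30 days
            events += [Event("alice", day, "download", "managed")] * 4
            events += [Event("alice", day, "upload", "personal", "confidential")] * 2
    return events


EVENTS = build_sample_events()

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, uba_departure_review(EVENTS, user, LAST_DAY))
    print(dlp_decision(Event("alice", LAST_DAY, "upload", "personal", "confidential")))
```

The `min_count` floor matters for the personal-instance case: a user who never uploaded to a personal instance before has an expected count of zero, and without the floor a single upload would be a finding, while with it the review only fires once the volume is meaningful. In practice the departure date comes from an HR feed, and the DLP rule would be evaluated inline on each upload rather than over the log after the fact.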

He added that work-from-home and remote work have not really changed the amount of data exfiltration Netskope sees.

“Users are still doing the same things they always did, they are just doing them from a different location,” he explained. “The biggest change we saw was organizations that relied on on-premises security products looked to move to products that could provide the same level of protection whether users are in the office or working from home.”

Canzanese said general malware awareness among organizations varies. He talks to many organizations that know attackers abuse cloud apps to spread malware, but that attribute the behavior only to specific apps.

“They may have read about an attacker using app A to spread malware, so they decided they would mitigate the threat by blocking app A,” he said. “The problem is that it isn’t an app-specific problem. Netskope blocked malware downloads from 230 different apps in 2021. And most organizations use at least one of the apps in the top five.”

Canzanese added a second common thread—many users believe that if their organization sanctions the use of a particular app, then it is “safe”.

“Just because your organization sanctions the use of a particular app doesn’t mean that attackers aren’t going to abuse that same app to deliver malware. They will,” he said. “Zero-trust means not trusting downloads from anywhere, including your sanctioned apps.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
