Legacy AV defenceless against onslaught of evasive malware

The volume of evasive malware – malware that can easily get round signature-based antivirus systems – grew to record levels in the final months of 2019, with two-thirds of samples detected by WatchGuard Technologies’ Firebox appliances during the fourth quarter now able to do this – a dramatic increase from the 2019 average of 35%.

This not only suggests that obfuscated or evasive malware is becoming the rule, rather than the exception, but highlights that many popular security products are now losing significant utility and are in danger of becoming legacy services in the face of the always-evolving cyber criminal underworld.

“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, chief technology officer at WatchGuard.

“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defences, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security.”

Nachreiner added: “Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”

In a new report released today, WatchGuard said it was seeing a number of emergent trends around malware, including a jump in popularity in adware targeting macOS environments. One of the top compromised websites found by WatchGuard hosted an adware called Bundlore that poses as an update to Adobe Flash. This tallies with other observations, notably a February 2020 study conducted by Malwarebytes.

WatchGuard also found widespread phishing campaigns exploiting a Microsoft Excel vulnerability that was first disclosed in 2017. This exploit, widely seen in the UK, enables the download of a number of different types of malware onto the victim device, including a keylogger called Agent Tesla, which was one of the earliest malware strains to exploit the Covid-19 coronavirus outbreak before it became a global emergency.

Elsewhere, WatchGuard found that SQL injection attacks became the top network attack in 2019, spiking by 8,000% in just one year, as well as a tendency among cyber criminals to use automated malware distribution. It said many attacks were hitting between 70% and 80% of all Firebox appliances in a single country, which suggests threat actors are automating their attacks much more often than before.

WatchGuard draws its data from anonymised Firebox Feeds on active unified threat management (UTM) appliances whose owners have opted into data sharing to support security research. It has about 40,000 appliances in the programme, which during the final quarter of 2019 collectively blocked almost 35 million malware variants at the rate of 860 samples per appliance, and 1.9 million network attacks at the rate of 47 attacks per appliance.

The full WatchGuard Internet security report Q4 2019 can be downloaded from the supplier’s website.