HP Report Details Tactics Used to Evade Detection Tools – Source: securityboulevard.com

HP Inc. today published a report detailing how the tactics and techniques being used by cybercriminals to evade detection tools are evolving.

Based on data collected by the HP Wolf Security from April through June 2023, researchers found cybercriminals are now combining well-known types of attacks in different ways to bypass detection tools and security policies.

For example, one attack used multiple programming languages to bypass defenses. The payload was encrypted using Go to disable anti-malware scanning but then switched languages to C++ to interact with the operating system to run .NET malware in memory.

The report also identified a cyberattack delivered using a DNS TXT record query to deliver the AgentTesla remote access Trojan (RAT).

Finally, the report noted that malicious code is now hidden in platforms such as Blogspot, which is a service that hosts blogs for individuals who don’t want to create and maintain their own website.

Overall, the report noted the top threat vectors were email (79%) and browser downloads (12%). At least 12% of email threats identified bypassed one or more email gateway scanners.

Archives were the most popular malware delivery type for the fifth quarter running, used in 44% of cases analyzed, the report noted.

There was also a 23% rise in HTML threats stopped by HP Wolf Security quarter over quarter and a 4% increase in executables, mainly driven by the use of a PDFpower.exe file to attempt to hijack a browser.

Finally, there was a 6% drop in spreadsheet malware in the first quarter of 2023, attributed mainly to cybercriminals moving away from Office formats that now make it more difficult to run macros.

Patrick Schläpfer, senior malware analyst for the HP Wolf Security threat research team, said none of these attacks are especially sophisticated, but they do show how cybercriminals are shifting their attack techniques by combining techniques in different ways to evade detection.

Many of these attacks are also aimed at end users—many of whom are still working from home due to the COVID-19 pandemic—and whose systems might not be as secure as those behind a corporate firewall, he added. Once compromised, however, those systems then provide an opportunity for malware to move laterally to systems that those machines are remotely accessing.

There are, of course, innumerable vulnerabilities that cybercriminals could exploit, but the HP report makes it clear that most attacks are leveraging exploits that are not especially complicated. There is simply not much incentive for cybercriminals to go to the trouble of creating a complex exploit that requires a lot of skill when existing ones can be modified and easily launched, noted Schläpfer.

Cybersecurity professionals, of course, need to remain vigilant as the tactics and techniques used by their adversaries continue to evolve. The challenge is that, by the time those shifts are identified, the damage could be considerable. As always, time is not on the side of the defenders.