sb-nz logo
Story image

Surge in encrypted malware prompts warning about detection strategies

29 Jun 2020

WatchGuard Technologies’ Q1 2020 Internet Security Report has shown a massive surge in malware delivery over encrypted connections, highlighting what could become the next most common attack vector after phishing emails.

According to the report, 67% of all malware in the quarter was delivered by HTTPS encrypted connections.  Furthermore, 72% of the malware is zero-day malware, meaning there is no identifiable signature that can be detected by signature-based security platforms.

“If you are not decrypting and scanning your secure web connections, you are likely missing a large majority of malware,” the report states.

The Flawed-Ammyy and Cryxos malware variants took top spots on WatchGuard’s top five encrypted malware list. Cryxos is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores. 

The report states, “Filling out the form doesn’t lead you to any file or page, but it does send the username and password to a compromised WordPress site where the attacking server stores the input.”

Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.        

The report states, “As always, never download files from an untrusted source. Also, know what a Microsoft scam looks like. Microsoft will never call you first and will never give a phone number to call with an error.”

Other top malware variants include Lnkr, an encrypted malware that places ads on websites and hides from Chrome.

“Some organisations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” comments WatchGuard’s chief technology officer, Corey Nachreiner. 

“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Findings are taken from anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. 

WatchGuard says that today, more than 44,000 appliances worldwide contribute threat intelligence data to the report. In Q1 2020, the appliances collectively blocked more than 32,148,519 malware variants in total (730 samples per device) and more than 1,660,000 network attacks (38 attacks per device).