Exploit kit activity slows down dramatically

Oct 16, 2016 21:40 GMT

If you've received spam emails bearing a file attachment in the last three months, it's very likely that the file contained a version of the Locky ransomware, according to Proofpoint's Quarterly Threat Summary for Q3 2016.

A previous report from Cisco said that spam volumes had returned to record levels last seen in the early 2010s. That report covered all spam categories, including pharma, dating, and pump-and-dump campaigns.

According to Proofpoint, the number of spam emails spreading malware-laced files reached all-time high numbers in Q3 2016.

Locky reigns supreme

King among all malware families that leveraged spam campaigns to spread was the Locky ransomware, found in 96.8 percent of all malicious spam file attachments.

In the vast majority of cases, this took the form of a ZIP archive containing a JavaScript file, but crooks also leveraged Office documents carrying malicious macro scripts, HTA (HTML executable) files, and WSF (Windows Script) files.
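A gateway-side check for the attachment pattern described above, added here as an example (it is not code from Proofpoint or from the article): it unpacks a ZIP in memory, flags script and macro-enabled members, including double-extension lures and nested archives, and builds a constructed sample to run against. All file names, extension lists and contents are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types the report names as Locky carriers (JS in a ZIP, WSF, HTA) plus the other WSH types run the same way.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe"}
# Office formats that can carry the macro payloads the report also mentions.
MACRO_OFFICE_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
MAX_NESTING = 3  # stop recursing into archives nested deeper than this


def suspicious_members(zip_bytes, depth=0, prefix=""):
    """Return (member_path, reason) pairs for contents that should be held; recurses into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in SCRIPT_EXTENSIONS:
                # "receipt.pdf.js" style names hide the real type behind a benign-looking one
                reason = "script file"
                if len(suffixes) > 1:
                    reason += " with misleading double extension"
                findings.append((path, reason))
            elif ext in MACRO_OFFICE_EXTENSIONS:
                findings.append((path, "macro-enabled Office document"))
            elif ext == ".zip":
                if depth >= MAX_NESTING:
                    findings.append((path, "archive nested too deeply to inspect"))
                else:
                    findings.extend(suspicious_members(zf.read(info), depth + 1, path + "/"))
    return findings


def build_sample_attachment():
    """Constructed sample: a ZIP like those in the report, with a JS stand-in, a double-extension lure and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.wsf", "<job><script language='JScript'></script></job>")  # placeholder
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_0912.js", "// placeholder, not a real downloader")
        z.writestr("receipt.pdf.js", "// placeholder")
        z.writestr("readme.txt", "benign text")
        z.writestr("docs/more.zip", inner.getvalue())
    return outer.getvalue()
```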

The rest of the Top 5 most spammed malware families includes the Pony infostealer, the Vawtrak banking trojan, the Tordal (Hancitor) malware dropper, and the Panda Banker banking trojan.

Besides Locky, other ransomware variants spread via spam campaigns in larger numbers included CryptFile2, MarsJoke, and Cerber.

Exploit kit activity slows down

The same Proofpoint quarterly report also highlights the continuous evolution of banking trojans, which, even though they were spread in far smaller numbers than in 2015, remained a constant threat thanks to a series of anti-detection features added to evade security software.

The good news from Q3 2016 is that exploit kit activity has gone down 65 percent compared to Q2 and 93 percent compared to the start of 2016.

This decline can be attributed to the shutdown of the Angler and Nuclear exploit kits this past spring, and also to the Neutrino exploit kit entering a so-called "private mode." Nevertheless, actors such as the RIG exploit kit were quick to fill most of the gap left behind.

Figures (Proofpoint findings, 3 images): Top malware payloads distributed via email attachments in Q3 2016; Top exploit kit activity in Q3 2016; Exploit kit activity trends in Q3 2016.