RP Quarterly Threats Mar 2018
McAfee Labs
Threats Report
March 2018
THREATS STATISTICS
Malware
Incidents
Web and Network Threats
The McAfee Labs count of new malware in Q4

This report was researched and written by:

Some cybercriminals are still developing botnets exploiting the Internet of Things and borrowing and developing new code. For now, we see these botnets mostly used for denial-of-service attacks. The challenge to the security industry will be to adequately defend against such attacks as they increase in bandwidth and frequency.
Key trends: Cybercriminals pivot, taking on new strategies and tactics

In Q4 of 2017, McAfee Labs recorded on average eight new malware samples per second—an increase from four new samples per second in Q3. Overall, the quarter was characterized by newer tools and schemes, such as PowerShell malware and cryptocurrency mining, which surged along with the value of Bitcoin.

PowerShell: In 2017, McAfee Labs saw PowerShell malware grow by 267% in Q4, and by 432% year over year, as the threat category increasingly became a go-to toolbox for cybercriminals. The scripting language was irresistible, as attackers sought to use it within Microsoft Office files to execute the first stage of attacks.

In December, Operation Gold Dragon, a malware campaign targeting the 2018 Winter Olympics, was uncovered. The campaign is an exemplary implementation of PowerShell malware in an attack.

Cryptocurrency mining: Online currency fuels much of cybercrime, including malware purchases and ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment because the price of a dedicated mining machine could exceed $5,000. In Q4 McAfee Advanced Threat Research team analysts reported on this growth industry, explaining how cybercriminals often seek to maliciously introduce malware that will either use a victim’s computing power to mine for coins or simply locate and steal the user’s cryptocurrency.

Ransomware: In 2017, McAfee Labs observed a 59% increase in ransomware year over year, including 35% growth in Q4 alone. This activity included new creative tactics from cybercriminals, who pushed the category past its typical objective of extorting money to disruption within corporate networks. Actors devised strategies to create “smoke and mirrors” by distracting defenders from actual attacks, such as the emergence of pseudoransomware, seen in NotPetya and a Taiwan bank heist.
Key campaigns: Asymmetrical cyberwarfare continues to escalate

At the beginning of 2017, McAfee analysts predicted the hard-to-solve challenges the cybersecurity industry would face in the coming year, naming the asymmetry of information as a major hurdle. In short, adversaries have the luxury of access to research done by the technical community, and can download and use open-source tools to support their campaigns, while the defenders’ level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun. Major attacks in Q4 demonstrated that growing asymmetrical cyberwarfare is in full effect.

To stay up to date with our research, check out our social media channel—Twitter @McAfee_Labs—where we provide analysis into new campaigns, as well as describe new tools that you can use to better protect your environment.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research Team
Twitter @Raj_Samani
Threats Statistics
Malware (p. 7)
Incidents (p. 14)
Malware

[Charts: quarterly series, Q1 2016 to Q4 2017; panel titles not recovered.]
[Charts: New Mac malware and Total Mac malware, by quarter, Q1 2016 to Q4 2017.]

Two common forms of Mac malware this quarter were Flashback, which grabs passwords and other data through browsers, and Longage, which can give a hacker control of a system.
[Charts: New mobile malware and Total mobile malware, by quarter, Q1 2016 to Q4 2017.]

The growth of Android screen-locking ransomware declined significantly this quarter. (See separate charts on page 9.) The Piom Trojan dropper also slowed markedly.
[Charts: Regional mobile malware infection rates (percentage of mobile customers reporting infections), Q1 2017 to Q4 2017, for Africa, Asia, Australia, Europe, North America, and South America; and Global mobile malware infection rates (percentage of mobile customers reporting infections), Q1 2016 to Q4 2017.]

Global infection rates have declined slightly during the last three quarters, even as percentages have increased in Australia and the Americas.
[Charts: New Android lockscreen malware and Total Android lockscreen malware, by quarter, Q1 2016 to Q4 2017.]

This form of ransomware started slowly in 2016, but burst into prominence last year.
Source: McAfee Labs, 2018.
Incidents

[Charts: Publicly disclosed security incidents by region (number of publicly disclosed incidents), Q1 2016 to Q4 2017, broken out by Africa, Asia, Americas, Europe, Oceania, and Multiple; and Top 10 attack vectors in 2016–2017 (number of publicly disclosed incidents): Unknown, Malware, Account Hijacking, Leak, DDoS, Code Injection, Defacement, Vulnerability, W-2 Scam, Unauthorized Access.]

Security incidents data is compiled from several sources, including hackmageddon.com, privacyrights.org/data-breaches, haveibeenpwned.com, and databreaches.net.

The majority of attack vectors are either not known or not publicly reported.
[Charts: incidents by sector; panel titles not recovered. Left panel categories: Public, Individuals, Health Care, Education, Finance, Multiple, Online Services, Retail, Entertainment, Software Development. Right panel categories: Health Care, Public, Education, Finance, Technology, Retail, Entertainment, Hospitality, Online Services, Individuals.]
Web and Network Threats

[Charts: quarterly series, Q1 2016 to Q4 2017; panel titles not recovered.]

The McAfee® TrustedSource™ Web Database contains URLs (web pages) organized into categories, based on web reputation, to use with filtering policies to manage web access. Suspect URLs are the total number of sites that earn High Risk or Medium Risk scores.

Malicious sites deploy code designed to hijack a computer’s settings or activity. This category includes self-installing applications (“drive-by” executable files), Trojans, and other malware that exploit vulnerabilities in browsers or other applications.
[Charts: quarterly series, Q1 2016 to Q4 2017; panel titles not recovered.]

Malicious downloads come from sites that allow a user to inadvertently download code that is harmful or annoying. This category includes screensavers, toolbars, and file-sharing programs that contain adware, spyware, viruses, and other malicious code. Sometimes, the malware is added without users’ knowledge, as when they click “Yes” or “I agree” without reading the full terms and conditions. The effects can include slower performance, theft of passwords, and the loss or damage of personal files.

Phishing URLs are web pages that typically arrive in hoax emails to steal user account information. These sites falsely represent themselves and appear as legitimate company web pages to deceive and obtain user data for perpetrating fraud or theft.
[Pie charts: Top malware connecting to control servers in Q4 (slices labelled Wapomi, Ramnit, OnionDuke, China Chopper, Muieblackcat, Mirai, Maazben, Others) and Spam botnet prevalence by volume in Q4 (slices labelled Necurs, Gamut, Lethic, Darkmailer, Others). The percentage labels 1%, 1%, 1%, 3%, 3%, 5%, 5%, 5%, 7%, 21%, 37%, 51%, and 60% survive from the extraction but cannot be reliably matched to individual slices.]

Necurs—a recent purveyor of “lonely girl” spam, pump and dump stock spam, and Locky ransomware downloaders—and Gamut—sending job offer–themed phishing (and possible money mule recruitment), in English, German, and Italian—were responsible for 97% of spam botnet traffic in Q4.
McAfee is one of the world’s leading independent cybersecurity companies. Inspired by the power of working together, McAfee creates business and consumer solutions that make the world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

www.mcafee.com

McAfee Labs, led by McAfee Advanced Threat Research, is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

www.mcafee.com/us/mcafee-labs.aspx

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee LLC. 3780_0318 MARCH 2018