McAfee Labs Threat Report Identifies New Mobile Banking, Macro, and Fileless Malware Developments

The cyber threat landscape often combines something old, something new, something blundered, and something “you.” The third quarter of 2015 provides examples of old threat types repackaged with new social engineering approaches, new fileless malware families that can evade traditional detection methods, and the exploitation of poor mobile app cloud security coding practices.

Today’s release of Intel Security’s McAfee Labs Threats Report: November 2015 complements our usual quarterly assessment of cyber threats with new developments combining each of these approaches:

  • McAfee Labs researchers illustrate how poor coding practices for mobile app cloud security, including the failure to follow back-end service provider guidance, can lead to the exposure of user data in the cloud. This analysis uses mobile banking Trojans to illustrate the point.
  • The report investigates new, stealthy macro malware that uses social engineering to gain traction within enterprises—a development fueling the resurgence of macro malware from a multiyear decline to a six-year high in Q3. Macro malware increased from fewer than 10,000 new attacks in Q3 2015 to almost 45,000 this past quarter, a level we have not seen since 2009.
  • Finally, the report details how a new breed of fileless malware trumps traditional threat detection by hiding in the Microsoft Windows registry and deleting all traces of its infection from the file system.

The third quarter of 2015 reminds us that we must always innovate to stay ahead of the threat technology curve, that we must never neglect common-sense solutions such as best practices to avoid coding blunders, and that ongoing user education is imperative to counter attackers’ tactics such as social engineering.


Back-end mobile app coding practices

A two-month analysis of more than two million legitimate mobile apps and nearly 300,000 mobile malware apps illustrates how developers often do not follow sound cloud security coding practices. The point is exemplified through the analysis of two mobile banking Trojans that attacked thousands of bank accounts during the study period. Taking advantage of two mobile Trojans’ poor cloud security coding practices, researchers were able to show how the Trojans operated, what was exposed, and the number of accounts that were compromised.

Mobile apps often rely on back-end services for secure data storage and communications. Nonetheless, mobile app developers are responsible for integrating their mobile apps with these back-end services. User data can be exposed if app developers fail to follow the back-end providers’ security coding guidelines—a possibility that is now more likely based on the increasing amount of personal and professional business conducted in the mobile cloud.

McAfee Labs found that the two mobile banking Trojans used poor cloud security coding practices, allowing researchers to examine how they work. These mobile banking Trojans abused root privileges to silently install malicious code and enabled an SMS message scheme to steal credit card numbers and execute fraudulent transactions. McAfee Labs’ partners in this investigation notified the back-end service provider, which blocked access from these Trojans to their back-end services.

Intel Security recommends that users download mobile apps only from well-known sources and install security technology on all mobile devices.


New, stealthy macro malware rides social engineering to six-year high

McAfee Labs also registered a fourfold increase in macro malware detection during the last year, collecting the category’s highest number of new samples since 2009. The return to prominence has been enabled by social engineering campaigns designed to fool enterprise users into opening macro malware–bearing email attachments. These new families of macro malware also exhibit an ability to remain hidden even after they have downloaded their malicious payloads.

Such malicious macros were the bane of users in the 1990s but declined in number after application providers such as Microsoft took action to reprogram default settings to stop automatic macro execution.

Although earlier macro campaigns focused on users of every description, the new macro malware activity is primarily focused on large organizations accustomed to using macros as easy-to-build programs for repetitive needs. Emails are socially engineered to appear legitimate to the context of the organization’s business so that users will thoughtlessly enable the macro to run.

In addition to improving user awareness of social engineering, Intel Security recommends that organizations adjust application macro security settings to “high” and configure email gateways to specifically filter for attachments containing macros.
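One way a gateway could make the "contains macros" decision from attachment content rather than file extension, as an added example that is not from the report or from Intel Security. The function names and sample files are constructed for illustration, and the legacy-format check is a byte-search heuristic, not a full compound-file parse.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML container (.docx, .docm, .xlsm, ...)
# Legacy files keep VBA in a stream named _VBA_PROJECT; directory names are UTF-16LE.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'suspect' (unreadable container) or 'not-office'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "suspect"  # truncated or corrupt archive: fail closed
        if "[content_types].xml" not in names:
            return "not-office"  # ordinary zip, left to other gateway rules
        # The VBA project is a vbaProject.bin part, whatever the file is called.
        return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "clean"
    if data.startswith(OLE2_MAGIC):
        # Heuristic byte search rather than a full compound-file parse.
        return "macro" if OLE_VBA_MARKER in data else "clean"
    return "not-office"


def gateway_verdict(filename: str, data: bytes) -> str:
    """Decide on content only; the extension in `filename` is never trusted."""
    return "quarantine" if classify_attachment(data) in ("macro", "suspect") else "deliver"


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    legacy = OLE2_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER  # constructed, not a valid .doc
    for name, blob in [("report.docx", make_sample_ooxml(False)),
                       ("invoice.docx", make_sample_ooxml(True)),
                       ("old.doc", legacy)]:
        print(name, gateway_verdict(name, blob))
```

A macro-bearing file saved with a `.docx` name is still quarantined here, because the verdict depends on the `vbaProject.bin` part and not on the extension.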


Fileless malware innovations

McAfee Labs captured 74,471 samples of fileless attacks in the first three quarters of 2015. The three most common fileless malware types load their payload directly into the legitimate memory space of an application, hide behind a kernel-level API, or hide within the operating system’s registry.

Most fileless malware leaves some type of file artifact on a system, which can be detected, analyzed, and convicted by security technology. New fileless malware families, such as Kovter, Powelike, and XswKit, have been designed to take advantage of operating system platform services to get into the registry while leaving no artifacts on disk.

Intel Security recommends safe browsing and email practices, combined with email and web protections to block the attack vectors. Behavior-based protection technology can also stop many fileless malware attacks.


Q3 2015 Threat Statistics 

  • Overall threat activity. The McAfee Global Threat Intelligence (GTI) network detected an average of 327 new threats every minute, or more than five every second. The network also detected:
    • More than 7.4 million attempts to entice our customers into connecting to risky URLs (via emails, browser searches, etc.).
    • More than 3.5 million infected files exposed to our customers’ networks.
    • An additional 7.4 million potentially unwanted programs attempting to install or launch.
    • 2 million attempts made by our customers to connect to risky IP addresses, or by those addresses to connect to customers’ networks.
  • Mobile malware. The total number of mobile malware samples grew 16% from Q2 to Q3 and 81% during the past year. New mobile malware has risen for five consecutive quarters, but infections haven’t kept pace, likely due to improvements in OS defenses.
  • MacOS Malware. Malware authors have increasingly turned their attention to the Mac platform. Four times as much Mac OS malware was registered in Q3 as in Q2. Most of the increase came from a single threat.
  • Ransomware. The number of new ransomware samples grew 18% from Q2 to Q3. The total number of ransomware samples in McAfee Labs’ malware “zoo” grew 155% over the past year.
  • Rootkits decline. New rootkit malware dropped 65%, the category’s lowest rate since 2008. The decline is likely due to diminished returns for attackers. With 64-bit Windows, Microsoft enforces driver signing and includes Patch Guard, which makes kernel hooking significantly more challenging for attackers.
  • Malicious signed binaries. New malicious signed binaries have trended down for 3 quarters.
  • Botnet activity. The Kelihos botnet reclaimed the top rank for spam-sending botnets in Q3. Botnet-powered campaigns for counterfeit consumer goods and phony pharmaceuticals had been somewhat dormant for the previous two quarters.

For more information on these focus topics, or more threat landscape statistics for Q3 2015, please visit for the full story.

