Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.
  • 25 March 2020 09:25

New Security Report from WatchGuard Technologies Shows Explosion in Evasive Malware in Q4 2019

Report finds macOS adware and a 2017 Excel exploit running rampant, and includes an analysis of keylogger malware used in coronavirus-related phishing attacks.

SEATTLE – March 24, 2020 –WatchGuard® Technologies, a global leader in network security and intelligence, secure Wi-Fi and multi-factor authentication, today announced the release of its Internet Security Report for Q4 2019. It found that evasive malware grew to record high levels; over two-thirds of malware detected by WatchGuard’s Firebox security appliances in Q4 2019 evaded signature-based antivirus solutions. Obfuscated or evasive malware is becoming the rule, not the exception, and companies of all sizes desperately need to deploy advanced anti-malware solutions that can detect and block these attacks.

In addition, WatchGuard found widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017. This ‘dropper’ malware downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was also used in phishing attacks in February 2020 that preyed on fears of a coronavirus outbreak.

“Our findings from Q4 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, chief technology officer at WatchGuard. “With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioral-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”

WatchGuard’s Internet Security Report prepares businesses, service providers and end users with the data, trends, research and best practices they need to defend against today’s security threats. Here are the key findings from the Q4 2019 report:

- Evasive malware made up 68% of total malware in Q4 2019 – This is a dramatic increase from the year-long average of 35% for 2019. WatchGuard UTM appliances have three anti-malware services; a signature-based antivirus, an machine learning detection engine called Intelligent AV and a behavioural-based solution called APT Blocker. Malware is considered to be evasive when it makes it through the signature-based AV but is caught by one of the other two.

- Microsoft Excel exploit still being heavily used – A vulnerability from 2017, this exploit was number seven on WatchGuard’s top ten malware list, and targeted Great Britain, Germany and New Zealand heavily. It is delivered via a phishing attack and exploits macros to download and install other types of malware including keyloggers like Agent Tesla and trojans like Razy.

- Analysis of the Agent Tesla keylogger used in coronavirus phishing attacks – WatchGuard’s report includes an analysis of the Agent Tesla keylogger used in phishing attacks in February 2020 that aimed to manipulate fears around the coronavirus. Agent Tesla is one of several pieces of malware delivered via the aforementioned Microsoft Excel dropper malware.

- Mac adware jumps in popularity in Q4 – One of the top compromised websites WatchGuard detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a Malwarebytes report from February 2020 that showed a rise in Mac malware, particularly adware.

- SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.

- Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Fireboxes in a single country, suggesting attackers are automating their attacks more frequently.

The findings included in WatchGuard’s Internet Security Report are drawn from anonymised Firebox Feed data from active WatchGuard UTM appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. Today, over 40,000 appliances worldwide contribute threat intelligence data to the report. In Q4 2019, they blocked over 34,500,000 malware variants in total (859.5 samples per device) and approximately 1,879,000 network attacks (47 attacks per device).

The complete report also includes key defensive best practices that organizations of all sizes can use to protect themselves in today’s threat landscape and a detailed analysis the MageCart JavaScript malware used in the Macy’s payment card data breach in October 2019.

For more information, download the full report here: https://www.watchguard.com/wgrd-resource-center/security-report-q4-2019

About WatchGuard Technologies, Inc.

WatchGuard® Technologies, Inc. is a global leader in network security, secure Wi-Fi, multi-factor authentication and network intelligence. The company’s award-winning products and services are trusted around the world by nearly 10,000 security resellers and service providers to protect more than 80,000 customers. WatchGuard’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for midmarket businesses and distributed enterprises. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter @ WatchGuard on Facebook (https://www.facebook.com/watchguardtechnologies) or on the LinkedinCompany page (https://www.linkedin.com/company/watchguard-technologies) page Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at: www.secplicity.org

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners.

Submit a media release