Each quarter HP’s security experts highlight notable malware campaigns, trends and techniques identified by HP Wolf Security. By isolating threats that have evaded detection tools and made it to endpoints, HP Wolf Security gives an insight into the latest techniques used by cybercriminals, equipping security teams with the knowledge to combat emerging threats and improve their security postures [1]. Here are some of the key findings.

Social engineering attacks

Social engineering attacks, especially cybercriminals targeting enterprises with fake overdue invoices, continued to be a big endpoint threat in Q1. This lure is a perennial one, but still represents a large risk since many organizations send and pay invoices through email attachments. Typically, the campaigns targeted enterprises rather than individuals, where attackers’ potential return on investment is higher – for example, through fleet-wide ransomware and data extortion attacks.

WikiLoader malware

In campaigns delivering WikiLoader malware [2], attackers combined a series of tricks to evade network and endpoint detection, including redirecting victims to malicious websites using open redirect vulnerabilities (CWE-601) [3], obfuscated JavaScript (T1027.013) [4], hosting malware on legitimate cloud services (T1102) [5], and sideloading the malware via a legitimate application (T1574.002) [6].

Living-off-the-land techniques

Many malware campaigns relied on living-off-the-land (LOTL) techniques to help attackers remain undetected by blending in with legitimate system admin activity [7]. For example, we observed numerous abuses of the Windows Background Intelligent Transfer Service (BITS) (T1197) – a tool built into Windows used by administrators to transfer files between web servers and file shares [8].

About the HP Wolf Security Threat Insights Report

Enterprises are most vulnerable from users opening email attachments, clicking on hyperlinks in emails, and downloading files from the web. HP Wolf Security protects the enterprise by isolating risky activity in micro-VMs, ensuring that malware cannot infect the host computer or spread onto the corporate network. HP Wolf Security uses introspection to collect rich forensic data to help our customers understand threats facing their networks and harden their infrastructure. The HP Wolf Security Threat Insights Report highlights notable malware campaigns analyzed by our threat research team so that our customers are aware of emerging threats and can take action to protect their environments.

HP Wolf Security

HP Wolf Security is a new breed of endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services.

[1] https://hp.com/wolf

[2] WikiLoader (Malware Family) (fraunhofer.de)

[3] CWE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (4.15) (mitre.org)

[4] Obfuscated Files or Information: Encrypted/Encoded File, Sub-technique T1027.013 - Enterprise | MITRE ATT&CK®

[5] Web Service, Technique T1102 - Enterprise | MITRE ATT&CK®

[6] Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 - Enterprise | MITRE ATT&CK®

[7] LOLBAS (lolbas-project.github.io)

[8] BITS Jobs, Technique T1197 - Enterprise | MITRE ATT&CK®

------------