Emotet’s comeback continues as threat actors target SCADA systems. And it is that, at the moment, there is a decrease in the volume of malware, an increase in encrypted malware, as well as actively exploited Office vulnerabilities. All of this is highlighted in WatchGuard Technologies’ Internet Security By report, which also details the top trends in malware and network security threats in Q2 2022. “Although overall malware attacks in Q2 were down from all-time highs seen in previous quarters, more than 81% of detections occurred over encrypted TLS connections, continuing a worrying upward trend,” said Corey Nachreiner, CSO, WatchGuard.

Malware and network security threats

Key takeaways from the data include a decline in overall malware detections from spikes seen in the first half of 2021, an increase in threats to Chrome and Microsoft Office, a resurgence of the Emotet botnet, and more. Other important findings from the Second Quarter Internet Security Report include the following: Office exploits continue to spread more than any other category of malware. In fact, the biggest incident of the quarter was the Follina Office exploit (CVE-2022-30190), which was first reported in April and was not patched until the end of May. Distributed via a malicious document, Follina was able to bypass Windows Protected View and Windows Defender and has been actively exploited by threat actors, including nation-states. Three other Office exploits (CVE-2018-0802, RTF-ObfsObjDat.Gen, and CVE-2017-11882) were widely detected in Germany and Greece.

WatchGuard Threat Lab Reports Declining Malware Volume, Encrypted Malware Rising, and Actively Exploited Office Vulnerabilities

Endpoint malware detections were down overall, but not to the same extent. Despite a 20% drop in total endpoint malware detections, malware exploiting browsers collectively increased by 23%, with Chrome up 50%. One possible reason for the increase in Chrome detections is the persistence of various zero-day exploits. Scripts continued to account for the largest share of endpoint detections (87%) in Q2. The Top 10 signatures accounted for more than 75% of network attack detections. This quarter has seen an increase in attacks on ICS and SCADA systems that control industrial equipment and processes, including new signatures (WEB Directory Traversal -7 and WEB Directory Traversal -8). The two signatures are very similar; the former exploits a vulnerability first discovered in 2012 in specific SCADA interface software, while the latter is the most frequently detected in Germany. The resurgence of Emotet is noticeable. Although Emotet volume has decreased since last quarter, Emotet remains one of the biggest threats to network security. XLM.Trojan.abracadabra, a Win code injector that spreads the Emotet botnet, was one of the top 10 most detected malware of the quarter and one of the top 5 most encrypted.