Netskope Threat Labs Quarterly Stats for October 2024

Netskope Threat Labs publishes a quarterly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.

Summary

• GitHub and OneDrive were on the top of the list of top cloud apps used for malware downloads. While GitHub is mostly used to download post-exploitation tools, OneDrive is used to deliver the malware itself.
• The top malware families active in the past quarter included the Infostealer AgentTesla and the Remcos RAT.

Cloud Malware Delivery

Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic.

Attackers achieve the most success in reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Although Microsoft OneDrive and GitHub have the same percentage points, we observe slightly different behavior in each app. While GitHub is mostly used to download post-exploitation tools (such as Mimikatz and Impacket), OneDrive is primarily used to deliver the malware payload itself (such as Bumblebee Loader).

Webflow, in fourth place, is noteworthy because in addition to malware downloads, we have also recently observed an increase in phishing pages created using the app.

The top 10 list below reflects attacker tactics, user behavior, and company policy.

Top Malware Families

The following list contains the top malware families blocked by Netskope between July 1 and October 1:

• Infostealer.AgentTesla is a .NET-based remote access Trojan with many capabilities, such as stealing browsers’ passwords, capturing keystrokes, clipboard, etc.
• RAT.NjRAT (a.k.a. Bladabindi) is a remote access Trojan with many capabilities, including logging keystrokes, stealing credentials from browsers, accessing the victim’s camera, and managing files.
• RAT.Remcos is a remote access Trojan that provides an extensive list of features to remotely control devices, and it’s popularly abused by many attackers.

Recommendations

Attackers have always sought to evade detection and avoid suspicion in delivering malware. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:

• Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
• Ensure that your security controls recursively inspect the content of popular archive files, such as ZIP files, for malicious content. Netskope Advanced Threat Protection recursively inspects the contents of archives, including ISO, TAR, RAR, 7Z, and ZIP.
• Ensure that high-risk file types like executables and archives are inspected using both static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
• Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
• Configure policies to block download of known post-exploitation tools that are not used in your organization and generate a high risk alert if an unauthorized tool is downloaded since this one might indicate the later phases of an attack.
• Block downloads of all risky file types from newly registered domains and newly observed domains.

In addition to the recommendations above, Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites that fall into categories that present higher risk, such as Newly Observed and Newly Registered Domains.

About This Report

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each threat. Stats in this report are based on the period starting July 1, 2024 through October 1, 2024. Stats reflect attacker tactics, user behavior, and organization policy.