QBot, Emotet, and Formbook are currently the most prevalent malware threats according to new data from Check Point, all of which are mostly distributed using spam emails. Email is still one of the most common methods of malware distribution, and even Microsoft’s efforts to prevent the malicious use of macros have not changed that.

Last year, Microsoft disabled macros by default in Internet-delivered documents, and while this was a blow to cybercriminals who have relied on macros for their infection process, they simply changed tactics and used other methods for malware delivery. Macros were easy to abuse, as victims just needed to be tricked into enabling macros in documents and ignoring security warnings. Now that macros are disabled, cybercriminals have had to adopt new tactics for distributing malware via email, such as sending malicious links or using alternative attachments, such as OneNote files. The latter has been used to distribute Emotet, which has helped the malware return to the top of Check Point’s most wanted malware list.

OneNote files have proven popular for malware distribution as they allow scripts to be embedded and masked with overlays. The user is instructed to double-click a button in the OneNote file as they are told that the document is protected, when what they are actually doing is double-clicking an executable file embedded under the overlay, thus executing the script and triggering the downloading of a malicious payload. Microsoft has announced that this security issue will be tackled by May, but until then OneNote will continue to be used for malware delivery.

The top three malware variants share some of the same functionality but offer specialized features. QBot, also known as QakBot, was primarily a banking Trojan used to steal banking credentials but is now capable of stealing other credentials due to its keylogging capabilities. It has been in use since 2008 and is one of the oldest malware families currently in use.

Emotet has long been at the top of the most common malware variants and has survived a recent law enforcement takedown. Emotet started life as a banking Trojan but has evolved over the years and is now primarily used as a distributor of other malicious payloads under the malware-as-a-service model. Like QBot, Emotet is also extensively distributed via email, helped by its self-propagating capabilities, which allow it to hijack message threads and send copies of itself to the victims’ contacts.

FormBook has been used since at least 2016 and is an information stealer that is also marketed under the malware-as-a-service model. FormBook primarily harvests credentials from web browsers, but also logs keystrokes, collects screenshots, and can deliver additional files to infected devices. It is one of the most widely distributed malware due to its capabilities, relatively low cost, and strong evasion techniques.

These three malware variants have had a huge impact globally, with QBot infections detected at 10% of organizations worldwide and Emotet and FormBook each affecting 4% of organizations worldwide. Preventing infections requires a defense-in-depth approach involving multiple layers of protection, with one of the most important layers provided by a spam filter.

All three of these malware families are extensively spread via spam email, so blocking the initial attack vector is by far the best defense. SpamTitan incorporates several layers of protection against malicious emails, including emails with malicious attachments such as OneNote files and malicious links. SpamTitan performs a multitude of front-line checks including message headers and reputation checks and has dual anti-virus engines for detecting malware and sandboxing for behavioral analysis of email attachments. SpamTitan also scans links and uses machine learning algorithms to identify emails that deviate from the genuine emails typically received by businesses.

While a spam filter and endpoint protection solutions such as antivirus software were once sufficient, the speed at which new malware variants are being released and the evasion methods they use mean additional layers of protection are now required. TitanHQ recommends also deploying a web filter to block Internet-based threats. A web filter such as WebTitan augments the spam filter by blocking malware delivery via the Internet and improves protection against non-email-based threats, such as malicious links in text messages and instant messaging platforms.

Threats will occasionally bypass these protections, so it is important to provide security awareness training to the workforce. By educating the workforce on cyber threats, if one is encountered it can be recognized and avoided. Security awareness training allows businesses to train employees on security best practices and eradicate the risky behaviors that are often exploited by cybercriminals. SafeTitan is a comprehensive training platform covering all aspects of security and includes a phishing simulation platform for testing how employees respond to phishing threats and providing targeted training where it is needed.

For more information on these solutions and improving your security posture in the most cost-effective way, give the TitanHQ team a call today.