Summer dip in malware attacks credited to World Cup drama

July's drop in TrickBot malware likely due to criminals being distracted by the football, experts say

Football may not have come home, but it did at least reduce the number of malware attacks while the drama was unfolding.

That's one possibility floated by Cofense Intelligence, which has produced some research which demonstrates a marked drop in TrickBot malware attacks in July, after a sustained increase throughout April and June.

It wasn't just the number of attacks dropping either. Cofense noted that while TrickBot phishing lures are typically sufficiently authentic looking to fool victims into handing over banking information, the samples captured in July were "incredibly simplistic."

Analysis of all Trickbot campaigns between May and September found that around 10.5% of attacks took place in June compared to 51% of campaigns taking place in July, falling sharply to 10.5% again in August. It's believed Trickbot campaign activity fell by as much as 41% during June and August.

The lulls coincided with a noticeable decline in the sophistication of attacks, deviating from the elaborate emails that normally try to masquerade as legitimate notes from banking institutions. The belief is that Trickbot's resources may have been spread thin during this time, and that criminals may have been reliant on low-skilled freelance hackers.

It may seem odd to think of malware operators in the same way we think of employees in other sectors, but Cofense thinks that these phoned-in efforts could well be the result of the World Cup and summer holiday season distracting the usually fastidious TrickBot operatives. Certainly, activity picked up again towards the end of the month after the tournament came to an end.

Other possibilities mooted include fewer people doing the distribution work, and TrickBot operators using the summer to curate other flavours of malware.

Elsewhere, Cofense Intelligence noted an increase in the Emotet/Geodo Trojan from mid-July through to August, a resurgence in the AZORult malware, and an updated version of the Hermes ransomware. The new version's distribution method "bears a striking similarity" to Sigma and GrandCrab, leaving Cofense wondering whether the same hacking groups may be responsible for this update.

"Our findings highlight the crucial need for incident responders and network defenders to devise an appropriate response plan for high-impact phishing campaigns," said Aaron Higbee, CTO of Cofense. "By empowering and educating users to recognise and report suspicious emails, organisations and enterprises can avoid falling victim to attacks on their infrastructure."  

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Oxford University COVID lab falls victim to hackers
hacking

Oxford University COVID lab falls victim to hackers

26 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021