Welcome to the Q1 2024 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q1 2024.

Key Findings

• Social engineering attacks, especially cybercriminals targeting enterprises with fake overdue invoices, continued to be a big endpoint threat in Q1. This lure is a perennial one, but still represents a large risk since many organizations send and pay invoices through email attachments. Typically, the campaigns targeted enterprises rather than individuals, where attackers’ potential return on investment is higher – for example, through fleet-wide ransomware and data extortion attacks.
• In Q1, archives containing malicious script files continued to be a very common attack pattern for infecting endpoints. Such attacks require around four clicks to infection, which is higher than other methods like macro-enabled documents that were once popular. Despite this, the popularity of this infection method suggests that attackers are successfully tricking users to click.
• In campaigns delivering WikiLoader malware, attackers combined a series of tricks to evade network and endpoint detection, including redirecting victims to malicious websites using open redirect vulnerabilities (CWE-601), obfuscated JavaScript (T1027.013), hosting malware on legitimate cloud services (T1102), and sideloading the malware via a legitimate application (T1574.002).
• Many malware campaigns relied on living-off-the-land (LOTL) techniques to help attackers remain undetected by blending in with legitimate system admin activity. For example, we observed numerous abuses of the Windows Background Intelligent Transfer Service (BITS) (T1197) – a tool built into Windows used by administrators to transfer files between web servers and file shares.

Read the Report

Download the report: HP Wolf Security Threat Insights Report Q1 2024

Download (PDF)

You can download and read our previous Threat Insights Reports here.