Cloud and Threat Report: Global Cloud and Malware Trends

EXECUTIVE SUMMARY

In this edition of the Cloud Threat Report, we examine the past twelve months of malware downloads from the cloud and web. Trojans accounted for the overwhelming majority of malware downloads, with attackers using a variety of different Trojan families and social engineering techniques to target their victims. The majority of malware downloads were either Windows EXE/DLL files or Microsoft Office documents, as attackers continue to target Microsoft Windows, still the most popular desktop operating system in the enterprise.

We also examine the sources of malware downloads, where 53% come from traditional websites and 47% come from cloud apps. Web malware downloads originate from many different website categories, led by technology sites and content servers. Cloud malware downloads originate from hundreds of different apps, led by popular cloud storage apps. Both web and cloud malware downloads tend to originate from servers located within the same regions as their victims.

Finally, we gain insight into some of the techniques attackers use to deliver malware by examining the most popular referrers of malware downloads. The top referrers include search engines, as attackers use popular SEO techniques to achieve high search engine rankings. Compromised websites and malicious websites designed to mimic benign websites are also popular referrers of malware downloads.

REPORT HIGHLIGHTS

• Trojans account for 77% of all cloud and web malware downloads, used to gain an initial foothold and to deliver a variety of next-stage payloads, including backdoors, infostealers, and ransomware.
• 47% of malware downloads originate from cloud apps compared to 53% from traditional websites, as attackers continue to use a combination of both cloud and web to target their victims.
• Phishing downloads are on the rise, fueled by attackers using SEO techniques to get malicious PDF files ranked highly on popular search engines, including Google and Bing.
• EXE and DLL files account for nearly half of all malware downloads as attackers continue to target Microsoft Windows, while malicious Microsoft Office files are on the decline and have returned to pre-Emotet levels.
• Most malware downloads originate from servers located within the same regions as their victims, as attackers stage their malware throughout the world to evade geofences.