Email Malware Grows At Alarming Rate Globally: Symantec

by CXOtoday News Desk    Aug 08, 2017

The cyber security landscape has grown increasingly complex in recent months. According to a recent study by security firm Symantec, the email malware rate continued to increase in July, the month the research covers, and threats such as WannaCry and Petya inspired other threats to add self-spreading components or functionality.

According to July’s Latest Intelligence, the email malware rate in July increased to one in 359 emails, up from one in 451 the previous month. This marks the highest rate seen in the past seven months.  

Figure 1. The email malware rate in July increased to one in 359 emails, the highest rate seen since December

This trend in malware being distributed through email seems to be catching on, with several infamous malware families recently adding functionality that allows them to spread via spam email.

Following the success of WannaCry and Petya, the banking Trojans Emotet and TrickBot have both added support for self-spreading components. Emotet now has the capability to steal email credentials from infected computers and then use them to send out spam in order to spread itself. TrickBot takes advantage of SMB to spread to computers on the same network as the original host and also spreads itself via spam posing as invoices from a financial organization. However, TrickBot’s new module doesn’t appear to be fully implemented yet, according to the researchers who discovered it.

It’s not just banking malware that is bringing worm-like functionality back into vogue. The ransomware Reyptson was discovered in July using stolen Thunderbird email client credentials to send out spam containing malicious links that ultimately lead to Reyptson being downloaded onto the recipient’s computer.

Researchers comment on another trend in the world of malware, so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. This allows them to minimize the risk of their attacks being discovered and blocked by traditional security tools. June’s Petya outbreak is a good example of an attack using living off the land tactics, with its use of system commands and legitimate tools such as PsExec and wmic.exe.
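A defender-side illustration of the point above, added here and not taken from Symantec's report: because PsExec and wmic.exe are legitimate tools, a single remote invocation says little, but one workstation pointing them at many different hosts is the worm-like pattern worth alerting on. The event tuples, host names and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (source host, image path, command line).
EVENTS = [
    ("WS-014", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:"10.0.0.21" process call create "cmd /c C:\Temp\job.bat"'),
    ("WS-014", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:10.0.0.22 process call create "cmd /c C:\Temp\job.bat"'),
    ("WS-014", r"C:\Temp\PsExec.exe", r"PsExec.exe \\10.0.0.23 -s cmd /c C:\Temp\job.bat"),
    ("ADMIN-02", r"C:\Tools\PsExec.exe", r"PsExec.exe \\10.0.0.40 ipconfig /all"),
    ("WS-030", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    ("WS-031", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

WMIC_REMOTE = re.compile(r'/node:\s*"?([^\s",]+)', re.I)   # wmic /node:HOST ...
PSEXEC_REMOTE = re.compile(r'\\\\([^\s\\]+)')              # PsExec \\HOST ...

def remote_target(image, cmdline):
    """Return the remote host a PsExec/wmic invocation points at, or None."""
    tool = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if tool == "wmic.exe":
        m = WMIC_REMOTE.search(cmdline)
    elif tool in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_REMOTE.search(cmdline)
    else:
        return None          # not one of the tools named in the article
    return m.group(1).lower() if m else None   # local use has no target

def fan_out(events, threshold=3):
    """Map each source host to its remote targets when it reaches `threshold`
    distinct hosts (threshold is an assumed tuning value)."""
    targets = defaultdict(set)
    for host, image, cmdline in events:
        target = remote_target(image, cmdline)
        if target:
            targets[host].add(target)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    for host, hit in fan_out(EVENTS).items():
        print(f"ALERT {host}: remote execution against {len(hit)} hosts: {hit}")
```
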


The global spam rate for July was the highest seen since March 2015, increasing 0.6 percentage points to 54.9 percent. As already discussed, several malware families were discovered in July to have added functionality that allowed them to send out spam containing copies of themselves. However, it’s not just malware authors that contribute to the world’s spam problem. A popular price comparison site was fined £80,000 (US$104,000) in July for spamming more than 7 million of its customers after they had specifically requested not to receive direct marketing emails from the company.


The phishing rate also increased slightly in July, up to one in 1,968 emails, making it the highest rate seen for the past 12 months.

The threat posed by phishing attacks prompted one U.S. senator to take it upon himself to urge federal agencies to better protect themselves. U.S. Senator Ron Wyden sent a letter to the Department of Homeland Security in July calling for stricter controls when it comes to their email. Wyden’s letter called for agencies to use the email protocol called Domain-based Message Authentication, Reporting and Conformance (DMARC), in order to reduce the risk of phishing attacks involving spoofed email addresses.

Web attacks

July saw a small decrease in the number of web attacks blocked by Symantec per day. Although the number dropped from 1,159,398 per day to 1,158,985 per day, July is the fourth consecutive month with elevated web attack activity.

Figure 2. July marks four months of elevated web attack activity

Researchers in the report also note a new type of attack that targets fresh installations of WordPress. Attackers are scanning for a specific setup URL that new installations of the content management system use. The presence of this URL indicates that WordPress has recently been installed on a server but has yet to be configured, making it relatively easy for the attackers to take over not only the WordPress site but also the hosting account and all other sites on that account.