Cyberattackers are combining attacks to bypass detection

11 Oct 2023

Image: © blankstock/

HP’s Patrick Schläpfer discusses the new ways cyberattackers are trying to sneak past defences and how most attacks begin with human error.

Cyberattackers are constantly updating their tactics to breach defences and a recent HP Ireland report highlights the fast-changing nature of this landscape.

The company’s quarterly HP Wolf Security Threat Insights Report claims cyberattackers are chaining combinations of attacks together “like toy bricks” in order to sneak past threat detection tools.

HP said QakBot was one of the most active forms of malware in the second quarter of this year, as it detected 56 campaigns associated with the malware. In August, a major multinational operation moved to disrupt this notorious botnet and malware infrastructure.

The HP report claims “creative” QakBot campaigns were observed switching up different file types and techniques in order to trick security tools. As a result, 32pc of the QakBot infection chains detected by HP in the second quarter were “unique” chains.

Patrick Schläpfer, a senior malware analyst with the HP Wolf Security threat research team, said this technique isn’t particularly sophisticated, but that it does succeed in making cyberattacks harder to spot.

“The growing number of tools available on cybercrime forums enables threat actors to create more complex infection chains and find new ways to evade detection,” Schläpfer said.

Hard-to-spot tricks

While switching up file types isn’t sophisticated, cyberattackers are deploying other clever tactics to trick their victims and shake up the cybersecurity landscape.

HP said that threat actors behind a campaign called Aggah have evolved their tactics to avoid detection. This campaign was observed deploying malicious code within a popular, legitimate blogging platform, which makes it harder for defenders to tell if a user is reading a blog or launching an attack.

From this blog, the threat actors can then disable some anti-malware capabilities on a victim’s machine and steal sensitive data. Schläpfer said this tactic means organisations can’t rely on “spotting every piece of malicious code they receive”.

“Instead, they need to rely on stronger protection that will isolate risky tasks as they are executed, rendering any malicious code that’s slipped past defenses to be harmless,” Schläpfer said. “Organisations should also ensure that users only install software from trusted sources.”

Other Aggah attacks observed by HP used a DNS TXT record query to deliver a remote access trojan. HP said this record query is typically used to access simple information on domain names and that the DNS protocol is not often monitored or protected by security teams.

“We recommend network defenders understand what’s normal for their environment by focusing on improving their network visibility and working with the data they have,” Schläpfer said. “This includes logging DNS queries and answers and creating detections to catch abnormal activity that indicate an attack is in progress.”

Reducing the attack surface

Despite the constant upgrades cyberattackers deploy to their malware and tactics, the most common reason these attacks are successful appears to be human error.

Earlier this year, an Interpol-led operation shut down a notorious ‘phishing-as-a-service’ platform called 16shop. Interpol said this platform sold hacking tools that compromised more than 70,000 users in 43 countries.

HP’s global head of security for personal systems, Dr Ian Pratt, said the method of initiation for infection chains “inevitably comes down to the user clicking on something”.

The top vectors for delivering malware to endpoints in the second quarter of 2023 were emails and browser downloads. Together, these made up 91pc of threats identified by HP Wolf Security.

“Though attacker tradecraft changes over time, most threats rely on tricking users into opening malicious email attachments, clicking on links or downloading files,” Schläpfer said. “Ensuring these risky activities are secure should be paramount for organisations looking to protect themselves against new attack methods.”

Schläpfer said that educating users is important to reduce the risk of an attack, but added that organisations should ensure they have a safety net in place that can stop the attacks that make it through.

“Hardware-enforced isolation is a useful tool for achieving this, helping organisations to isolate and contain risky activities such as opening email attachments, clicking on links and browser downloads,” he said.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic