European businesses are being targeted by Trojans as shift to cloud continues

Attackers are increasingly abusing cloud apps as a malware delivery channel in Europe with an increase from 33% to 53% in the past year.

  • Wednesday, 1st March 2023, by Phil Alsop

Netskope Threat Labs has published new research exploring the active cyber threats facing enterprise businesses in Europe. The report finds that as enterprises have shifted to the cloud, attackers have followed, with more than half (53%) of all malware now delivered via cloud apps. Trojans - commonly used by attackers to gain an initial foothold in an enterprise’s cloud infrastructure in order to deliver other types of malware, such as infostealers, backdoors, and ransomware - were the most popular malware in Europe, representing 78% of all malware detected. 


45% of Command & Control (C2) communications detected in Europe came from Remcos malware, a remote access trojan which was originally a commercial tool and was subsequently weaponised by threat actors. Originally created in Germany, Remcos has many capabilities that make it attractive to threat actors, including numerous remote access options and a straightforward administrator GUI. In second place was Ursnif, a banking trojan (also known as “Gozi”), which again originated in Europe. Ursnif was 7.5x more common in Europe than in the rest of the world. Recent trends have also seen Ursnif evolve for use as a ransomware backdoor.


Ray Canzanese, Threat Research Director, Netskope Threat Labs said:


“The popularity of trojans among attackers targeting European organisations fits into a broader threat trend as they look to gain access to enterprise cloud infrastructure to profit from either ransomware attacks or by selling access to third parties.”


“There are three things enterprises should be doing to counter these threats. Firstly, inspect all web and cloud traffic including HTTP and HTTPS downloads and all ‘at risk’ file types to prevent malware infiltrating the network. Secondly, configure policies to block all downloads and uploads from apps not officially approved for use by your organisation to reduce your risk surface. Finally, use an Intrusion Prevention System (IPS) to identify and block malicious traffic patterns and help prevent further damage by limiting the ability for attackers to perform additional functions.” 
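The second of the three recommendations above (block downloads and uploads from apps not approved by the organisation) and the first (inspect 'at risk' file types) can be expressed as a simple policy over proxy or SWG logs. The following is an added illustration, not Netskope's product or code and not taken from the report: the sanctioned-app list, the 'at risk' extension list, the tab-separated log format and the sample records are all assumptions constructed for the example.

```python
"""Sanctioned-app upload/download policy applied to constructed proxy log lines.

Added example, not the report's or any vendor's code. SANCTIONED_APPS,
AT_RISK_EXTENSIONS, the log format and SAMPLE_LOG are assumptions made up for
illustration.
"""
from dataclasses import dataclass

# Assumption: the organisation has formally approved only these cloud apps.
SANCTIONED_APPS = {"onedrive", "google_drive"}

# Assumption: file types a defender would route to inline inspection rather than
# pass through unexamined, even from a sanctioned app.
AT_RISK_EXTENSIONS = {
    "exe", "dll", "scr", "js", "vbs", "ps1", "lnk", "iso", "img",
    "zip", "7z", "rar", "docm", "xlsm",
}


@dataclass(frozen=True)
class Decision:
    action: str  # "block", "inspect" or "allow"
    reason: str


def file_extension(name: str) -> str:
    """Return the lower-cased final extension of a file name, or '' if none.

    A double extension such as 'invoice.pdf.exe' resolves to 'exe', which is
    the part that matters for the inspection rule.
    """
    basename = name.rsplit("/", 1)[-1]
    if "." not in basename:
        return ""
    return basename.rsplit(".", 1)[-1].lower()


def evaluate(app: str, direction: str, filename: str) -> Decision:
    """Apply the allowlist first, then the at-risk file-type rule."""
    if direction not in ("upload", "download"):
        raise ValueError(f"unknown direction {direction!r}")
    app_key = app.strip().lower()
    if app_key not in SANCTIONED_APPS:
        return Decision("block", f"{direction} via unsanctioned app {app_key}")
    ext = file_extension(filename)
    if ext in AT_RISK_EXTENSIONS:
        return Decision("inspect", f"at-risk file type .{ext} via sanctioned app {app_key}")
    return Decision("allow", f"{direction} of .{ext or 'unknown'} via sanctioned app {app_key}")


def parse_log_line(line: str):
    """Parse a constructed, tab-separated record:
    timestamp<TAB>user<TAB>app<TAB>direction<TAB>filename"""
    _ts, user, app, direction, filename = line.rstrip("\n").split("\t")
    return user, app, direction, filename


def apply_policy(lines):
    """Return (user, app, filename, action) for every non-empty record."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        user, app, direction, filename = parse_log_line(line)
        decision = evaluate(app, direction, filename)
        results.append((user, app, filename, decision.action))
    return results


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2023-03-01T09:12:03Z\talice\tOneDrive\tdownload\tbudget.xlsx",
    "2023-03-01T09:14:41Z\tbob\tOneDrive\tdownload\tinvoice.pdf.exe",
    "2023-03-01T09:15:10Z\tcarol\tDropbox\tupload\tnotes.txt",
    "2023-03-01T09:16:55Z\tdave\tgoogle_drive\tdownload\tsetup.iso",
    "2023-03-01T09:17:20Z\terin\tMega\tdownload\tarchive.zip",
]

if __name__ == "__main__":
    for user, app, filename, action in apply_policy(SAMPLE_LOG):
        print(f"{action:8} {user:6} {app:13} {filename}")
```

The ordering matters: the allowlist is checked before the file type, so an archive from an unsanctioned app is blocked outright rather than merely inspected, while the same archive from a sanctioned app is still routed to inspection instead of being trusted because of where it came from.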


The Threat Labs team also found that:

  • Cloud adoption in Europe increased by 29% over the past year
  • 53% of European users regularly upload data to, and 92% of European users regularly download data from, cloud apps
  • Microsoft OneDrive is the most common cloud source of malware in Europe, as the source of 26% of all cloud malware downloads, with Google Drive in a close second place
  • Google Workspace components are more popular with European users than they are in the rest of the world
  • The average European user interacts with 18 different cloud apps per month, with the top 1% of users interacting with 79 apps per month