
HP Report: “Hackers Use Advertising to Measure Victims”

  • February 15, 2024

Attackers are constantly reinventing themselves, HP concludes in a research report. Malware campaigns now route victims through legitimate advertising platforms so that attackers can measure the number of clicks on malicious links.

HP publishes an analysis of data from its Wolf Security software for business laptops every three months. The latest report highlights some striking trends. Today, hackers work like professional marketers, using advertising analytics to measure which tricks work and which don’t.

Measure per click

To do this, they use the “DarkGate” malware, which has recently appeared frequently in Microsoft Office applications, such as Microsoft Teams. DarkGate allows cybercriminals to gain backdoor access to networks. One attack pattern HP often sees is the malware hiding behind OneDrive error messages. These messages look realistic and trick unwary users into clicking on a download link.

DarkGate tries to lure you with this error message. Source: HP

It sounds like a typical cyber attack, but it isn’t. Victims are first redirected to sponsored content hosted on a popular advertising network. By using advertising services, attackers can analyze which lures generate clicks and infect the most users, thereby optimizing their campaigns for maximum impact, just as marketing agencies use analytics to measure the success of email campaigns.

Pelle Aardewerk, Cyber Security Consultancy Lead EMEA at HP, explains: “Cybercriminals use the same tools a company would use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood that the user will fall for the bait. To protect against well-equipped threat actors, organizations must follow zero trust principles and isolate and contain risky activities such as opening email attachments, clicking on links, and downloading in the browser.”

Macros aren’t worn out yet

It’s by no means the only notable trend HP describes in the report. Since Microsoft started restricting Office macros, they have become increasingly rare, but there are still campaigns that use this old classic. Nevertheless, it is primarily Office exploits and PDFs that attackers consider attractive entry points. Eleven percent of the malware analyzed was hidden behind a PDF file.

Finally, attackers are becoming increasingly successful at evading detection tools. At least 14 percent of email threats bypassed one or more email gateway scanners. CAPTCHAs are also a popular disguise for hiding malware from sandboxes. Attackers also use legitimate file-sharing and text-sharing websites (like Discord) to host malicious files. Organizations often trust these websites, which lets the malicious files bypass anti-malware scanners and gives attackers a greater chance of remaining undetected.

Source: IT Daily
