300% increase in endpoint malware detections

The third quarter of 2024 saw a dramatic shift in the types of malware detected at network perimeters, according to a new WatchGuard report.

The report’s key findings include a 300% quarter-over-quarter increase in endpoint malware detections, driven by threats that abuse legitimate websites or documents for malicious purposes as threat actors turn to more social engineering tactics to execute their attacks.

Microsoft Office documents such as Word and Excel files have long been used to trick users into running malicious software. Microsoft now blocks macros by default in Word, Excel, and PowerPoint files downloaded from the internet, and that protection has pushed attackers to OneNote files, which carry embedded objects rather than macros, as a delivery vector for Qbot (also known as QakBot, a banking trojan turned botnet loader). A OneNote file that contains an embedded script or executable, rather than an image or document, is the thing to look for.
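The following scanner is an added example, not code from the WatchGuard report or from Microsoft. It relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (section 2.6.13): a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused and reserved space, the embedded file's bytes, then a 16-byte footer GUID. The `classify()` heuristics and the sample document at the bottom are my own assumptions; the sample is constructed here and is not a real OneNote file, let alone a malicious one.

```python
"""Scan OneNote (.one) data for embedded file objects and flag executable content.

Added example, not from the WatchGuard report. Embedded files in a .one document
are stored as FileDataStoreObject records (MS-ONESTORE 2.6.13), so scanning for the
record's header GUID finds them without parsing the whole object tree.
"""
import struct
import sys
import uuid

# GUIDs from MS-ONESTORE 2.6.13, in the mixed-endian byte order they appear on disk.
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
PREAMBLE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Assumption: the content kinds a triage script cares about, not a full file identifier.
EXECUTABLE_KINDS = {"pe executable", "html/hta script", "batch/powershell script"}


def classify(payload: bytes) -> str:
    """Rough content-type guess for an embedded object (heuristic, assumption)."""
    head = payload[:512]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe executable"
    if b"<script" in low or b"<hta:application" in low:
        return "html/hta script"
    if low.lstrip().startswith(b"@echo off") or b"powershell" in low:
        return "batch/powershell script"
    if head.startswith(b"\x89PNG\r\n\x1a\n") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Return every FileDataStoreObject found in data as a dict."""
    found = []
    pos = 0
    while (idx := data.find(HEADER_GUID, pos)) != -1:
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + PREAMBLE
        payload = data[start:start + length]
        # A truncated object, or one whose footer is missing, is itself worth a look.
        footer_ok = (len(payload) == length
                     and data[start + length:start + length + 16] == FOOTER_GUID)
        found.append({"offset": idx, "length": length, "kind": classify(payload),
                      "footer_ok": footer_ok, "payload": payload})
        pos = idx + 16
    return found


def is_suspicious(findings: list) -> bool:
    """True if any embedded object is a script/executable or structurally malformed."""
    return any(f["kind"] in EXECUTABLE_KINDS or not f["footer_ok"] for f in findings)


def build_object(payload: bytes) -> bytes:
    """Wrap payload in a FileDataStoreObject; used only to build the constructed sample."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FOOTER_GUID


# Constructed stand-in for a .one file: filler, a harmless PNG-like blob, more filler,
# and a batch lure of the kind used to stage a loader. Not a real document.
SAMPLE = (b"\x00" * 64
          + build_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
          + b"\x00" * 16
          + build_object(b"@echo off\r\npowershell -w hidden -enc QQBBAEEAQQA=\r\n"))


def main(argv):
    # Usage: python onenote_scan.py suspicious.one  (falls back to SAMPLE with no argument)
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    findings = extract_embedded_files(data)
    for f in findings:
        print(f"offset=0x{f['offset']:x} len={f['length']} kind={f['kind']} "
              f"footer_ok={f['footer_ok']}")
    print("SUSPICIOUS" if is_suspicious(findings) else "no executable content found")


if __name__ == "__main__":
    main(sys.argv)
```

Real documents wrap these records in a larger object tree, and attackers rotate the lure type, so treat `classify()` as a starting list to extend rather than a verdict; the structural check on the footer catches objects that a crafted file truncates or pads to defeat naive carving.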

Another top threat that abuses legitimate services is a new wave of attacks on WordPress plug-in vulnerabilities. Threat actors exploit these vulnerabilities to take control of websites and trade on the sites' reputation to host malicious downloads such as SocGholish, which presents visitors with fake browser-update prompts and then executes malware. Because the download comes from an established domain, URL reputation filtering offers little protection; keeping plug-ins patched is the control that matters. WordPress powers more than 488.6 million websites worldwide, about 43% of all websites on the Internet.

Researchers also observed a rise in threat actors utilizing cryptominers this quarter, many of which were capable of additional malicious behaviors. Cryptominers are malware that hides on the user’s device and steals its computing resources to mine for online currencies such as Bitcoin. As cryptocurrency rises again in value and popularity, cryptomining malware is also regaining popularity.

“Organizations of all sizes should consider adopting AI-powered threat detection to spot unexpected traffic patterns and reduce dwell time, ultimately reducing the cost of a breach but also maintaining their traditional antimalware controls too,” said Corey Nachreiner, CSO at WatchGuard Technologies.

Threat actors are turning to social engineering tactics

This quarter, signature-based detections increased by 40% as threat actors turned to more social engineering tactics to execute their attacks. This growth underscores the rising prevalence of traditional malware as attackers refine their strategies to exploit legacy systems or widespread vulnerabilities.

EMEA accounted for 53% of all malware attacks by volume, doubling from the previous quarter. Meanwhile, the Asia Pacific region accounted for the most network attack detections, with 59% targeting the area.

Malware attack volume declined by 15% from the previous quarter. The findings also show that attackers created fewer new or unique malware samples than in prior quarters, relying instead on a wider range of malware techniques to infect devices.

Only 20% of malware detections evaded signature-based detection methods. This was a significant departure from the norm for what the report calls “zero-day malware,” which requires more proactive techniques, such as behavioral or sandbox analysis, to catch.

While ransomware has continued to trend downward in recent quarters, the data shows more ransomware operators active this quarter than in Q2 2024. Threat actors used a wider range of existing tactics to deliver ransomware rather than creating new attack avenues.