WatchGuard Blog

WatchGuard Labs Detects 300% Surge in Endpoint Malware in Q3 2024

Endpoint malware volumes have been climbing for several years, but the increase WatchGuard's Threat Lab observed in Q3 2024 was the largest on record: total endpoint malware detections rose 300.48% quarter over quarter, to 420,304 threats.

The previous record was set in Q1 2024, when an 81.77% rise almost doubled the count from the quarter before. Q3's 420,304 threats, by contrast, are roughly four times the 104,951 detected in Q2 2024.

Why are these threats on the rise?

Given the surge in total threats, you might expect a wave of newly written malware to be responsible. It was not: the number of new threats detected actually fell by an atypical 74%, with only 36 new threats identified in the quarter.

A sharp rise in total volume alongside a drop in new threats indicates that attackers are reusing existing malware rather than writing new code. That pattern is consistent with malware-as-a-service (MaaS), in which less experienced criminals buy or rent ready-made malware instead of developing their own. In this model the MaaS operator sells the same malware to many buyers, each of whom makes minimal customizations and deploys it in their own campaigns.

At the same time, behavioral and machine-learning-based detections rose 773%, and detections by our endpoint security solution rose 5,199.71%. In other words, this wave was caught on the endpoint itself: the malware reached devices and was only detected there, without the other layers of the security stack having had a chance to analyze it.

The jump in machine-learning and behavioral detections shows that, however much the samples were modified, their runtime behavior still matched patterns these engines recognize. That fits the MaaS model: buyers get the malware together with tools for building and customizing it, no expertise required, and those kits commonly include features that automatically modify each sample so that it evades static, signature-based detection. The bytes change with every build; the behavior does not, which is why behavioral and ML engines kept catching them.
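The following is an added illustration of that point, not code from WatchGuard or from the report: a toy sample is "auto-modified" the way a kit's crypter would (re-encoded with a fresh key and padded with junk) and then run through two detectors, a SHA-256 blocklist and a simple behavioral rule. All sample bytes, file paths, registry keys, IP addresses and sensor events are constructed for the example, and the rule thresholds (miner-style ports 3333/4444/5555, CPU at or above 90%) are hypothetical. The hash blocklist catches only the original build; the behavioral rule catches every variant and leaves the constructed benign updater alone.

```python
"""Added example (not WatchGuard code): why a hash blocklist misses
auto-mutated MaaS variants while a behavioural rule still fires.
Every sample, hash, path, address and event here is constructed."""
import hashlib
import random
from dataclasses import dataclass, field


@dataclass
class Sample:
    """A toy 'binary' plus the runtime events a sensor would see it produce."""
    name: str
    body: bytes
    events: list = field(default_factory=list)

    def sha256(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


# Constructed base sample standing in for a cryptominer. The events mimic
# what an EDR sensor records: file drop, Run-key persistence, connection to
# a miner-pool-style port, sustained CPU use. (Hypothetical values.)
MINER_EVENTS = [
    ("file_write", r"C:\Users\victim\AppData\Roaming\svchost32.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    ("net_connect", "10.0.0.5:3333"),
    ("cpu_usage", "98"),
]
BASE_SAMPLE = Sample("miner_v1.exe",
                     b"MZ\x90\x00" + b"stratum+tcp://10.0.0.5:3333" * 4,
                     MINER_EVENTS)

# Constructed benign sample: a software updater that writes a log and talks
# HTTPS, with no persistence and low CPU. Used to check for false positives.
BENIGN_SAMPLE = Sample("updater.exe", b"MZ\x90\x00updater", [
    ("file_write", r"C:\Program Files\Vendor\updater.log"),
    ("net_connect", "203.0.113.10:443"),
    ("cpu_usage", "12"),
])


def mutate(sample: Sample, seed: int) -> Sample:
    """Mimic a kit's 'auto-modify' feature: XOR-encode the body with a fresh
    key and prepend random junk. The bytes (and hash) change with every
    build; the behaviour the sample exhibits at runtime does not."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    body = junk + bytes(b ^ key for b in sample.body)
    return Sample(f"{sample.name}.variant{seed}", body, sample.events)


# Detector 1: static hash blocklist, the simplest form of signature matching.
HASH_BLOCKLIST = {BASE_SAMPLE.sha256()}


def hash_detect(sample: Sample) -> bool:
    return sample.sha256() in HASH_BLOCKLIST


# Detector 2: behavioural rule over the runtime events.
def behavior_detect(sample: Sample) -> bool:
    """Fire when Run-key persistence, an outbound connection to a typical
    miner-pool port and high CPU occur together. Each alone looks benign;
    the combination matches the miner pattern whatever the on-disk bytes."""
    by_kind: dict = {}
    for kind, value in sample.events:
        by_kind.setdefault(kind, []).append(value)
    persistence = any(r"\CurrentVersion\Run" in v for v in by_kind.get("registry_set", []))
    pool_conn = any(v.rsplit(":", 1)[-1] in {"3333", "4444", "5555"}
                    for v in by_kind.get("net_connect", []))
    high_cpu = any(int(v) >= 90 for v in by_kind.get("cpu_usage", []))
    return persistence and pool_conn and high_cpu


def evaluate(samples) -> dict:
    """Map each sample name to (hash_hit, behaviour_hit)."""
    return {s.name: (hash_detect(s), behavior_detect(s)) for s in samples}


if __name__ == "__main__":
    batch = [BASE_SAMPLE, BENIGN_SAMPLE] + [mutate(BASE_SAMPLE, s) for s in range(1, 6)]
    for name, (h, b) in evaluate(batch).items():
        print(f"{name:22} hash={str(h):5} behaviour={b}")
```

The design choice worth noting is that the behavioral rule keys on a combination of events rather than any single one: a Run-key write or a high-CPU process on its own would flood an analyst with false positives, while the conjunction is both stable across repacked builds and rare in legitimate software. Real engines layer many such rules with ML scoring on top, but the reason they kept catching this quarter's recycled samples is the same as in this toy.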

Top 10 most prevalent malware in Q3 2024

Defending against threats also depends on knowing what you are up against. The ten most prevalent malware detections of the quarter are listed below; a few detection names appear twice because distinct variants sharing a family name were counted separately:

  • Trj/Agent.OOW (Malicious Cryptominer): 1,440 detections. A cryptocurrency miner that consumes the infected system's processing power to mine for the attacker without the user's knowledge.
  • Trj/WLT.A (Conficker): 556 detections. This worm, active since 2008, spreads via removable USB media and vulnerable hosts on the network to compromise further systems.
  • Trj/Chgt.AD (Unknown Malware): 398 detections. Still under analysis: it was flagged on anomalous behavior and does not yet have an exact classification.
  • HackingTool/AutoKMS (Malicious KMSTool - SECOPatcher): 344 detections. A tool used to activate unlicensed software, which can also be abused as a carrier for malicious payloads.
  • Trj/RnkBend.A (Glupteba): 241 detections. A modular botnet component that supports data theft and hijacks system resources for cryptocurrency mining.
  • Trj/CI.A (Downloader): 178 detections. A trojan downloader that fetches and installs additional malware on the affected system.
  • PUP/Conduit.A (Malicious Toolbar Installer): 159 detections. A potentially unwanted program that installs intrusive browser toolbars and changes browser settings.
  • Trj/CI.A (Trojanized SLOW-PCfighter): 140 detections. A trojanized build of the SLOW-PCfighter optimization utility: the legitimate-looking installer conceals a trojan that performs malicious actions on the system.
  • Trj/Agent.OOW (Malicious Cryptominer): 123 detections. A second variant of the cryptominer above, likewise designed to run in the background and exploit the infected machine's processing power.
  • PUP/Conduit.A (Malicious Toolbar Installer): 121 detections. A second variant of the toolbar installer above, which installs unwanted toolbars and collects user data without consent.

To learn more about the threat landscape and the WatchGuard Threat Lab team's findings, check out our Internet Security Report Q3 2024.