Review of Regional Malware Trends in EMEA: Part 1


Category: Malware, Unit 42

Tags: , ,


As we head towards the end of the year it’s common to reflect on the year almost behind us and to predict what the new year approaching will bring in terms of security challenges. This blog is part of a series that describe malware trends seen in the EMEA (Europe Middle East and Africa) region over the last six months of 2016.

Not long after joining Palo Alto Networks and the Unit 42 Threat Research team I was tasked with authoring and publishing monthly regional threat reports for internal use that focused on the EMEA region using data from our AutoFocus Threat Intelligence Service. The report contents and structure are fluid but some constants exist too, such as tips, take-aways and tools described for readers to learn and act upon to improve their security posture. We are working towards making the reports themselves public, meanwhile, this blog, and future blogs in the series, serve to publish summary information from each of the reports. This blog refers to data extracted from the June and July reports.

EMEA is the largest region on earth in terms of land mass spanning 4 continents from Greenland in the North and West, to the Cape of Good Hope in the South of Africa and as far as Iran in the East but location is pretty much where the commonality ends. The EMEA region is incredibly diverse with more countries than other regions, more languages, arguably more ethnicities and vastly contrasting GDP (Gross Domestic Product) figures as well as population sizes. Despite EMEA accounting for approximately one third of the world’s GDP, per capita, it also includes both the richest and poorest countries. All this amounts to the region being a great place to conduct business however, unfortunately, cyber criminals also believe the same and find it a lucrative market. The malware seen here is not necessarily unique to the region but like the region it is diverse!

Breaking-down the EMEA region into sub-regions is necessary to create digestible threat reports with meaningful data, however even that is not simple due to disparate cybersecurity postures and policies, maturity levels and, indeed, social and economic aspects of each country. That being said, the reports thus far cover segments of the region that are somewhat similar in terms of most of those aspects. For example, the first report covers countries in western Europe with similar GDP (Gross Domestic Product) amount. The second report covers some countries that are located in the Middle East region and are considered as emerging markets.

United Kingdom, Germany and France

These three countries top the GDP list for the EMEA region and thus the European sub-region as well with most of their wealth coming from the services sector.


  • Information stealing Trojans are rife in all three countries most likely due to their large service sectors with companies that store and process customer data.
  • Low-points in malware sessions were around Brexit referendum voting time.
  • Higher than usual H1N1 downloader Trojan activity

trend_1 The United Kingdom had the highest amount of malicious sessions of all three countries, as seen in our next-generation security platform and, as the three-month** trend shows, much of this traffic trend_2

was during April and May, peaking on May 27th. Most of this peak consisted of Locky ransomware campaigns but also included more than one hundred samples in over 7,000 sessions affecting Government and Higher Education.

** The regional threat reports are monthly but often it’s useful to review information and trends especially over a wider period for more context.

trend_3 Germany showed a similar peak to the trend_4

United Kingdom and also consisted mostly of Locky ransomware campaigns. However Germany saw fewer samples but over double the number of sessions. In contrast to the United Kingdom, the majority were seen in the Healthcare and High Tech industries. Locky, like many other variants of ransomware, is victim-agnostic because of the nature of the adversary’s attack and delivery method that uses weaponized documents, containing macros to drop and execute the payload, attached to emails sent out in very large, wide-spread malspam campaigns a la Dridex. The evolution of Locky ransomware since early 2016 has seen various changes not only in the payload behavior but also the distribution methods switching between various Exploit Kits (EKs) and campaigns to infect users browsing compromised websites. Locky is ubiquitous: so much so other cybercriminals have copied its traits, while using their often-recoverable malware to infect and encrypt as if it were Locky, probably to social engineer the victim into a quicker response and payment.

During the spike of Locky-related activity on May 27th just under a quarter of samples seen in the United Kingdom contained a unique feature not present in any samples seen in Germany during the same activity. AutoFocus additionally tagged those samples as having a behavior indicating the malware queried the system BIOS (Basic Input Output System) information during execution in our WildFire™ cloud sandbox. The “BiosDiscovery” tag represents a method commonly used by malware to determine whether running in a virtual machine or not, which could indicate execution in a sandbox environment.

Bolster your defenses:

Locky certainly is a formidable force with its aggressive distribution methods and sheer prevalence, which raises the probability of would be victims getting infected, however there are numerous points during the kill chain or attack lifecycle at which both an exploit delivering Locky or the Locky malware itself can be disrupted preventing its end game of encrypting your data. Interrupting network communications based on source and destination domain names, command & control traffic and unknown TCP; on the end point exploit-related behavior in various applications can be blocked and further methods include detecting DLL and thread injection routines as well as suspicious static file attributes, such as lack of digital signatures.

Malware, including Ransomware, is often distributed by attackers using email but sometimes the method of delivery can differ. Many include the malware as a raw executable file (.EXE, .SCR, .CPL or other file types) as an attachment, which is quite a primitive technique but sadly one that still results in successful infections. Less amateurish are those attackers who obscure their payloads inside other file formats, such as documents containing macros capable of unpacking and executing the executable file embedded inside or downloaded from a remote host; using JavaScript attachments (either directly attached or masquerading inside an archive ZIP attachment) leads to similar results. Some file attachments include exploits capable of exploiting vulnerable applications or systems, or contain URLs pointing to sites hosting Exploit Kits that use more advanced and automated means to deploy the same exploits, however end-point protection with exploit prevention can stop these methods.

trend_5 Based on this information it’s possible to stop many of the low-hanging fruit malware attacks on your network and end-points. Start doing something different tomorrow - Block email file attachments such as document files containing macros, ZIP files containing JavaScript code (or JavaScript full stop,) and other suspicious file types. If you can’t block exclusively, at least reduce who in the company can receive such email attachments to reduce the attack surface.

trend_6 The landscape trend_7in France was a little different over the same time period with the peak volume occurring very early on comparatively. April 7th saw over two hundred samples in more than 27,000 sessions using various applications including email-based and web-browsing, predominately affecting Government, High Tech and Service Provider sectors. Rockloader – an intermediary downloader Trojan – made up most of the malware samples, together with subsequent payloads including Kegotip and Pony Trojans capable of harvesting credentials or other data from victim systems as well as installing further payloads, such as Locky ransomware.

Brexit Disrupts Malware Volume

After 3 months of pretty consistent malware volume, different peak dates and malware campaigns it’s very interesting to note that all three countries had their troughs in the same week, if not the same day, at the at the end of June. No, not early summer holidays for these countries or their attackers, but instead, a very significant political event so-called Brexit (“British Exit”) whereby British citizens voted to leave the European Union during a referendum held on Thursday 23rd June. The decision, which came as a shock to many around the world, became known the day after. This whole event was significant and I strongly believe it was no coincidence that typical traffic patterns were affected. Perhaps attackers were waiting for the media to report the result with predictions for the future, largely revolving around economic uncertainty and Britain slipping back into recession, before launching their “post-Brexit” phishing attacks using topical news, as reported the week after.

In the month of June, PredatorPain, an information stealing Trojan capable of capturing passwords, keystrokes, screenshots and other sensitive information, was extremely prevalent in the United Kingdom. Germany had a mixture of malware each constituting significant volume including Vawtrak, another type of information stealing malware forming a botnet primarily focused on gaining unauthorized access to bank accounts through online banking websites, H1N1, and a single variant of the Andromeda downloader Trojan that alone was the most prevalent sample of the month. France also saw significant volume of the H1N1 Trojan downloader, which is capable of receiving remote commands from a command and control (C2) server in order to download and execute further malicious payloads.

Turkey, Saudi Arabia and United Arab Emirates

These three countries form part of the Middle East region and the emerging markets of the world. Turkey’s economic growth relies primarily on services, much like the European countries in the first regional threat report, however Saudi Arabia and United Arab Emirates (UAE) are extremely reliant on their oil and industrial sectors, although the UAE is diversifying into services and other sectors. The diversity of these countries, not to mention the greater Middle East region, their natural resources and foreign policies makes for a very interesting cyber attack landscape, an example of which, dubbed the OilRig campaign,  describes some targeted attacks, against various industries and countries.

It’s no surprise to learn that all three countries saw Locky campaigns throughout the month of July but also multiple attacks using the LuminosityLinkRAT (Remote Access Trojan) that has many features including an aggressive key logger that injects its code in almost every running process on the system. Once installed the attacker effectively has full control over the victim’s machine with the ability to retrieve user credentials, record web cameras and more.

trend_8trend_9 Saudi Arabia and UAE saw other common malware families not present in Turkey, such as NetWireRAT, which has shown an uptick trend_10the rise trend_11globally   often using Microsoft Excel documents attached to phishing emails that use macros to launch the malicious payload, whereas in Saudi Arabia and UAE, the emails included the executable files directly implying either different actors behind the attacks or an assumption about targets not filtering such file type attachments. Atmos malware – a polymorphic variant of Citadel (which is based on ZeuS) targeting financial and confidential user data is also trending upwards trend_12in these two countries.

Neutrino point-of-sale (PoS) malware was seen in Turkey and UAE during July. Neutrino attempts to scrape credit card information from memory on the infected system. UAE saw one variant of this malware over twenty one SMTP sessions using blank email subject lines and attachment “Payment TT copy with Invoice.exe” primarily affecting the Energy sector.


Like the United Kingdom, the PredatorPain information stealing Trojan was present in Turkey in July, however on this occasion the malware was delivered through an exploit in a Rich Text Document (RTF) file taking advantage of a 2012 vulnerability causing a buffer overflow in the ListView / TreeView ActiveX controls present in the MSCOMCTL.OCX library. The fact this exploit was so old proves that attackers will often use such techniques as they are still successful, unfortunately.

Patching systems as a security practice is as critical now as it ever has been, if not more so, given the advancements in Exploit Kits largely automating the exploitation and delivery malware but you can prioritize by focusing on vulnerabilities being used by attackers in the wild, followed by vulnerabilities with known exploits and Proofs of Concept.

After Locky, related downloader malware and PredatorPain, the Pony Trojan was the next most prevalent malware in all three countries. Pony is a popular piece of commodity malware capable of downloading further payloads but also comes equipped with a number of plugins to stealing stored credentials for various file transfer clients, web browsers and email applications. Whilst global trends for this malware were trending down slightly during this time the volume seen in the three countries was consistent and at quite high volume, relatively speaking, with Higher Education and Finance sectors being most affected.


EMEA is a socially and economically diverse region with many interesting assets whether they be citizen data, financial information or natural resources and, as such, is a target for cyber criminals the world over.

It’s interesting to consider that information-stealing malware, such as PredatorPain, is prevalent in countries that have a more service-based economy that manage and process plenty of user data and personally identifiable information (PII).

Some of the other countries analyzed that are more reliant on industrial sectors and natural resources seem to have more cyber attacks using RATs providing full control to remote attackers and use of key-logging technologies to harvest data.

Currently on its fourth iteration the regional threat reports have proved useful and, based on feedback, discussions are now ongoing about releasing publicly and expanding beyond the EMEA region as well, so watch this space so you too can get a better understanding of what's going on in different countries, sub-regions and industry verticals around the world.

Cyber Hygiene

The threat landscape is vast and can be complex but you can minimize your risk of infection and enhance the overall health of your network by following some basic cyber hygiene habits:

Patch systems and applications wherever (and as soon as) possible. Alternatively, focus on other security solutions, such as exploit prevention technology to protect those systems and applications from attack or to help manage patching cycles to suit your requirements. Prioritize patching based on known exploits or in-the-wild-attacks. Segment those unpatched/unpatchable devices in the network with additional access controls based on users or application communication to minimize the risk of exploitation. Perform regular vulnerability scans of systems and review changes to spot new devices or changes in active vulnerabilities.

Change the file association for JavaScript to be opened using notepad (or something else benign) rather than the Windows Scripting Host or other shell capable of executing malcode. This can be done per PC or enterprise-wide using Group Policy.

Educate users and employees of the security risks faced by your organization and perform regular training and reminders about these and how they can help the effort. Provide a platform for users to learn about the risks and to report incidents to security-related staff. Create a culture whereby such reporting is important and valued. Monitor effectiveness of training for the purposes of gap analysis and creating dialogue between security teams and users.