29 January 23, 10:15
Quote:Continue Reading
One of our goals is sharing with the security community as much as we learn from VirusTotal’s data to help stop, monitor and mitigate malicious activity. When looking back to 2022 we observe different interesting trends; we decided to go deeper into the three most interesting ones: evolution of distribution vectors, trending malware artifacts and toolsets, and threat landscape evolution.
Distribution vector evolution
During 2022 we detected changes in the way malware is distributed. First, the number of URLs used in phishing attacks has doubled since 2021, and the number of emails distributing any kind of malware increased from 11.4% in 2021 to 26.5% in 2022, that is a 132% increase.
This seems to correlate with the huge increase (almost doubled compared to 2021) of malicious PDF files hosted in phishing URLs. Probably this combination was one of the main distribution vectors of fraudulent content in 2022.
At the same time, the number of emails attaching malware files increased, mostly due to spam campaigns distributing common malware (like lovgate and noon).
We observed a high peak of formbook and AgentTesla samples in January 2022:
Additionally, the adoption of exploits keeps its growing trend for the last five years, however at a lower rate than it did in 2021. Indeed, in 2021 we observed a peak in the number of different CVEs exploited by new malware samples.
Total of
CVEs exploited by new samples per year Overall, the count of new malware samples exploiting CVEs hasn't changed much during the last three years. Only 5% of the CVEs tagged in 2022 were related to vulnerabilities published the same year, compared to a 7.8% in 2021. The following graph shows the 2022's top ten exploited CVEs by number of samples.
CVE-2022-30190 (aka Follina) was the most exploited CVE in 2022. This vulnerability affects the Microsoft Windows Support Tool and allows attackers to remotely execute code in the compromised machine. We wrote about this vulnerability some months ago in our blog.
Additionally, we observed an increase in the number of email, android, javascript and xml file types exploiting vulnerabilities. Some of the most popular CVEs for these file types in 2022 were CVE-2017-11882 (20 year old MS Office vulnerability patched in 2017), CVE-2017-0199 (MS Office/WordPad RCE vulnerability) and the most recent CVE-2022-30190 (aka Follina). This might indicate the adoption of Follina into kits used to weaponize attachments that would still keep the old exploits.
...
![[Image: Logo_VT_Horizontal.png]](https://1.bp.blogspot.com/-eNrJ344ipwk/XlaW63OVy9I/AAAAAAAAAF8/anLh0cnZwE8cYShNrki1m_Qm9Jx8Hw-5ACK4BGAYYCw/s1600/Logo_VT_Horizontal.png){kind=logo}
![[Image: NyRtapHq1WJ9x3zVla4S9Foh_JZdQ43ensH-5rZU...chw=s16000]](https://lh3.googleusercontent.com/NyRtapHq1WJ9x3zVla4S9Foh_JZdQ43ensH-5rZUNjRZi0Z4IqmrbNHq6-2Uvr1v6zC7W-79jSKVfpGgdb7Ht4QeOJFGKz3zOvtOzJ5COFXx0YqcsJx4dnWYwJqw3mIaApePerqs3K4cQuWfTYndf1GUj899b1_0tyMA4qoyPRhJ6zAO3duRC48HtfoJchw=s16000)
![[Image: rohOeHD7Af0HalP2Y6FkEtp8U5PDeHI8wVP5a7fh...-6M=s16000]](https://lh6.googleusercontent.com/rohOeHD7Af0HalP2Y6FkEtp8U5PDeHI8wVP5a7fhQjM_GjO0lcpuuk6zpPBGlj2NmTVtj8xp8MH0lav09VwkHqKD3GVUdWMXQZFRK2dsTjyuRCyLPHNqjTHRb98ncDS5MaXg_E3BhG0wKJGh6hSZ0ijLpKFknLcs7e0pm7aNiznxDrPFUWffKidQEq-1-6M=s16000)
![[Image: XiXrVp99L89aq18Uqksuluduzj0Ys-QIFzQpkSjL...U9E=s16000]](https://lh6.googleusercontent.com/XiXrVp99L89aq18Uqksuluduzj0Ys-QIFzQpkSjLp3xbStIwMs8w6ozF2PL8eVA-BD1eQXd1jNv9UaA7dWOZ9KMcK3tG1a321RBzVmbu09pKhzfVrbbtew3kqZgE635Jqm4XPoP6Zojzi08U5F2Bgk8WVUH86WAMkCHtt4SBTXZdA6SNOhMO-R3O75swU9E=s16000)