An Analysis of Malware Trends in Enterprise Networks
Abbas Acar, Long Lu, A. Selcuk Uluagac, Engin Kirda

TL;DR
This paper provides a large-scale empirical analysis of enterprise malware from 2017-2018, revealing limitations of AV solutions, attack patterns, and malware delivery timings in enterprise networks.
Contribution
It offers a detailed, recent analysis of enterprise malware trends, focusing on detection gaps, attack vectors, and temporal patterns, which are less explored in prior studies.
Findings
40% of malware samples are undetected by AVs upon first appearance
Documents are the primary transfer medium for malware in enterprises
93% of malware is delivered during weekdays, often during off-hours
Abstract
We present an empirical and large-scale analysis of malware samples captured from two different enterprises from 2017 to early 2018. In particular, we perform threat vector, social-engineering, vulnerability and time-series analysis on our dataset. Unlike existing malware studies, our analysis is specifically focused on recent enterprise malware samples. First of all, based on our analysis of the combined datasets of the two enterprises, our results confirm the general consensus that AV-only solutions are not enough for real-time defenses in enterprise settings, because on average 40% of the malware samples, when they first appeared, were not detected by most AVs on VirusTotal or were not uploaded to VT at all (i.e., never yet seen in the wild). Moreover, our analysis also shows that enterprise users transfer documents more than executables and other types of files. Therefore, attackers embed…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
