Latest Security Intelligence for November 2016


Author: Ben Nahorney

Email malware nearly doubles to one in 85 emails and spam rate rises for third month in a row.

Some of the key takeaways from November’s Latest Intelligence, and the threat landscape in general, include an increase in phishing emails, a drop in the number of new malware variants, the return of an aggressive disk-wiping malware, and the continuing saga of the Mirai botnet.


The email malware rate increased to one in 85 emails in November, compared to one in 158 emails the previous month.

Figure 1. Email malware rate for November increased to one in 85 emails

The number of new malware variants dropped last month, down to 71.2 million from the previous month’s 96.1 million. As with last month’s figures, a significant number of new malware variants can still be attributed to the Kotver family of threats (Trojan.Kotver), which has seen increased growth in activity since early August.

The infamous disk-wiping malware Shamoon (W32.Disttrack) made a comeback last month with a new variant (W32.Disttrack.B). Shamoon was used in attacks against Saudi energy companies in 2012 and the new variant used in the latest attacks still focuses on targets in Saudi Arabia.

The Mirai botnet (Linux.Mirai) continued to make headlines in November, with a new variant denying internet access to over 900,000 home users in Germany when it exploited a weakness found in routers widely used throughout the country.

November also saw malicious actors advertise a Mirai botnet for rent. Since the Mirai source code was released back in October, multiple Mirai botnets have appeared but none as large as the 400,000 device strong botnet the hackers claim to have available.


The global spam rate for November increased for the third month in a row, to 54.3 percent, reaching the highest rate seen since March 2015.


Spammers exploiting popular events to lure recipients into opening email is nothing new and last month stayed true to form with Black Friday and Cyber Monday spam doing the rounds. Online shoppers were warned about a campaign that sent malicious emails saying online purchases had been sent out for delivery. However, the email contained the JS.Nemucod​ malware which downloaded the Locky ransomware (Ransom.Locky).

Web attacks

Although the number of web attacks blocked by Symantec decreased in November to 291,000 per day, new attacks have continued to emerge. November saw reports of a newly discovered vulnerability being actively used to target users of Firefox and the Tor Browser (which is a repackaged version of Firefox). The memory corruption flaw, which has since been patched, allowed attackers to execute malicious code on vulnerable computers and de-anonymize Tor Browser users.

Last month also saw a slight shakeup in the exploit kit rankings. While RIG retained the number one spot for the third month in a row with 39.7 percent of all activity, Fiesta (3.9 percent) jumped from fifth to second place, knocking Magnitude (2.6 percent) down to third place.


The phishing rate increased in November to one in 2,621 emails, compared to one in 5,313 emails in October. The threat posed by phishing has not gone unnoticed by US security officials, with one official at a security event in New York last month calling it “the biggest threat we face.”

Figure 3. Phishing rate for November increased to one in 2,621 emails

Last month Symantec warned about business email compromise (BEC) scammers employing new tactics in their efforts to improve their success rate. Rather than sending emails with wire transfer or payment instructions at the beginning of a scam, BEC fraudsters are now exchanging emails with victims to gradually build trust.


While there were no new Android malware families discovered in November, the number of variants per family increased to 58. Symantec found that new versions of Android.Fakebank.B had been updated to circumvent Doze, a power-saving feature in Android 6.0 Marshmallow. The threat does this to stay active in the background. The threat uses social engineering to trick the user into adding the threat to the Battery Optimization Exceptions whitelist. The malware is then able to stay active and connected to the attacker’s command and control (C&C) servers even when the device is inactive.

Social media

Reports of the Locky ransomware being spread via Facebook messenger emerged in November. A security researcher blogged about a .svg image file being sent over the messaging service. In some instances, the file contained the JS.Nemucod​ downloader which downloaded Locky.

This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.

Originally published: 


Scroll to Top