Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity
The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals.
The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples.
The report reveals that attackers now favor embedded hyperlinks over attachments for spreading malware: 88% of malicious emails used to deliver malware contained malicious URLs. This tactic is preferred because URLs make it easier to bypass email security defenses than attached files do.
Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans.
RATs and banking Trojans were the main malware threats in Q3, 2019, accounting for 15% and 45% of all malware attacks respectively, up from 6% and 23% in the previous quarter. The most common banking Trojans were The Trick (37%), IcedID (26%), Ursnif (20%) and Dridex (14%). The most commonly used RATs were FlawedAmmyy (45%), FlawedGrace (30%), NanoCore RAT (12%), and LimeRAT (5%).
In contrast to ransomware, these malware families are much quieter, establish persistence, and can be used for extended periods to steal data, send spam email, and mine cryptocurrencies. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), keyloggers (7%), and credential stealers (7%).
The change in spam statistics can be attributed mainly to the disappearance of the Emotet botnet in May. Its spamming activity did not resume until the third week of September, which was the main reason the total volume of malicious messages fell by 39% in Q3, 2019. Despite being absent for most of the quarter, Emotet still accounted for almost 12% of malicious payloads over the entire quarter.
Q3, 2019 saw an increase in web-based threats and malvertising redirects to exploit kits such as RIG and Fallout. A high percentage of traffic to the exploit kits came through the Keitaro traffic distribution system (TDS), and Proofpoint notes that abuse of Keitaro is driving the increase in exploit kit activity. Keitaro can also route traffic to legitimate websites when it detects sandbox signals, which prevents the malicious redirects from being observed by analysis systems. Confirming that HTTPS does not mean a website is genuine, 26% of malicious domains had valid SSL certificates, up from 20% in Q1, 2019.
Sextortion scams are still widely used. While these scams rely on social engineering to scare people into making a payment, Proofpoint notes the emergence of malware capable of recording users’ online activities, which suggests that future campaigns may feature actual evidence of adult activity. That would greatly increase the attackers’ success rate.
One malware variant that has been adapted for this purpose is PsiBot, which has had a new PornModule added. The module contains a list of words associated with adult content and monitors the titles of open browser windows. When a title matches, audio and video are recorded via the microphone and webcam, saved to an AVI file, and exfiltrated to the attacker’s C2 server.