Proofpoint Threat Report Reveals Growing RAT and Banking Trojan Activities in Q3 2019

The recently released Proofpoint Q3 2019 Threat Report provides information regarding the major threats in Q3 of 2019 and shows the evolving strategies, techniques, and procedures that cybercriminals used.

The information in the report comes from the analysis of over 5 billion email messages, hundreds of thousands of pieces of social media content, and more than 250 million captured malware samples.

The report shows that attackers now prefer embedded hyperlinks over email attachments for spreading malware: 88% of malicious email messages used malicious URLs to deliver their payload. This approach is favoured because a link is easier to slip past email security defenses than an attachment is.
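Because URL-based delivery is the dominant pattern the report describes, a defender's first triage step is to pull the links out of a message body and look at the indicators the link itself exposes. The following is an added example (not code from the report or from Proofpoint) that parses a constructed sample email, extracts its anchors, and flags three indicators: anchor text that displays a different host than the href targets, an href whose host is a raw IP address, and a path that ends in a downloadable payload suffix. The indicator names, the suffix list and the sample message are assumptions made for this illustration.

```python
"""Triage hyperlinks embedded in an email body (added example, not Proofpoint's code)."""
import ipaddress
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of suffixes that commonly carry a first-stage payload.
PAYLOAD_SUFFIXES = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso",
                    ".zip", ".doc", ".docm", ".xls", ".xlsm")

# A bare or scheme-prefixed hostname appearing inside the anchor text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_link(href, text):
    """Return the list of indicators raised by one hyperlink, in a fixed order."""
    indicators = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # 1. Displayed host differs from the real target host.
    match = _HOST_IN_TEXT.search(text)
    if match and match.group(1).lower() != host:
        indicators.append("host-mismatch")

    # 2. Target host is a raw IP address rather than a name.
    try:
        ipaddress.ip_address(host)
        indicators.append("ip-host")
    except ValueError:
        pass

    # 3. Path ends in a suffix that typically carries a payload.
    # Note: the scheme (http vs https) is deliberately not used as a trust
    # signal; the report notes that a valid certificate says nothing about
    # a site's legitimacy.
    if parsed.path.lower().endswith(PAYLOAD_SUFFIXES):
        indicators.append("download-suffix")

    return indicators


def triage_message(raw_message):
    """Parse a raw RFC 822 message and triage every hyperlink in its HTML body."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return [(href, text, triage_link(href, text)) for href, text in collector.links]


# Constructed sample message using reserved documentation names/addresses.
SAMPLE_EMAIL = """\
From: accounts@example.com
To: user@example.net
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready.</p>
<a href="http://203.0.113.10/invoice.doc">https://portal.example.com/invoice</a>
<a href="https://www.example.com/news">Read more</a>
</body></html>
"""

if __name__ == "__main__":
    for href, text, found in triage_message(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {found or 'no indicators'}")
```

The first link in the sample raises all three indicators; the second raises none. In practice the output feeds a policy decision (rewrite, sandbox, or block) rather than being a verdict on its own.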

Proofpoint remarks that ransomware continues to pose a substantial threat; however, it was largely absent from email campaigns. Proofpoint suggests that the lower cryptocurrency value is making it difficult for threat actors to profit from ransomware campaigns. Other kinds of malware, such as remote access Trojans (RATs) and banking Trojans, are more lucrative, and these were the major malware threats in Q3 of 2019.

Of all malware attacks, 15% used RATs and 45% used banking Trojans. These figures were 6% and 23% higher than in the previous quarter. The most popular banking Trojans were Dridex (14%), Ursnif (20%), IcedID (26%) and The Trick (37%). The most often used RATs were LimeRAT (5%), NanoCore RAT (12%), FlawedGrace (30%) and FlawedAmmyy (45%).

As opposed to ransomware, these malware variants are quieter and more persistent, and they remain effective for extended periods while stealing information, mining cryptocurrencies and sending spam. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), keyloggers (7%) and credential stealers (7%).

The change in spam statistics is attributable to the disappearance of the Emotet botnet in May. Its spam campaigns did not resume until the third week of September, which is why the overall volume of malicious messages dropped 39% in Q3 of 2019. Despite being gone for almost the entire quarter, Emotet was still responsible for about 12% of malicious payloads during Q3.

Q3 of 2019 saw more web-based threats and more malvertising redirects to exploit kits such as RIG and Fallout. Traffic to exploit kits mostly arrived via the Keitaro traffic distribution system (TDS), and Proofpoint attributes the growth in exploit kit activity to abuse of Keitaro. Keitaro can also redirect traffic to legitimate websites when it detects sandbox signals, so that its malicious redirects are not observed by analysis systems. A valid HTTPS certificate does not make a website legitimate: 26% of malicious websites had valid SSL certificates in Q3, up from 20% in Q1 of 2019.

Many threat actors still run sextortion scams. Although these scams rely on social engineering to frighten victims into paying, Proofpoint notes the emergence of malware capable of recording users' online activity, which suggests that future campaigns might include genuine evidence of adult-content viewing and so raise the attackers' success rate.

PsiBot is one malware variant being prepared for this purpose. PsiBot now includes a PornModule, which consists of a list of words associated with adult content and monitors the titles of open browser windows. When a title matches, audio and video recorded with the microphone and webcam are saved to an AVI file and later exfiltrated to the attacker's C2 server.