Malicious URL messages, the resurgence of Emotet and misuse of TDS platform make up the cyber threat landscape in Q3 2019
- Trickbot, IcedID and Ursnif malware strains made up 83% of banking trojan payloads in Q3.
- FlawedAmmyy and FlawedGrace accounted for 75% of all RAT payloads in Q3.
Proofpoint has released its quarterly cyber threat report which highlights the increase in attacks due to web-based threats, Emotet trojans and more.
The report has been created after analyzing 5 billion email messages, hundreds of millions of social media posts and more than 250 million malware samples. Below are the key takeaways from the third quarter of 2019.
A rise in malicious URL messages
Dangerous URL messages accounted for 88% of the total malicious URL and attachment message volumes detected between July and September 2019. A majority of these malicious messages were used to distribute malicious payloads such as banking trojans (46%) and remote access trojans (15%).
The notorious Emotet trojan returned in mid-September, grabbing almost 12% of all malicious emails in Q3. The trojan was absent for the first 10 weeks of the quarter. The campaigns were resumed on September 16 by the TA542 threat actor group using malicious document attachments or links.
Volumes of banking trojans and RATs increase
Trickbot, IcedID and Ursnif malware strains made up 83% of banking trojan payloads in Q3. While the TA556 and TA544 threat actor groups were responsible for large Ursnif campaigns in the third quarter of 2019, TA516 was behind the IcedID trojan distributed throughout the quarter.
Q3 2019 also saw major attacks from the TA505 cybercrime group. The group was observed using FlawedAmmyy and FlawedGrace, which together accounted for 75% of all RAT payloads in Q3.
Malicious use of Keitaro TDS climbs
Several malicious email campaigns that ultimately led to the distribution of a wide range of malware leveraged the Keitaro Traffic Director System (TDS) and various exploit kits to evade detection.
Once users clicked links to Keitaro sites in malicious emails, they were redirected to:
- Sites with malvertising that led to infection via an exploit kit;
- Legitimate sites.
In August, Keitaro redirected users to either Fallout or RIG EKs. These EKs were used to distribute several malware strains such as AZORult, KPOT, SystemBC, Osiris, Vidar Stealer, Amadey downloader and Chthonic.
Fraudulent domains go up
Over 26% of fraudulent domains used SSL certificates, which lent these domains additional credibility in social engineering. Among top-level domains (TLDs), fraudulent sites mostly relied on .com.