Hackers are relying substantially more on malicious URLs than email attachments in the course of committing crimes, according to ProofPoint’s Quarterly Threat Report for Q4 2018, published Thursday. Despite that trend, Q4 2018 saw a jump in malicious attachments as well, particularly in late October, with a decline in URLs at the same time.
For Q4 2018, Remote Access Trojans (RATs) increased to 8.4% of all malicious payloads, accounting for 5.2% for the whole year–a substantial increase over the 0.04% observed in Q4 2017. “RATs are noteworthy for their power and versatility for threat actors who can use them as everything from simple downloaders to tools for completely controlling and exfiltrating all of the data from a device,” the report states. For comparison, frequency of ransomware dropped to background noise levels by Q4 2018.
Further meaningful conclusions are difficult to draw from the report, as the categorization of malware conflates attack targets with attack methods. This, perhaps, was done to generate headline-grabbing statistics like “56% of malware in Q4 2018 targeted banking,” which diagrams in the report imply strongly.
The problem is how this is defined in the report: “Banking Trojans are increasingly versatile tools employed by threat actors for delivering secondary payloads, mining cryptocurrency, and collecting a range of user data beyond the banking credentials often associated with this type of malware.”
Trying to conflate cryptomining attacks with stealing banking credentials is–generously speaking–wrong. Worse, credential stealers are a completely different category in ProofPoint’s report, comprising 17% of message volume in Q4 2018.
Malware attacks tend to collect data indiscriminately. This is by design. What cybercriminal motivated by financial gain is only going to steal account credentials for one particular bank? Even if collecting other data is not useful in the immediate term, having it on hand for future illicit access could come in handy. Or, attackers could sell account credentials they have no personal interest in on the Dark Web. That’s actually very common.
The most popular banking trojan cited by ProofPoint, Emotet, is actually a problem. Emotet was designed with a two-cluster command and control server, which makes it more challenging to take down. ZDNet’s Catalin Cimpanu notes that “the Emotet malware operation, formerly a banking trojan but now repurposed into a malware downloader, has been one of 2018’s most active malware threats,” and also notes that Emotet is now mass-harvesting email in Outlook, “something not seen in other malware droppers or banking trojans.”
ProofPoint cites Emotet as comprising 76% of all banking trojan attacks in 2018. Malware downloaders, which more accurately describes Emotet in its current incarnation, comprised 17% of all malware attacks in Q4 2018, according to ProofPoint.
For a comprehensive look into email security, check out TechRepublic’s cheat sheet for phishing and spearphishing.