You've got malware: Malicious actors are waiting in your inbox

Dangerous URL messages, the resurgence of Emotet, and banking trojans flood the cyberthreat landscape, Proofpoint found.

How the malware landscape is evolving

We still have a massive number of hacks and malware coming in through phishing and older "tricks," says Franc Artes, Architect of Security Business at Cisco.

Proofpoint released a report on Thursday outlining the latest cyberthreats targeting organizations. Between the resurfacing of the Emotet botnet, heightened web-based threats, and increased URL-based email threats, companies and users are being attacked in a multitude of ways, the report found. 

Every day, Proofpoint analyzes 5 billion email messages, hundreds of millions of social media posts, and more than 250 million malware samples—all of which contributed to the Q3 2019 Threat Report. The most prominent threat was malicious URL messages, which accounted for 88% of the global combined malicious URL and attachment message volume, the report found. 


While the number of malicious URL messages was significant in Q3, the global combined malicious URL and attachment message volume was down by 40% compared to Q2, the report found. 

This decrease is attributed to Emotet's disappearance in Q2; the botnet didn't resurface until 10 weeks into Q3. However, Emotet came back with a vengeance. Despite not returning until mid-September, Emotet still made up 11% of all malicious mail in Q3. 

The Emotet effect 

Emotet is "one of today's largest and most dangerous malware botnets," appearing as URLs in fake emails. Once users click the link, a malicious file is downloaded, infecting the computer, and adding the device to the Emotet botnet. Emotet malware enables the download of other threats on infected computers, reported Catalin Cimpanu on ZDNet.

"It is not clear exactly why Emotet went down this year, however, these kinds of disappearances are not uncommon," said Richard Gold, head of security engineering at Digital Shadows, a provider of digital risk protection solutions. "It could be for infrastructure upgrades, law enforcement intervention which can disrupt operator activity, operator vacation or retooling to deliver new capabilities or to perform damage limitation after a code leakage."

During Emotet's absence, other malicious actors made sure to fill the void: Banking Trojans and remote access Trojans (RATs) became the most dominant payloads, occupying 61% of all malicious payloads collectively, the report found. 

"Whether they were stepping in because there's opportunity without Emotet, or they're stepping in because they were just planning to increase their volumes and their reach, we can only speculate," said Chris Dawson, threat intelligence lead at Proofpoint. "It is entirely possible that some folks were taking advantage of the lull in Emotet."

Banking Trojans intercept and steal information used in financial transfers, often disguising themselves as real banking apps or websites. RATs are designed to sit on a computer and allow threat actors to remotely navigate a user's device and act on the user's behalf, often stealing credentials, Dawson said.

The banking Trojans distributed in the highest volumes included Trickbot (37%), IcedID (26%), and Ursnif (20%). As for RATs, FlawedAmmyy (45%), FlawedGrace (30%), and NanoCore RAT (12%) had the highest relative message volumes, the report found.

Overall, attackers in Q3 focused on the distribution of versatile malware, designed to live undetected on compromised computers and collect personal information, participate in reconnaissance, and facilitate the distribution of secondary payloads, according to the report. 

"Threat actors are continuing to move away from single-purpose malware, to multipurpose malware. It's the Swiss army knife approach," Dawson said. "That allows them to distribute, whether it's en masse, or in very targeted attacks, really robust malware." 

Ransomware was nowhere to be found in Q3, with RATs and banking Trojans overwhelming the credential-stealing landscape, the report found. 

Once Emotet returned, the botnet followed the same model it had executed before. The most significant change to Emotet's strategy was its target locations, focusing on Italy, Spain, Japan, Hong Kong, and Singapore, in addition to its previous targets including the US, Canada, UK, Germany, and Australia, the report found. 

Other noteworthy threat vectors 

Other malicious campaigns focused on sextortion. Many of these campaigns came in the form of a PDF email attachment demanding Bitcoin payments, threatening otherwise to send video or keylogger evidence of potentially embarrassing online activity to the recipient's email and social media contacts, according to the report. 

Cyberattackers also used traffic distribution systems (TDS) as threat vectors for malicious advertisements (malvertisements) and URL-based malicious messages. The most common TDS used was Keitaro, which is a legitimate service used by online advertisers. Malicious actors, however, used the TDS to intercept web traffic for nefarious purposes, redirecting users to sites equipped with exploit kits, the report found.

"The notion of using a TDS is becoming increasingly common," Dawson said. "We think that's part of the reason that we're seeing so many URL-based messages; it allows for threat actors to make sure that you don't understand exactly where they're going. If you're an automated defender, you have automated systems for figuring out what is in an email message, or what's behind the URL. The more hops your threat actor takes, the harder it is for those systems to detect exactly where the threat actors are, and what they're trying to deliver."
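The redirect hopping Dawson describes is what a defender's URL triage has to unwind. The following is an added example, not Proofpoint's tooling or anything from the report: it expands a message URL's redirect chain hop by hop, stops on loops or a hop cap, and summarises how many hosts the chain crosses. The fetcher is injected, so it runs offline here against a constructed, fictional chain.

```python
"""Expand a URL's redirect chain hop by hop, as a defender would when triaging
URL-based messages routed through a traffic distribution system (TDS).
Added example with an injected fetcher; all hostnames below are constructed."""
from urllib.parse import urlparse, urljoin

MAX_HOPS = 10  # stop following after this many redirects
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def expand_redirects(url, fetch, max_hops=MAX_HOPS):
    """Follow HTTP redirects from `url` and return (chain, stop_reason).

    `fetch(url)` must return (status_code, location_header_or_None).
    Stops on a non-redirect status, a missing Location, a loop, or the cap."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "terminal"
        nxt = urljoin(chain[-1], location)  # resolve relative Location headers
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "hop_limit"


def chain_summary(chain):
    """Hop count, number of distinct hosts crossed, and the final landing URL."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    return {"hops": len(chain) - 1,
            "distinct_hosts": len(set(hosts)),
            "final": chain[-1]}


# Constructed sample: tracking link -> TDS (two hops) -> landing page.
SAMPLE_RESPONSES = {
    "http://mail-track.example/c/123": (302, "http://tds.example/go?id=123"),
    "http://tds.example/go?id=123": (302, "/r/abc"),
    "http://tds.example/r/abc": (303, "https://landing.example/offer"),
    "https://landing.example/offer": (200, None),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain, reason = expand_redirects("http://mail-track.example/c/123", sample_fetch)
    print(reason, chain_summary(chain))
```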

Malicious actors are becoming more sophisticated, with 25% of fraudulent domains detected in Q3 using a secure certificate. Many regular users have been conditioned to look for a padlock icon in their browser's address bar as a sign that a site is safe, but that is no longer a reliable indicator, according to the report. 

As cybercriminals become smarter, organizations must remain vigilant in their online security practices. 

How to stay protected

The report outlined four recommendations for organizations attempting to keep employees and customers safe. 

1. Assume users will click

Cybercriminals will continue using social engineering methods to launch email attacks and exploit users. Companies should leverage security solutions that identify and quarantine inbound email threats targeting employees and outbound threats targeting customers.

2. Deploy robust layered defenses

One security solution won't cut it anymore. With so many different types of attacks and threat vectors, companies should implement multiple security solutions and a full email authentication protocol.  

3. Protect brand reputation and customers 

Attackers won't single out employees; they will also come for an organization's customers. Companies should search for a comprehensive domain fraud solution which scans the web and reports any suspicious or fraudulent activity. 

4. Partner with a threat intelligence vendor 

Smaller, more focused attacks require more sophisticated threat intelligence strategies. Organizations should leverage a solution that can detect new attack tools, targets, and tactics, and learn from those new strategies. 

Dawson also emphasized the importance of a layered security approach, but "no matter how many layers you have, your users are your final line of defense. The better trained your users are to find [threats] that make it through your defenses, the better," he said. 

If users are well-equipped to handle security issues, these attacks can be eliminated even quicker, benefitting the user and organization, Dawson said. 

For more, check out 5 ways to avoid top malware threats on TechRepublic. 
