A new report from Proofpoint has confirmed Emotet was the biggest email-based threat in the first quarter of 2019.
The popularity of the malware is not surprising. While Emotet started out as a banking Trojan, it can now be used to deliver other malware variants and can even spread on its own by sending copies of itself in spam email from a compromised device. Emotet is now classed as a botnet, as it is being used to build a network of infected machines that can be used to perform a range of malicious tasks.
Proofpoint telemetry data shows botnets made up the highest percentage of malicious payloads and were distributed in 61% of malicious messages, all of which were detected as Emotet. The next biggest category of malicious payload was banking Trojans, which accounted for 21% of all malicious payloads. The most commonly used banking Trojans were IcedID (44%), The Trick (24%), Qbot (18%), and Ursnif (9%). Around one in five malicious emails attempted to deliver banking Trojans, half the level of this time last year. Even so, banking Trojans remain a major threat and are often downloaded as a secondary payload by Emotet.
Credential stealers account for 9% of malicious payloads and downloaders for 6%. RATs, keyloggers, and backdoors account for 1% each, while ransomware accounted for less than 1% of malicious payloads. It should also be noted that ransomware is often delivered as a secondary payload by Emotet (Ryuk ransomware, for example) and is deployed following brute force attacks on RDP.
While email attachments are commonly used to deliver malware, Proofpoint notes there has been an increase in the use of embedded URLs in recent months. Those URLs direct users to sites that download the malware payloads. In Q1, malicious URLs outnumbered malicious attachments by around 5 to 1; their use was up 21% on the previous quarter and up 180% on the same period last year.
URLs are a more effective way of delivering malware. Not only are URLs less likely than email attachments to be detected as malicious by email security solutions, an end user is also more likely to click a link than to open an attachment and enable a malicious macro. The rise in the use of malicious URLs is also due, in part, to an increase in Emotet botnet activity, according to Proofpoint.