The Q4, 2019 Threat Report from cybersecurity firm Proofpoint has confirmed Emotet was the biggest malware threat in 2019, accounting for 37% of all malicious payloads for the year, even though Emotet was inactive for several months of 2019. Emotet activity is up considerably from 2018, when it accounted for 28% of malicious payloads for the year. In Q4, 2019, Emotet accounted for 31% of all malicious payloads.
Banking Trojans also proved popular, accounting for 29% of malicious payloads in Q4, 2019, followed by downloaders (19%), Remote Access Trojans (9%), credential stealers (8%), keyloggers (3%) and backdoors (1%). Ransomware accounted for 0.1% of all malicious payloads, with ransomware gangs favoring other methods of attack, such as Remote Desktop Protocol (RDP) compromise.
Emotet was also seen distributing the banking Trojan TrickBot (aka The Trick) as a secondary payload in Q4. TrickBot accounted for 72% of all banking Trojans in Q4, helped in no small part by Emotet, which was behind 92% of downloads.
For 2019 as a whole, TrickBot accounted for 36% of all banking Trojans, followed by Ursnif (27%), IcedID (22%), Dridex (6%), and Qbot (6%). In Q4, 2019, SDBot was by far the biggest RAT threat, accounting for 85% of RAT volume, with NetWire accounting for 3% and a wide range of others making up the remaining 12%. SDBot was primarily distributed by TA505, the threat group previously associated with distributing Dridex and Locky ransomware via the Necurs botnet.
The favored method of email malware delivery is malicious URLs rather than email attachments. Proofpoint’s analysis revealed 85% of malicious messages used URLs for malware delivery in 2019, up from 75% in 2018. That said, in Q4 there was an increase in the proportion of emails using attachments to deliver malware. In Q4, 2019, 35% of malicious messages involved malicious attachments, which was driven by hybrid campaigns using a combination of malicious URLs and attachments to deliver Emotet.
The use of SSL certificates has also increased, with 40% of malicious domains having an SSL certificate in Q4, 2019, up from 26% in Q4, 2018. Fraudulent sites with both SSL certificates and an active HTTP response increased from 16.2% in Q3, 2019 to 25% in Q4.