Threat Insight 2019 in Review: Year of the RAT

Share with your network!


2019 is now behind us, but its effects in the infosec realm are going to be felt long after the empty champagne bottles have been brought to the recycling center. The rise in popularity of the Remote Access Trojan, or RAT, among financially motivated threat actors tracked by Proofpoint researchers, was a key highlight in 2019 that is still asserting itself well into the new year.

Actors that gained an affinity for RATs in 2019 include the highly prolific TA505, which introduced the FlawedGrace RAT along with a new backdoor, ServHelper, in early January last year and continued distributing RATs using two new downloaders, AndroMut and Get2, as well as a new RAT, SDBbot, over the summer. TA516, who can be viewed as a barometer for threat actor trends given the diversity of their malware payloads, spent a large portion of Q2 and Q3 2019 distributing Remcos RAT campaigns and ended its year with a new Remcos campaign on December 31. 

Q1 2019

TA505 started off a very active year in early January with a new backdoor, ServHelper, which was used to distribute the FlawedGrace RAT among other types of malware. In February, Proofpoint researchers reported on phishing lures that mimicked job opportunities being used to distribute the More_eggs backdoor, which in turn, often downloaded RATs and other Trojans and stealers as secondary payloads. In March, Proofpoint researchers reverse-engineered the configuration of Nymaim, an evolving downloader which has been used by numerous threat actors to download secondary payloads and to install its own modules for additional functionality. Additionally, in March, Proofpoint researchers revealed the nature of the server-side components of Danabot, a popular banking Trojan that is offered as a “Malware-as-a-Service.”

Q2 2019

While traditional tried and true methods of creative phishing lures, credential dumps, and exploiting legacy email protocols and APIs proved to continue to be effective TTPs for threat actors in Q2 of 2019, malware continued to evolve as well. RATs such as Netwire were used in tax-themed phishing email campaigns targeting financial organizations, and stealers such as KPOT continued to evolve with new features such as zero-persistence and in-memory execution to silently exfiltrate user credentials.

Q3 2019

The third quarter of 2019 was a particularly busy one, especially for the distribution of RATs and sophisticated multi-function, modular malware. In early July, TA505 returned with a new loader, AndroMut, in order to distribute the FlawedAmmy RAT. In July and August, Proofpoint researchers observed the Chinese APT group, “Operation LagTime IT” targeting government IT agencies with the Cotx RAT, while another actor group used the so-called LookBack malware was used to target the utilities vertical in the United States. Lookback features a RAT module among other multi-function capabilities. In September, PsixBot appeared with new sextortion capabilities, including the ability to capture on-screen video of a victim’s desktop based on keyword triggers, such as those used by adult content sites.

Q4 2019

In October, TA505 doubled down on RAT distribution, with the introduction of SDBbot, which was paired with Get2, a new downloader that was also used in September to distribute the FlawedAmmy and FlawedGrace RATs. In November, TA2101, a new threat actor on Proofpoint’s radar, was observed using stolen branding of German, Italian, and US government organizations in order to distribute Cobalt Strike, penetration testing software that is frequently abused as multifunction malware. In December, Buer, a new downloader, appeared in an underground marketplace for sale to Russian-speaking threat actors, with a broad feature set that includes containerized installation and a user-friendly control panel. 


In 2019, tactics, techniques, and procedures (TTPs) that exploited the Human Factor such as phishing lures and other forms of social engineering continued to be the primary threat to organizations worldwide. Robust malware such as banking Trojans like Ursnif and modular bots like Emotet were still the overall volume leaders among malware tracked by Proofpoint researchers. However, based on activity observed throughout the past year, even more, full-featured malware like RATs and backdoors are becoming increasingly common, leaving the threat landscape dominated by multipurpose malware that provides threat actors future flexibility, whether they want to keep stealing credentials, drop ransomware, capture desktop video for extortion, or profile a network.