Overview

2019 is now behind us, but its effects in the infosec realm are going to be felt long after the empty champagne bottles have been brought to the recycling center. The rise in popularity of the Remote Access Trojan, or RAT, among financially motivated threat actors tracked by Proofpoint researchers, was a key highlight in 2019 that is still asserting itself well into the new year.

Actors that gained an affinity for RATs in 2019 include the highly prolific TA505, which introduced the FlawedGrace RAT along with a new backdoor, ServHelper, in early January last year and continued distributing RATs using two new downloaders, AndroMut and Get2, as well as a new RAT, SDBbot, over the summer. TA516, who can be viewed as a barometer for threat actor trends given the diversity of their malware payloads, spent a large portion of Q2 and Q3 2019 distributing Remcos RAT campaigns and ended its year with a new Remcos campaign on December 31. 

Q1 2019

TA505 started off a very active year in early January with a new backdoor, ServHelper, which was used to distribute the FlawedGrace RAT among other types of malware. In February, Proofpoint researchers reported on phishing lures that mimicked job opportunities being used to distribute the More_eggs backdoor, which in turn, often downloaded RATs and other Trojans and stealers as secondary payloads. In March, Proofpoint researchers reverse-engineered the configuration of Nymaim, an evolving downloader which has been used by numerous threat actors to download secondary payloads and to install its own modules for additional functionality. Additionally, in March, Proofpoint researchers revealed the nature of the server-side components of Danabot, a popular banking Trojan that is offered as a “Malware-as-a-Service.”

• ServHelper and FlawedGrace - New malware introduced by TA505
• Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers
• Nymaim config decoded
• DanaBot control panel revealed

Q2 2019

While traditional tried and true methods of creative phishing lures, credential dumps, and exploiting legacy email protocols and APIs proved to continue to be effective TTPs for threat actors in Q2 of 2019, malware continued to evolve as well. RATs such as Netwire were used in tax-themed phishing email campaigns targeting financial organizations, and stealers such as KPOT continued to evolve with new features such as zero-persistence and in-memory execution to silently exfiltrate user credentials.

• Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide
• Tax-themed Email Campaigns Target 2019 Filers
• Threat actors abuse GitHub service to host a variety of phishing kits
• 2019: The Return of Retefe
• New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
• Threat Actor Profile: TA542, From Banker to Malware Distribution Service
• Beyond “North America” - Threat actors target Canada specifically
• URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape

Q3 2019

The third quarter of 2019 was a particularly busy one, especially for the distribution of RATs and sophisticated multi-function, modular malware. In early July, TA505 returned with a new loader, AndroMut, in order to distribute the FlawedAmmy RAT. In July and August, Proofpoint researchers observed the Chinese APT group, “Operation LagTime IT” targeting government IT agencies with the Cotx RAT, while another actor group used the so-called LookBack malware was used to target the utilities vertical in the United States. Lookback features a RAT module among other multi-function capabilities. In September, PsixBot appeared with new sextortion capabilities, including the ability to capture on-screen video of a victim’s desktop based on keyword triggers, such as those used by adult content sites.

• BrushaLoader still sweeping up victims one year later
• TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
• Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
• Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware
• SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
• LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards
• LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs
• Phishing Actor Using XOR Obfuscation Graduates to Enterprise Cloud Storage on AWS
• Seems Phishy: Back to School Lures Target University Students and Staff
• PsiXBot Now Using Google DNS over HTTPS and Possible New Sexploitation Module
• New WhiteShadow downloader uses Microsoft SQL to retrieve malware

Q4 2019

In October, TA505 doubled down on RAT distribution, with the introduction of SDBbot, which was paired with Get2, a new downloader that was also used in September to distribute the FlawedAmmy and FlawedGrace RATs. In November, TA2101, a new threat actor on Proofpoint’s radar, was observed using stolen branding of German, Italian, and US government organizations in order to distribute Cobalt Strike, penetration testing software that is frequently abused as multifunction malware. In December, Buer, a new downloader, appeared in an underground marketplace for sale to Russian-speaking threat actors, with a broad feature set that includes containerized installation and a user-friendly control panel. 

• TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
• Threat Actor Profile: TA407, The Silent Librarian
• TA 2101 plays government imposter to distribute malware to German, Italian, and US organizations
• Buer, a new loader emerges in the underground marketplace

Conclusion

In 2019, tactics, techniques, and procedures (TTPs) that exploited the Human Factor such as phishing lures and other forms of social engineering continued to be the primary threat to organizations worldwide. Robust malware such as banking Trojans like Ursnif and modular bots like Emotet were still the overall volume leaders among malware tracked by Proofpoint researchers. However, based on activity observed throughout the past year, even more, full-featured malware like RATs and backdoors are becoming increasingly common, leaving the threat landscape dominated by multipurpose malware that provides threat actors future flexibility, whether they want to keep stealing credentials, drop ransomware, capture desktop video for extortion, or profile a network.