A report published this week by Proofpoint shines some light on how big an impact a single botnet can have on the cybersecurity landscape.
Last May, the Emotet bot went offline for reasons that are still unknown, resulting in a 40% year-over-year decline in global combined malicious URL and attachment message volume. In September, the Emotet botnet came back online, accounting for 11% of all malicious mail in the third quarter.
Chris Dawson, threat intelligence lead for Proofpoint, said most of these attacks consist of malicious URLs because after years of user awareness campaigns, attachments are not as effective a means of malware distribution as they once were. Malicious URL messages made up 88% of global combined malicious URL and attachment message volume in the third quarter.
The Proofpoint report also notes cybercriminals are leveraging the Keitaro Traffic Direction System (TDS) in both malvertising and URL-based email attacks to hide their activities and exploit multiple vectors. Over 26% of fraudulent domains are now using SSL certificates, the report also finds.
Surprisingly, ransomware remained virtually absent as a primary payload in malicious emails, except for smaller campaigns distributed via Troldesh and Sodinokibi botnets. However, the report says there has been a notable evolution in sextortion. Instead of relying on social engineering techniques to blackmail victims, cybercriminals have started to record browser sessions to capture actual evidence of adult activity to provide victims with an additional incentive to make Bitcoin payments, said Dawson.
The Proofpoint report finds there has been an increase in the volume of banking Trojans (18%) and remote access Trojans RATs (55%) in the third quarter compared to the previous second quarter. Dawson described these trojans as the equivalent of “Swiss army knives” that are employed to distribute multiple types of malware.
Dawson noted that not only are cybercriminals launching more sophisticated attacks, but they also appear to be exercising more patience, with malware tending to remain longer before being activated. Now that the Emotet botnet is back online, there is also concern that the volume of these attacks will increase as well.
Unfortunately, in addition to having to hunt for dormant malware, many cybersecurity teams may not be able to remediate a malware issue for several months because of the time it takes to find, test and deliver the required patch to an application.
Dawson said it also appears that cybercriminals are starting to mine the data they collect to better target their attacks. It’s only a matter of time before they start employing machine and deep learning algorithms. Right now, it’s not clear to what degree cybersecurity professionals will have the skills and resources required to thwart increasingly sophisticated attacks. However, like it or not, the cybersecurity community is about to discover whether they are up to the challenge.