Friday, 01 June 2018 12:43

Banks hit as trojans displace ransomware as top malware: Proofpoint


A new banking trojan, dubbed “DanaBot”, has been discovered targeting users in Australia via emails containing malicious URLs, according to security firm Proofpoint.

Proofpoint says in its quarterly threat report for Q1 2018 that the malware, which is written in Delphi, is still under active development and that, to date, it has observed it in use by only a single threat actor.

“However, it remains to be seen if distribution and use becomes more widespread given that the actor is known for purchasing banking Trojans from other developers and operators,” Proofpoint cautions.

“We also found additional samples in malware repositories other than those we observed in the wild, potentially suggesting distribution by other actors.”

Proofpoint says it first observed DanaBot as the payload of an Australia-targeted email campaign on 6 May, and the messages used the subject "Your E-Toll account statement" and contained URLs redirecting to Microsoft Word documents hosted on another site.
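The delivery pattern described above (a lure subject, a link in the mail body, and a redirect that lands on a Word document hosted on a different site) is something a mail-gateway analyst can triage mechanically. The following is an added example, not code from Proofpoint or from the article; the mail records and the redirect table are constructed test data, so nothing is fetched from the network, and the hostnames and paths are placeholders.

```python
"""
Added example (not from the Proofpoint report or the article): a small
triage check for the delivery pattern described above, i.e. an email whose
link redirects to a Microsoft Word document hosted on a different site.
All mail records and the redirect table below are constructed test data;
nothing is fetched from the network.
"""
import re
from urllib.parse import urlparse

# Constructed redirect table standing in for what following HTTP Location
# headers would return. Real tooling would resolve these in a sandbox.
REDIRECTS = {
    "http://etoll-statements.example/view?id=7731":
        "http://cdn-files.example/docs/statement_7731.doc",
    "http://etoll-statements.example/view?id=7732":
        "http://etoll-statements.example/portal/login.html",
    "http://news.example/article/42": None,  # no redirect
}

# Constructed mail records of the shape a mail gateway log might export.
MESSAGES = [
    {"id": "m1", "subject": "Your E-Toll account statement",
     "urls": ["http://etoll-statements.example/view?id=7731"]},
    {"id": "m2", "subject": "Your E-Toll account statement",
     "urls": ["http://etoll-statements.example/view?id=7732"]},
    {"id": "m3", "subject": "Weekly newsletter",
     "urls": ["http://news.example/article/42"]},
]

OFFICE_DOC = re.compile(r"\.(docx?|docm|rtf)$", re.IGNORECASE)
LURE_SUBJECT = re.compile(r"\be-?toll\b.*\bstatement\b", re.IGNORECASE)


def follow_chain(url, redirects=REDIRECTS, max_hops=5):
    """Return the list of URLs visited, starting with `url`.
    Stops at a non-redirecting URL, an unknown URL, or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain


def classify_url(url):
    """Return the set of findings for one URL after following redirects."""
    chain = follow_chain(url)
    findings = set()
    first_host = urlparse(chain[0]).hostname
    last = urlparse(chain[-1])
    if OFFICE_DOC.search(last.path):
        findings.add("office-doc")
        if last.hostname != first_host:
            findings.add("cross-site-redirect")
    return findings


def triage(messages):
    """Score each message: 'high' when a link lands on an Office document
    on a different host than the one in the email, 'review' when only
    some indicators fire, 'low' otherwise."""
    results = {}
    for m in messages:
        findings = set()
        if LURE_SUBJECT.search(m["subject"]):
            findings.add("lure-subject")
        for u in m["urls"]:
            findings |= classify_url(u)
        if {"office-doc", "cross-site-redirect"} <= findings:
            verdict = "high"
        elif findings:
            verdict = "review"
        else:
            verdict = "low"
        results[m["id"]] = (verdict, sorted(findings))
    return results


if __name__ == "__main__":
    for mid, (verdict, findings) in triage(MESSAGES).items():
        print(mid, verdict, findings)
```

The subject regex is deliberately narrow to the lure named in the report; in practice the redirect-to-Office-document check is the more durable signal, since subjects change between campaigns while the hosted-document delivery chain tends to persist.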

The discovery of the new banking trojan comes as banking trojans displaced ransomware as the top malware in email, accounting for almost 59% of all malicious email payloads in the first quarter this year.

And credential stealers and downloaders made up the bulk of the remaining malicious payloads, comprising 19% and 18% of malicious email, respectively.

Proofpoint warns that 2018 has seen a marked shift away from high-volume, immediately destructive ransomware campaigns, to distribution of banking trojans, information stealers and downloaders.

The security firm also says a lull in ransomware and generally lower volumes of malicious mail in Q1 appear to be associated with a disruption in the Necurs botnet, but have been accompanied by more diverse payloads including remote access trojans, backdoors, and more.

The report reveals that Emotet was the most widely distributed banking trojan, accounting for 57% of all bankers and 33% of all malicious payloads. On the email fraud side, 40% of organisations targeted received between 10 and 50 attacks in Q1 2018, and the number of companies receiving more than 50 attacks rose 20% compared with the last quarter of 2017.

Proofpoint says exploit kit traffic continued to decline, falling 71% from the previous quarter, and roughly 95% of web-based attacks now redirect into social engineering schemes instead of such kits.

Social media support fraud, or “angler phishing”, exploded in Q1 2018, increasing 200% from the previous quarter, Proofpoint says. It also found that 30% of bitcoin-related domain registrations were suspicious, although new registrations fell off sharply as the value of Bitcoin continued to fall through Q1.

“As in past quarters, we observed another pendulum swing in malicious message delivery. While high-volume campaigns delivering malware via a variety of attachments predominated in Q4 2017, the first quarter of 2018 was characterised by lower-volume campaigns that used links to hosted malware,” Proofpoint observes.

“In part, this was due to only sporadic activity from a single actor, TA505, who is usually responsible for the highest volume attachment campaigns we see on a daily basis. Even TA505, though, sent two large, uncharacteristic spam campaigns linking to suspicious pharmaceutical sales landing pages this quarter.

“The slowdown in TA505 activity allows us to more closely examine trends and payloads that might otherwise be drowned out by massive message volume from a single actor. Moreover, many of the other relatively prolific actors have historically used URLs in their malicious spam, further reinforcing the predominance of URL-based messages.

“Overall, URL messages outnumbered those with malicious attached documents by a 4-to-1 ratio in Q1.

“The relative mix of payloads in these messages, whether delivered by attachment or URL, also saw a significant shake-up in Q1. For the first time since Q2 2016, banking trojans displaced ransomware as the most common payload by message volume.”




Peter Dinham



