The malware is written in Delphi, and Proofpoint says in its quarterly threat report for Q1 2018 that it is still under active development and that, to date, the firm has observed it in use by only a single threat actor.
“However, it remains to be seen if distribution and use becomes more widespread given that the actor is known for purchasing banking Trojans from other developers and operators,” Proofpoint cautions.
“We also found additional samples in malware repositories other than those we observed in the wild, potentially suggesting distribution by other actors.”
The discovery of the new banking trojan comes as banking trojans have displaced ransomware as the top malware in email, accounting for almost 59% of all malicious email payloads in the first quarter of this year.
And credential stealers and downloaders made up the bulk of the remaining malicious payloads, comprising 19% and 18% of malicious email, respectively.
Proofpoint warns that 2018 has seen a marked shift away from high-volume, immediately destructive ransomware campaigns towards the distribution of banking trojans, information stealers and downloaders.
The security firm also says a lull in ransomware and generally lower volumes of malicious mail in Q1 appear to be associated with a disruption in the Necurs botnet, but have been accompanied by more diverse payloads including remote access trojans, backdoors, and more.
The report reveals that Emotet was the most widely distributed banking trojan, accounting for 57% of all bankers and 33% of all malicious payloads – while 40% of organisations targeted by email fraud received between 10 and 50 attacks in Q1 2018, and the number of companies receiving more than 50 attacks rose 20% compared to the last quarter of 2017.
Proofpoint says exploit kit traffic continued to decline, falling 71% from the previous quarter, and roughly 95% of web-based attacks now redirect into social engineering schemes instead of such kits.
Social media support fraud, or “angler phishing”, exploded in Q1 2018, increasing 200% from the previous quarter, Proofpoint says, while 30% of bitcoin-related domain registrations were suspicious, but new registrations fell off sharply as the value of Bitcoin continued to fall through Q1.
“As in past quarters, we observed another pendulum swing in malicious message delivery. While high-volume campaigns delivering malware via a variety of attachments predominated in Q4 2017, the first quarter of 2018 was characterised by lower-volume campaigns that used links to hosted malware,” Proofpoint observes.
“In part, this was due to only sporadic activity from a single actor, TA505, who is usually responsible for the highest volume attachment campaigns we see on a daily basis. Even TA505, though, sent two large, uncharacteristic spam campaigns linking to suspicious pharmaceutical sales landing pages this quarter.
“The slowdown in TA505 activity allows us to more closely examine trends and payloads that might otherwise be drowned out by massive message volume from a single actor. Moreover, many of the other relatively prolific actors have historically used URLs in their malicious spam, further reinforcing the predominance of URL-based messages.
“Overall, URL messages outnumbered those with malicious attached documents by a 4-to-1 ratio in Q1.
“The relative mix of payloads in these messages, whether delivered by attachment or URL, also saw a significant shake-up in Q1. For the first time since Q2 2016, banking trojans displaced ransomware as the most common payload by message volume.”