Our previous malware threat report highlighted the increases – and decreases – in threats and exploits that made their mark between Q3 2019 and Q4 2019. This edition highlights cyber threats and exploits observed by the Avira Protection Labs team in the first quarter of 2020. This report focuses on a growing trend that includes phishing and malspam campaigns, and on a surge in Emotet-related attacks.
More than 320 million new threats detected and blocked
Although the global pandemic has disrupted our lives, it has also created a platform for phishing and malspam campaigns. While we do not see any new malware families that can be linked solely to the Coronavirus, many threat actors leverage established malware such as Nanocore, Hawkexe or MortyStealer. Here is a detailed dive into Covid-19 threats.
In the first quarter of 2020, Avira Protection Labs identified nearly 14 thousand new and unique samples of the banking trojan ‘Emotet’. In the most recent quarter, we saw 9 times more Emotet-related attacks compared to Q4 2019. Samples found at the beginning of the year used a chain of Office macros, WMI (Windows Management Instrumentation) and PowerShell. However, newer variants of Emotet found in February 2020 moved away from PowerShell, instead triggering the malware payload directly via WMI. Malware authors commonly attempt to hide Emotet from detection by AV scanners. They do this by compiling the payload into publicly available projects such as open GitHub repositories, so the resulting PE file is very similar to a clean build without the Emotet payload. After February, Emotet activity declined: the botnet only pushed updates to already infected hosts and ran no new malicious email campaigns.
In Q1 2020, attacks mainly consisted of general malware such as trojans, worms and file infectors. These, together with other malware categories including rootkits and dialers, make up about two thirds of total detections. PUA and adware form the next big block, with about a quarter of total detections. The rest is made up of script and Office malware, exploits, mobile threats and coin miners. The biggest growth category compared to last quarter is PUA, where detections increased by nearly 20%.
For the first time since 2018 we saw quarter-on-quarter growth in coin-miner detections. However, the absolute numbers do not compare to the explosion in coin miners we saw in 2017/2018, as mining is far less lucrative today. Another interesting development was the tremendous growth in phishing attacks. Besides the usual banking, eBay and PayPal frauds, we detected a leap in phishing campaigns related to MasterCard, CNN and the Italian Postepay.
Emotet IoCs found in Q1 2020
- C:\ProgramData\F1BsrEvf.exe (and similar random strings)
- C:\Users\<USER>\739.exe (and similar random numbers)
- PE headers containing various half-sentences and text snippets involving “Trump”, “President”, “Romney”, “Mormon”, “Republican”, “Democrat”, “National”, “People” and other keywords related to the US political landscape.
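A defender-side triage check built from the two IoC shapes listed above and the political-keyword text snippets, as an added Python example that is not Avira's code. The path regexes (6-12 alphanumerics for the "random string", 2-5 digits for the "random number") and the three-keyword threshold are assumptions.

```python
import re

# Keywords the report says appear in Emotet PE header text snippets (Q1 2020).
POLITICAL_KEYWORDS = {
    "trump", "president", "romney", "mormon",
    "republican", "democrat", "national", "people",
}

# Path shapes from the report's IoC list, as constructed regexes (assumed bounds).
PROGRAMDATA_RANDOM = re.compile(r"^C:\\ProgramData\\[A-Za-z0-9]{6,12}\.exe$", re.I)
USER_NUMERIC = re.compile(r"^C:\\Users\\[^\\]+\\\d{2,5}\.exe$", re.I)


def path_matches_ioc(path: str) -> bool:
    """True if the drop path has one of the two shapes listed in the report."""
    return bool(PROGRAMDATA_RANDOM.match(path) or USER_NUMERIC.match(path))


def keyword_hits(strings):
    """Distinct report keywords found in printable strings pulled from a PE."""
    tokens = {w.lower() for s in strings for w in re.findall(r"[A-Za-z]+", s)}
    return sorted(tokens & POLITICAL_KEYWORDS)


def score_sample(path, strings, min_keywords=3):
    """Return the reasons a sample resembles this campaign (empty list = none).

    A path match alone is weak (installers also drop binaries in ProgramData),
    and 'national' or 'people' are ordinary English, so the keyword signal only
    fires on several distinct hits.
    """
    reasons = []
    if path_matches_ioc(path):
        reasons.append("drop path matches Q1 2020 Emotet IoC pattern")
    hits = keyword_hits(strings)
    if len(hits) >= min_keywords:
        reasons.append("PE text contains political keywords: " + ", ".join(hits))
    return reasons


# Constructed samples (not real Avira data) to exercise the checks.
SUSPICIOUS = score_sample(
    r"C:\ProgramData\F1BsrEvf.exe",
    ["Trump and Romney met the President", "Republican National Committee"],
)
CLEAN = score_sample(
    r"C:\Program Files\Vendor\app.exe",
    ["This program cannot be run in DOS mode", "National Instruments"],
)
```

Run the path check against process-creation or file-write telemetry and the keyword check against strings extracted from the dropped binary; a sample that trips both is worth a closer look.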
Learn more about new and novel malware in the research section of the Avira Insights blog, or find out how you can improve your own detection rates by using Avira’s anti-malware SDKs or threat intelligence.