Experts On Report: Cofense Malware Trends Report Shows Heavy Use Of Macro-enabled Documents For Malware Delivery

Cofense has released release its Q4 2019 Malware Trends report, shedding light on the malware families, delivery methods and campaigns that dominated the past quarter.

Q4 2019 demonstrated an overall decrease in malware volume, as Emotet (also known as Geodo) overtook the limelight and threat actors scaled down for the holidays.

The information stealer Loki Bot edged out once abundant Agent Tesla keylogger from its top spot as the most prevalent non-Emotet malware, demonstrating perpetual lead changes between the two. Less-experienced threat actors have likely favored Loki Bot over its competition thanks to easy deployment and low maintenance, enabling more distribution with less effort.

Using macro-enabled documents for malware delivery accounted for a sizeable portion of malware phishing emails, predominantly as part of Emotet campaigns. Unlike Q3 2019, threat actors diminished the use of CVE-2017-11882 to enable further payloads, which typically involves a malicious Rich Text Format (RTF) or Excel Spreadsheet file that downloads or executes another malware such as Loki Bot or HawkEye Keylogger.

Globally, Command and Control (C2) servers for malware related to phishing campaigns stood fast, as the United States continued to account for a sizable portion at over 40%. The U.S. grew by 6% while Russia fell by 4% in total C2 distribution. Germany, France, and the UK trailed behind in malware delivery or command.

The full report can be found here: https://cofense.com/wp-content/uploads/2020/01/Q4-2019_Malware-Trends.pdf