The rise in popularity of the Remote Access Trojan, or RAT, among financially motivated threat actors tracked by Proofpoint researchers, was a key highlight in 2019, which continues to gain popularity in 2020. 

According to a Proofpoint report, which analyzes RAT threats throughout 2019, actors that gained an affinity for RATs in 2019 include the highly prolific TA505, which introduced the FlawedGrace RAT along with a new backdoor, ServHelper, in early January last year and continued distributing RATs using two new downloaders, AndroMut and Get2, as well as a new RAT, SDBbot, over the summer. TA516, who can be viewed as a barometer for threat actor trends given the diversity of their malware payloads, spent a large portion of Q2 and Q3 2019 distributing Remcos RAT campaigns and ended its year with a new Remcos campaign on December 31, says Proofpoint. 

In Q1 2019:

  • TA505 started off in early January with a new backdoor, ServHelper, which was used to distribute the FlawedGrace RAT among other types of malware.
  • In February, Proofpoint researchers reported on phishing lures that mimicked job opportunities being used to distribute the More_eggs backdoor, which in turn, often downloaded RATs and other Trojans and stealers as secondary payloads.
  • In March, Proofpoint researchers reverse-engineered the configuration of Nymaim, an evolving downloader which has been used by numerous threat actors to download secondary payloads and to install its own modules for additional functionality.
  • Additionally, in March, Proofpoint researchers revealed the nature of the server-side components of Danabot, a popular banking Trojan that is offered as a “Malware-as-a-Service.”

In Q2 2019:

While traditional tried and true methods of creative phishing lures, credential dumps and exploiting legacy email protocols and APIs proved to continue to be effective TTPs for threat actors in Q2 of 2019, malware continued to evolve as well, say researchers at Proofpoint. In addition, RATs such as Netwire were used in tax-themed phishing email campaigns targeting financial organizations, and stealers such as KPOT continued to evolve with new features such as zero-persistence and in-memory execution to silently exfiltrate user credentials.

In Q3 2019:

  • The third quarter of 2019 was a particularly busy one, especially for the distribution of RATs and sophisticated multi-function, modular malware, says the report. In early July, TA505 returned with a new loader, AndroMut, in order to distribute the FlawedAmmy RAT.
  • In July and August, Proofpoint researchers observed the Chinese APT group, “Operation LagTime IT” targeting government IT agencies with the Cotx RAT, while another actor group used the so-called LookBack malware was used to target the utilities vertical in the United States. Lookback features a RAT module among other multi-function capabilities.
  • In September, PsixBot appeared with new sextortion capabilities, including the ability to capture on-screen video of a victim’s desktop based on keyword triggers, such as those used by adult content sites. 

In Q4 2019:

  • In October, TA505 doubled down on RAT distribution, with the introduction of SDBbot, which was paired with Get2, a new downloader that was also used in September to distribute the FlawedAmmy and FlawedGrace RATs.
  • In November, TA2101, a new threat actor on Proofpoint’s radar, was observed using stolen branding of German, Italian and U.S. government organizations in order to distribute Cobalt Strike, penetration testing software that is frequently abused as multifunction malware.
  • In December, Buer, a new downloader, appeared in an underground marketplace for sale to Russian-speaking threat actors, with a broad feature set that includes containerized installation and a user-friendly control panel. 

In 2019, tactics, techniques and procedures (TTPs) that exploited the Human Factor such as phishing lures and other forms of social engineering continued to be the primary threat to organizations worldwide, says Proofpoint. Robust malware such as banking Trojans like Ursnif and modular bots like Emotet were still the overall volume leaders among malware tracked by Proofpoint researchers. However, based on activity observed throughout the past year, even more, full-featured malware like RATs and backdoors are becoming increasingly common, concludes the report. 

For more information, visit