Q1 2020 Malware Threat Report

Avira Protection Labs, 4 months ago 2 min read

Our previous malware threat report highlighted the increases – and decreases – in threats and exploits that made their mark between Q3 2019 and Q4 2019. This edition highlights cyber threats and exploits observed by the Avira Protection Labs team in the first quarter of 2020. This report focuses on a growing trend that includes, phishing and malspam campaigns, and a surge in Emotet related attacks.

More than 320 million new threats detected and blocked

Although the global pandemic has disrupted our lives, it has created a platform for phishing and malspam campaigns. While we do not see any new malware families that can be linked solely to the Coronavirus, many threat actors leverage established malware such as Nanocore, Hawkexe or MortyStealer. Here is a detailed dive into Covid-19 threats.


In the first quarter of 2020, Avira Protection Labs identified nearly 14 thousand new and unique samples of the banking trojan ‘Emotet’. In the most recent quarter, we saw 9 times more Emotet related attacks compared to Q4 2019. Samples found at the beginning of the year used a chain of Office macros, WMI (Windows Management Instrumentation) and Powershell. However, newer variants of Emotet found in February 2020 moved away from Powershell, instead triggering the malware payload directly via WMI. Malware authors commonly attempt to hide Emotet from detection by AV scanners. They do this by compiling the payload into publicly available projects such as open GitHub repositories. The resulting PE file is very similar to a clean version without the Emotet payload. After February, Emotet attacks reduced, only providing updates to infected hosts, and no new malware email campaigns.

General Malware

In Q1 2020 attacks mainly consists of general Malware, such as trojans, worms and fileinfectors. These, together with other malware categories include, rootkits and dialers make up about 2/3rds of total detections. PUA and Adware form the next big block with about 1/4th of the total detection. The rest is made up of script and Office malware, exploits, mobile threats and coin miners. The biggest growth category compared to last quarter is PUA where detections increased by nearly 20%.

For the first time since 2018 we saw a quarter on quarter growth in coin-miner detections. However, absolute numbers do not compare to the explosion in coin-miner we saw in 2017/2018, as it is far less lucrative today. Another interesting development was seen in the phishing category where phishing attacks grew tremendously. Besides the usual banking, eBay and PayPal frauds, we detected a leap in phishing campaigns related to MasterCard, CNN and the Italian Postepay.

Emotet IoCs found in Q1 2020

  • W97M/Dldr.Emotet.*
  • TR/AD.Emotet.*
  • 10a3e965ac9cdfa65e529c66be67ed84de617ec36f95f22ae1ddf43f9c46fe8f
  • f0fb34923074ff390ccf29cf660272c040658f9cb4a0eb106d2963b2448e2d3d
  • 2326f8446b92e4bcb5349a992244f599708d79d3d103c72cc9b34711dfbe9c11
  • 249.63.138
  • 209.200.220
  • 236.16.165
  • 192.90.148
  • C:\ProgramData\F1BsrEvf.exe (and similar random strings)
  • C:\Users\<USER>\739.exe (and similar random numbers)
  • PE headers containing various half sentences and text snippets involving “Trump”, “President”, “Romney”, “Mormon”, “Republican”, “Democrat”, “National”, “People” and other key words related to the US political landscape.

Learn more about new and novel malware in the research section of the Avira Insights blog, or find out how you can improve your own detection rates by using Avira’s anti-malware SDKs or threat intelligence.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.
Q1 2020 Malware Threat Report

Avira Protection Labs

Protection Lab is the heart of Avira’s threat detection and protection unit. The researchers at work in the Labs are some of the most qualified and skilled anti-malware researchers in the security industry. They conduct highly advance research to provide the best detection and protection to nearly a billion people world-wide.

You might like


The evolution of Mirai into HolyMirai

The evolution of Mirai into HolyMirai

We present a study of the core similarities, differences, and evolution of the original Mirai and its new variant, HolyMirai.

8 months ago 6 min read

Capesand. The revival of exploit kits.

Capesand. The revival of exploit kits.

In this blog we are taking a brief look at the background of exploit kits, but mainly focusing on reversing NJcrypt which is a loader for njRAT.

8 months ago 7 min read