For several years, Proofpoint researchers have been tracking the use of first-stage downloaders, which are used by threat actors to install other forms of malware during and after their malicious email campaigns. In particular, over the last two years, these downloaders have become increasingly robust, providing advanced profiling and targeting capabilities.
More importantly, downloaders and other malware like botnets and banking Trojans have displaced ransomware as primary payloads, giving threat actors the flexibility to deploy a range of malware in secondary infections. For example, one of the most prevalent, Smoke Loader, has been used extensively to drop payloads such as Ursnif and The Trick banking Trojans, as well as using its own modules for credential and other information and data-stealing, among other malicious functions.
Since late August 2019, Proofpoint researchers have been tracking the development and sale of a new modular loader named Buer by its authors. Buer has features that are highly competitive with Smoke Loader, is being actively sold in prominent underground marketplaces, and is intended for use actors seeking a turn-key, off-the-shelf solution.