Threat Management, Malware, Security Strategy, Plan, Budget

Emotet creators shift from banking trojan to threat distributor

Mealybug, the threat group behind the Emotet banking trojan, has evolved over the years from making its own custom malware to operating as a distributor for other threat groups.

It is unclear whether this is because Mealybug was finding it harder to make money exclusively from banking Trojans but researchers noted that banks increasingly using two-factor authentication has made it harder to compromise accounts by stealing credentials, according to a July 18 blog post.

Symantec researchers predict the firm is presumably taking a cut of the profits made by the threat actors who use its services.

The threat actors have been active since at least 2014 and have made a name for themselves with its custom Emotet trojan which is known for its self-propagating abilities which allow it to spread through networks and infecting victims without the need for them to click on a malicious link or download a malicious file.

Researchers also noted that the threat actors behind the trojan are evolving and refining their techniques and business models to maximized profits.

While the group's malware infrastructure is primarily known for spreading baking trojans it can in theory spread any threat as it can support any payload.

“The main component of Trojan.Emotet functions as a loader, and can theoretically support any payload,” researchers said in the post. “While it is still primarily known for distributing banking Trojans, it can in theory spread any threat, and there have been reports of it distributing the Ransom.UmbreCrypt ransomware.”

The threat actors were relatively quiet since 2015 until detection of the malware surged in the second half of 2017 when the group began targeting victims in Canada, China, the UK, and Mexico although now the group's targets are primarily in the U.S. using spambots.

Emotet has recently been used to spread the W32.Qakbot malware family.  The trojan's payload consists of a packed file containing the main component and an anti-analysis module which ensures it isn't running on a sandbox. The trojan will then launch either a PowerShell or JavaScript is used to download the trojan which then delivers the final packet payload file to the victim's machine.

The malware has the ability to brute force passwords as well as spread to additional computers using a spam module to generate malicious emails that are socially engineered to influence others to open them thus continuing the spread of the malware.

Some of these include a banking module to steal banking information, and email client Infostealer, a browser Infostealer module, and a PST Infostealer module.

Once on a machine the latest version of the malware moves itself to its preferred directory, creates a LNK file pointing to itself in the start-up folder, and collects victim machine information and sends it to the C&C server in order to download n and execute new malicious payloads.

The best way for companies to protect themselves against these threats is to emphasize the use of multiple, overlapping, and mutually supportive defensive systems as well as employ two-factor authentication, educate employees on cybersecurity best practices, and require everyone within an organization to have long, complex passwords which are frequently changed. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.