Two banking Trojans resurged in a span of five days: EMOTET and Trickbot, detected by Trend Micro as TSPY_EMOTET and TSPY_TRICKLOAD, respectively. These banking malware are distributed through socially engineered malicious spam and phishing emails. Security researchers also noted the capabilities and techniques used, including its worm-like propagation, dropping additional malware into the affected machine, and mimicking the banks’ domains.
EMOTET first emerged in 2014 targeting customers of German banks. Unlike other banking malware that employed malicious field insertions/phishing pages to steal banking information, EMOTET was capable of “sniffing” the data sent over network connections. This feature allowed attackers to bypass secure connections like HTTPS and evade traditional detection techniques. In December 2016, Trend Micro observed its reappearance in the same region, along with old but familiar information stealers DRIDEX and ZeuS/ZBOT.
The latest resurgence of EMOTET also entailed dropping DRIDEX as additional payload. Malicious links in the spam email will redirect would-be victims into a domain hosting a Word document embedded with Visual Basic code that triggers a PowerShell script. This script will download and execute EMOTET and other payloads, the most common of which is DRIDEX, from various attacker-owned domains.
Trickbot is a banking Trojan that sends users banking-related website pages that almost look like the real thing. An iteration of older malware DYRE/Dyreza, Trickbot is also distributed via malicious spam containing HTML attachments. These HTML files download a Word document masquerading as a login form. It’s actually embedded with a malicious macro that retrieves Trickbot from the cybercriminals’ command and control (C&C) server when enabled.
Trickbot’s operators have been observed actively pushing the malware through various spam email campaigns. The first campaigns this year were observed last April and July, targeting financial institutions and their customers in the US, UK, Australia, Switzerland, and Germany.
The mobile platform is also not immune. Android banking malware Bankbot (ANDROIDOS_BANKERSMS.OPS) resurfaced early this year, initially targeting Russian users via third-party app marketplaces. Now, it has more than 420 financial institutions in its list of targets, including those in Austria, France, Austria, the Netherlands, and Turkey. Bankbot was built from the source code of another banking Trojan that was leaked and fine-tuned by Bankbot’s operators.
This Android malware isn't just capable of stealing banking credentials and credit card data information; it also monitors and intercepts text messages, which enables the bad guys to bypass verification methods like two-factor authentication. It's also capable of mining credit card data stored in apps installed on the device, like Facebook, WhatsApp, Google Play, and Uber. In mid-April and late July this year, several Bankbot-infected apps made their way into Google Play, posing as video or online banking apps. The said apps have since been taken down.
The spate of campaigns that deliver information stealers reflect how hackers value personally identifiable information. This is especially true for financial data, as these can be used not only for emptying bank accounts, but also as tradeable commodities in the cybercriminal underground. In 2016, fraud and identity theft have cost businesses and end users over US $16 billion in losses.
While these threats still rely on old tactics such as the use of macros and spam messages, they are compounded with techniques that provide stealth. Case in point: the increasing use of vectors that aren’t typically used to deliver malware, such as HTML files or legitimate system administration tools like PowerShell. EMOTET and Trickbot’s self-replication capability also seems to draw inspiration from the notorious WannaCry and Petya outbreaks.
How can enterprises and end-users avoid or defend against these threats? Follow best practices for defending against phishing attacks. An attacker has a lot to gain with just a single typo. Identify the tell-tale signs of malware gone phishing: the sender’s name, email address, URL/domain, grammar and spelling errors, unsolicited request for personal information. Employ strong security policies to your organization’s email gateway and ensure that your network infrastructure can filter, validate, and block malicious traffic like anomalous data exfiltration.
Trend Micro Solutions
Trend Micro™ InterScan™ Messaging Security stops email threats in the cloud with global threat intelligence, protects your data with data loss prevention and encryption, and identifies targeted email attacks, ransomware, and APTs as part of the Trend Micro™ Network Defense Solution. The hybrid SaaS deployment combines the privacy and control of an on-premises virtual appliance with the proactive protection of a cloud-based pre-filter service.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like the above mentioned zero-day attacks even without any engine or pattern update.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach your network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play). Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).