March 21, 2019 | Posted in Blue Teams and Purple Teams by Kyle Sheely
Chances are that if you’ve been affected by cybercrime in the past year, you’ve been the victim of a banking trojan. Proofpoint’s latest quarterly threat report notes that over half of all successful email-based attacks were propagated by banking trojans (meanwhile ransomware, once one of the greatest threats to enterprises, came in at a mere 0.1% of total attacks).
This is no coincidence. Unlike the obtrusiveness of most ransomware attacks, where the attacker makes money by getting the victim to pay for the return of their files, a banking trojan is much more pernicious: infected hosts contribute to identity theft by quietly siphoning off sensitive information and login credentials, all the while using the host’s computing power to mine cryptocurrencies and send out spam emails in the background.
A look at Emotet, one of the most prominent banking trojans of the past 18 months, gives insight into how advanced and destructive these attacks can be for an organization.
Emotet, also known as Geodo, has been around for almost five years and started off primarily self-distributed through attempts at brute-forcing user accounts. Attackers would try easily guessable passwords and those harvested from compromised sites that were sold or published on the dark web. Instituting password requirements, password rotation, and password lockouts was enough to thwart most early Emotet iterations. Recently, however, it has gained and maintained relevance by switching to phishing campaigns that use enticing emails and malicious payloads that resist detection and analysis.
An attack usually starts with a victim receiving an email from either a spoofed sender address or a compromised legitimate account. The email and its link or attachment are usually themed as something the user would want to click on because of its urgent (invoices, shipping notifications) or contextual (tax season, holiday season) nature. Recent iterations of these malspam emails carry a malicious link or a macro-enabled Word document; when the user clicks or enables it, it launches a PowerShell script that either downloads a malicious payload or runs one that has already been downloaded.
Emotet is largely resistant to signature-based detection because it is polymorphic, meaning it will change its code in slight but meaningful ways every time it is downloaded. Attackers will routinely change the IP addresses and domains that the links and attachments will reach out to, further evading detection solutions. It can also frustrate analysts looking to study the malware because if it senses that it’s in a virtual machine, it won’t download or execute its payload like it would in a normal environment.
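Because the hashes, IP addresses, and domains change with every campaign, a practical defensive control keys on the behaviour that the infection chain above cannot avoid: an Office application spawning PowerShell. The following is an added example written for this post, not SRA's own tooling; it runs that single behavioural rule over a few constructed, Sysmon-like process-creation records (the JSON layout, host names, user names and timestamps are all made up for the example).

```python
"""Added example: behaviour-based detection of the Office-to-PowerShell chain.

Illustration code written for this post, not SRA's tooling. It reads
constructed process-creation records (a simplified, Sysmon-like JSON layout
assumed for the example) and flags a PowerShell process whose parent is an
Office application, the lineage a macro-enabled document produces. The rule
inspects process lineage only, so the polymorphism and infrastructure
rotation described in the post do not affect it.
"""
import json
from dataclasses import dataclass
from typing import List

# Office applications a malicious document would be opened in (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts an Office macro typically launches (assumed list for this example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample log, one JSON record per line. Every value is made up;
# the second record is the only one matching the Office -> PowerShell chain,
# and the last line is deliberately malformed to exercise error handling.
SAMPLE_LOG = r"""
{"ts": "2019-03-21T09:12:01Z", "host": "ws-17", "user": "jdoe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n Invoice.doc"}
{"ts": "2019-03-21T09:12:09Z", "host": "ws-17", "user": "jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell.exe (arguments omitted)"}
{"ts": "2019-03-21T09:15:44Z", "host": "ws-02", "user": "admin", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"}
{"ts": "2019-03-21T09:20:03Z", "host": "ws-17", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "notepad.exe"}
{"ts": "2019-03-21T09:21:00Z", "host": "ws-17", "user": "jdoe", "image":
"""


@dataclass
class Alert:
    """One match of the rule: which parent spawned which child, where and when."""
    ts: str
    host: str
    user: str
    parent: str
    child: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawning_powershell(log_text: str) -> List[Alert]:
    """Return an Alert for every record whose parent is an Office app and whose
    image is a PowerShell host. Malformed lines are skipped rather than fatal,
    since a detection pipeline must keep running on dirty input."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            parent = basename(rec["parent_image"])
            child = basename(rec["image"])
        except (ValueError, KeyError):
            continue  # truncated or incomplete record: skip it
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], parent, child))
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawning_powershell(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user}: {a.parent} spawned {a.child}")
```

Run as a script it prints one line for the `ws-17` record, while the unrelated PowerShell launch from `explorer.exe` and the benign `notepad.exe` child of Word stay quiet. In production the same rule is typically expressed in an EDR or SIEM query language over real Sysmon Event ID 1 or Windows Security 4688 data; the point of the example is that lineage-based logic survives the hash and domain churn that defeats signature matching.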
Emotet is also modular in nature, meaning attackers are able to customize the payload and tailor their malware campaign to fit their particular goals. While it primarily delivers trojans that scrape credentials and mine Monero (a cryptocurrency that obscures the source, amount, and destination of its transactions), it is able to release a host of other attacks into an organization’s network, including ransomware. Once a system is compromised, however, most variants will look to establish persistence on the machine they are currently on, spread to more machines using captured credentials, and send out more malicious emails via the victim’s email accounts.
An organization affected by a banking trojan like Emotet could have its sensitive or proprietary information stolen or altered and could see disruption to its productivity, files, and reputation. In some cases the remediation of an incident caused by Emotet has cost upwards of $1 million (according to https://www.us-cert.gov/ncas/alerts/TA18-201A and https://www.infosecurity-magazine.com/news/allentown-struggles-with-1-million/).
Organizations can take measures to significantly reduce the chance of a successful Emotet phishing campaign. Here are some proactive steps that SRA recommends:
Emotet isn’t going away, but that doesn’t mean you have to fear it. By practicing common sense principles regarding email and web use, a phishing campaign can be stopped before a banking trojan reaches your network.