Emotet and Trickbot

Next generation malware has flipped today’s threat landscape on its head. The wormable nature of new threats makes removal extremely difficult with reinfection often occurring moments after a system is cleaned. Emotet and Trickbot are two trojans that recently resurfaced and are two of the heavy-hitting threats in the malware world.

In order to explain what Emotet and Trickbot are and how they work, you’ll need to understand the basics of malicious software such as:

  • Trojan: A malicious piece of software disguised as another, legitimate piece of software. Computer users are tricked by social engineering into downloading and executing trojans on their systems. Once downloaded, the trojan begins to install malware on the device.
  • Worm: Malicious software whose primary purpose is to spread to other computers without human intervention. Worms are self-replicating and stay active on systems while continuing to spread across the network.
  • Polymorphic malware: A type of malware that constantly changes its identifiable footprint in order to evade detection by computer users or antivirus software.

What is Emotet?

Emotet is a banking trojan whose primary function is to act as a “dropper” for other banking trojans; once successfully installed, it downloads and installs other trojans onto a system. Its worm-like capabilities make it one of the most costly and destructive pieces of malware.

Emotet has 3 main goals:

  • Infect as many systems as possible.
  • Send malicious emails to infect other organizations.
  • Download and execute malware payload.

The Department of Homeland Security issued this security alert in July 2018:

“Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.”

Emotet is polymorphic in nature, meaning it evades signature-based antivirus detection. Emotet can also receive software updates from the attackers. Since its discovery in 2014, there have been numerous new versions of Emotet, each more devastating and advanced than the last. The newest variation of Emotet was discovered in December 2019.

What is TrickBot?

In most cases, TrickBot is a secondary, more sophisticated infection installed by Emotet. In fact, in 2018, Trickbot was the top-ranked threat for businesses. Trickbot is the payload in this theoretical one-two punch, with additional recorded payloads including other banking trojans and ransomware. Discovered in 2016, Trickbot is in direct competition with Emotet in the virtual race to steal as much information as possible.

Trickbot shares several similarities with Emotet; however, its primary goal is to steal money or financial information by accessing online banking and PayPal accounts. Unlike Emotet, Trickbot can:

  • Brute-force usernames and passwords.
  • Harvest credentials during user login.
  • Exploit the SMB vulnerability that was originally used by the WannaCry ransomware.
  • Deploy different attack types at will, such as propagating across the network, stealing credentials, encrypting files, and dropping other pieces of malware such as Ryuk ransomware.

This advisory was released by the UK’s Cybersecurity Center in September 2018:

“Trickbot is reported to have a range of malicious capabilities, including the ability to:

  • Steal sensitive information, including banking login details and memorable information, by manipulating web-browsing sessions.
  • Gather detailed information about infected devices and networks.
  • Steal saved online account passwords, cookies and web history.
  • Steal login credentials for infected devices.
  • Connect infected devices to malicious and criminally controlled networks over the Internet.
  • Spread by infecting other devices on the victim’s network.
  • Download further malicious files such as Remote Access Tools, VNC clients, or ransomware.”

Preventative Actions

Once a compromise occurs, Emotet and Trickbot are difficult to remove from systems and networks. Taking steps to prevent infection should be every organization’s top priority. The first of these prevention steps should be social engineering awareness and training for all employees. Emotet and Trickbot are primarily spread through phishing emails as malicious attachments or links. Oftentimes, the email will contain tempting language regarding a payment, invoice, or shipping status from a familiar company. 

Other prevention steps include:

  • Keep all software and patches up to date.
  • Know the proper procedure for handling phishing emails.
  • Avoid the use of privileged accounts for everyday work.
  • Avoid storing passwords in plain text.
  • Keep RDP sessions open only when necessary.
  • Enforce a strong password policy and enable 2FA (two-factor authentication).
  • Disable unnecessary shared folders, and change the default share folder names if shares are used.
  • Disable macros across the board.
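As an added example (not from the original article), the following read-only PowerShell audit checks several items from the list above on a single Windows host: the Office macro policy, whether RDP is enabled, whether SMBv1 (the protocol behind the WannaCry-era SMB exploit) is still on, which non-administrative shares exist, and what sits in the auto-start Run keys the DHS alert names as a persistence location. The Office version key `16.0` and the expectation that macro policy is set through the HKCU Policies hive are assumptions that may differ in your environment.

```powershell
# Added example, not code from the original article. Read-only audit of the
# prevention items above; run in an elevated PowerShell session on the host.
$findings = @()

# 1. Office macro policy. VBAWarnings = 4 means "disable all macros without
#    notification". The 16.0 version key is an assumption for your Office build.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($val -ne 4) {
        $findings += "Macros not fully disabled for $app (VBAWarnings = '$val', expected 4)"
    }
}

# 2. Remote Desktop. fDenyTSConnections = 1 means RDP connections are refused.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 1) {
    $findings += "RDP is enabled (fDenyTSConnections = $($ts.fDenyTSConnections))"
}

# 3. SMBv1 server support, the protocol version abused by the WannaCry-era exploit.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
}

# 4. Non-administrative shares. Admin shares (C$, ADMIN$, IPC$) are marked Special.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $findings += "Non-admin share present for review: $($_.Name) -> $($_.Path)"
}

# 5. Auto-start Run keys: list entries so unexpected persistence can be reviewed.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings += "Run entry [$rk] $($_.Name) = $($_.Value)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: audited settings match the prevention list.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run entries and shares are listed rather than judged, since what is legitimate differs per host; the macro, RDP and SMBv1 checks are strict pass/fail against the list above.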

If you need help with employee cyber security awareness training or are looking for the extra email security Outlook can provide, contact us today!