Analysis of three malware families to help infosec pros

In the second half of last year three families of malware — LokiBot, TrickBot and Emotet — caused a lot of havoc at organizations around the world.

According to a new report on crimeware from Gigamon, which makes network security solutions, the trio were and still are “wildly successful in infiltrating enterprise networks and persisting.” So the company’s applied threat research team has done an analysis of the malware to help security teams better learn how to combat them.

Here’s a brief overview of the findings:

–LokiBot was the most prevalent crimeware in the first half of 2018, and number two in the second half. Around since 2015, it is now commodity malware sold on a number of underground websites for as little as US$80.

Popular among Nigerian threat actors, it steals login credentials and other private data (such as locally stored passwords and login credentials from several browsers, and cryptocurrency wallets) from infected machines. It’s often used as part of a business executive compromise scam, where a staff member is fooled into thinking a message asking for action comes from a higher-up.

–TrickBot is a banking trojan which shares a lot of code with the Dyre/Dyreza trojan. Over time it has used several deployment and obfuscation techniques.

–The biggest current threat is Emotet, which sprang out of nowhere to become the biggest malware threat by the end of the year. “CISOs should be concerned with Emotet’s ability to seek out and steal sensitive corporate information,” says the report. Its ability to move laterally through an organization and spread other malware, including ransomware, “should elevate concerns and mitigation efforts.”

It is often delivered through generic and targeted spear phishing campaigns using email with malicious Microsoft Word attachments or links. Emails often spoof a “From” header to fool recipients. Common themes of these messages relate to payroll, banking, invoices, overdue notices, and IRS/government, but also can carry a “US Holiday” header.

Interestingly, the report notes that the threat actor behind Emotet — so far — takes minimal effort to evade or disguise its capabilities. For example, it uses public freeware utilities, such as Outlook Scraper for scraping names from victims’ Outlook mailbox, to accomplish its goals. Similarly, Emotet’s communication with command and control servers is “noisy,” attempting to talk to C2 servers every couple of seconds. Organizations that don’t have deep network visibility will miss that.
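The kind of check that catches the “noisy” C2 traffic described above, as an added example that is not taken from this article or the Gigamon report: it flags host pairs in flow records that connect at short, near-constant intervals. The record layout, the sample addresses (documentation ranges) and the thresholds are assumptions to tune for a given network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # Host calling out roughly every 3 s with slight jitter (beacon-like).
    [(1000 + 3 * i + 0.1 * (i % 3), "10.0.0.5", "203.0.113.10", 8080)
     for i in range(20)]
    # Busy but irregular host: many connections, bursty human-driven timing.
    + [(t, "10.0.0.7", "198.51.100.20", 443)
       for t in (1000, 1001, 1002, 1010, 1011, 1030,
                 1031, 1032, 1050, 1051, 1052, 1060)]
)


def find_beacons(flows, max_interval=10.0, max_jitter=0.2, min_events=10):
    """Return sorted (src, dst, port, mean_interval) tuples for pairs that
    connect at least min_events times, on average no more than max_interval
    seconds apart, with near-constant spacing between connections."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_interval:
            continue
        # Coefficient of variation: a low value means machine-like regularity.
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, round(avg, 2)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, port, avg in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} about every {avg} s")
```

The irregular host is not flagged even though it connects often, because the regularity test, not the connection count, is what separates automated check-ins from ordinary browsing.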

It spreads laterally through brute-force attacks with stolen passwords. That could be detected, says the report, by a security team that has network visibility on east-west traffic.

Unlike Emotet, LokiBot so far doesn’t try to spread laterally through an organization. Its main goals are to install a keylogger, steal information from more than 100 applications and steal credentials from Microsoft Windows Credentials Manager.

TrickBot uses many of the same techniques as Emotet, says the report. In fact it’s often deployed through an Emotet infection. Typical delivery is done through spear-phishing email with XLS or DOC attachments that include malicious macros.

More recently it has added a point-of-sale reconnaissance module.

Like Emotet, so far it has little regard for stealth or evasion, seemingly “thumbing its nose at many enterprises’ lack of network detection capabilities,” says the report. And, like Emotet, it uses stolen passwords for brute force attacks to move laterally.

Gigamon calls these families unsophisticated, yet their high-volume attacks can move through a network and cause significant damage. Security teams need to leverage indicators to better detect them and reduce response time.

The full report has more details, including kill chains for each malware. Registration required.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
