Analysis of three malware families to help infosec pros


In the second half of last year three families of malware — LokiBot, Trickbot and Emotet — caused a lot of havoc at organizations around the world.

According to a new report on crimeware from Gigamon, which makes network security solutions, the trio were and still are “wildly successful in infiltrating enterprise networks and persisting.” So the company’s applied threat research team has done an analysis of the malware to help security teams better learn how to combat them.

Here’s a brief overview of the findings:

–LokiBot was the most prevalent crimeware in the first half of 2018, and number two in the second half. Around since 2015, it is now commodity malware sold on a number of underground websites for as little as US$80.

Popular among Nigerian threat actors, it steals login credentials and other private data (such as locally stored passwords and login credentials from several browsers, and cryptocurrency wallets) from infected machines. It’s often used as part of a business executive compromise scam, where a staff member is fooled into thinking a message asking for action comes from a higher-up.

–TrickBot is a banking trojan which shares a lot of code with the Dyre/Dyreza trojan. Over time it has used several deployment and obfuscation techniques.

–The biggest current threat is Emotet, which sprang out of nowhere to become the biggest malware threat by the end of the year. “CISOs should be concerned with Emotet’s ability to seek out and steal sensitive corporate information,” says the report. Its ability to move laterally through an organization and spread other malware, including ransomware, “should elevate concerns and mitigation efforts.”

It is often delivered through generic and targeted spear-phishing campaigns using email with malicious Microsoft Word attachments or links. Emails often spoof the “From” header to fool recipients. Common themes of these messages relate to payroll, banking, invoices, overdue notices, and IRS/government, but they can also carry a “US Holiday” header.

Interestingly, the report notes that the threat actor behind Emotet — so far — takes minimal effort to evade detection or disguise its capabilities. For example, it uses public freeware utilities, such as Outlook Scraper for scraping names from victims’ Outlook mailboxes, to accomplish its goals. Similarly, Emotet’s communications with command and control servers are “noisy,” attempting to talk to C2 servers every couple of seconds. Organizations that don’t have deep network visibility will miss that.

It spreads laterally by brute-force attacks using stolen passwords. That could be detected, says the report, by a security team that has network visibility into east-west traffic.
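The two network-visibility checks the report points at (a host talking to the same external server every couple of seconds, and a host hammering one port on many internal peers) can be expressed as simple passes over connection logs. The code below is an added example, not from the Gigamon report; the log format, the sample traffic and the 10.0.0.0/8 internal range are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (assumed format "<epoch> <src> <dst> <dport>"): 10.0.0.5
# beacons to 203.0.113.7:8080 every 2 s, then probes SMB on six internal hosts;
# 10.0.0.9 is ordinary HTTPS traffic.
SAMPLE_LOG = "\n".join(
    [f"{1000 + 2 * i} 10.0.0.5 203.0.113.7 8080" for i in range(8)]
    + [f"{1100 + i} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(6)]
    + ["1003 10.0.0.9 198.51.100.4 443", "1240 10.0.0.9 198.51.100.4 443"]
)

def parse_flows(text):
    """Parse log lines into (ts, src, dst, port) tuples, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, dst, port = parts
            flows.append((float(ts), src, dst, int(port)))
    return flows

def find_beacons(flows, max_interval=5.0, max_jitter=0.5, min_hits=5):
    """Flag (src, dst) pairs contacted at short, regular intervals (noisy C2)."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    beacons = []
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if (len(gaps) >= min_hits - 1 and mean(gaps) <= max_interval
                and pstdev(gaps) <= max_jitter):
            beacons.append(pair)
    return beacons

def find_lateral_bruteforce(flows, port=445, min_targets=5, window=60.0):
    """Flag hosts that hit many distinct internal peers on one port in a window."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port and dst.startswith("10."):  # assumed internal range
            by_src[src].append((ts, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({d for t, d in events[i:] if t - t0 <= window}) >= min_targets:
                hits.append(src)
                break
    return hits
```

Thresholds are deliberately loose; in practice they are tuned against a baseline of the environment's own traffic so that legitimate pollers and management hosts do not trip them.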

Unlike Emotet, LokiBot so far doesn’t try to spread laterally through an organization. Its main goals are to install a keylogger, steal information from more than 100 applications, and steal credentials from Microsoft Windows Credential Manager.

TrickBot uses many of the same techniques as Emotet, says the report. In fact, it’s often deployed through an Emotet infection. Typical delivery is through spear-phishing email with XLS or DOC attachments that contain malicious macros.

More recently it has added a point-of-sale reconnaissance module.

Like Emotet, so far it has little regard for stealth or evasion, seemingly “thumbing its nose at many enterprises’ lack of network detection capabilities,” says the report. And, like Emotet, it uses stolen passwords in brute-force attacks to move laterally.

Gigamon calls these families unsophisticated, yet their high-volume attacks can move through a network and cause significant damage. Security teams need to leverage indicators to detect them sooner and reduce response time.

Click here for the full report, which has more details including kill chains for each malware. Registration required.
