The Panda banking Trojan, used to steal money from organizations worldwide, is now being distributed through the Emotet threat platform. According to researchers from Cylance, Panda Banker, a variant of the Zeus banking malware, is still an active threat more than two years after its discovery. The Zeus spin-off is used in targeted phishing attacks conducted over email, as well as in attacks launched via exploit kits including Angler, Nuclear, and Neutrino. Attackers using the malware often embed the malicious code in crafted Microsoft documents designed to deploy the payload through macros. Once Panda Banker has compromised a victim machine, the malware connects to a command-and-control (C2) server and sends it information including the OS version, latency, local time, computer name, details of any installed antivirus software, and which firewalls are in operation.
The Emotet Trojan, a thorn in the side of financial institutions and ordinary individuals alike, is back with new techniques and an upsurge in attacks. According to researchers from Menlo Security, since mid-January 2019 Emotet has been used in a rapid stream of campaigns that have evolved to infect even more systems. Emotet was first discovered back in 2014 and is now considered one of the most destructive and insidious financial Trojans in existence. Once known simply as an individual, self-propagating Trojan with little to recommend it, the malware has in recent years been turned by the threat actors behind it, dubbed Mealybug, into the basis of a malware-as-a-service business -- pivoting it into a threat distribution platform available to other cyberattackers. The modular Emotet software now usually acts as a distribution and packing system for other malicious payloads, but it is also able to brute-force computer systems, generate Business Email Compromise (BEC) messages from compromised accounts for use in spam campaigns, create backdoors, and steal financial data.
Microsoft has appealed to enterprise customers to help stamp out the Qakbot and Emotet banking trojans, which have adopted techniques used by WannaCry to spread on corporate networks. Banking trojans have for the most part been designed for stealth, helping operators steal credentials -- predominantly from consumers -- without setting off alarms that could lead to detection. But the cybercriminals behind banking trojans are testing techniques used by their noisy extortionist cousins in the ransomware industry. In particular, Qakbot and Emotet have adopted the exploits that helped the WannaCry and NotPetya ransomware spread rapidly inside networks using the file-sharing protocol Server Message Block (SMB). Microsoft has set out the Qakbot and Emotet attack kill chain.
A notorious malware family that has been on a resurgent path since last year received a major update this week that will send shivers down any organization's back. According to a report from Kryptos Logic shared earlier today with ZDNet, the Emotet malware family started mass-harvesting full email messages from infected victims yesterday. The Emotet group has been around since 2014, when it first started spreading the first version of its malware, which worked as a full-on banking trojan. This banking trojan was never a massive threat and slowly died out over the next three years, until the summer of 2017, when the Emotet gang revamped their code and turned the original Emotet banking trojan into a modular malware family used primarily to infect users and then deliver secondary payloads for other criminal groups -- in a classic pay-per-install scheme. Ever since last summer, Emotet has been growing, and growing, and growing -- both in capabilities and in the number of victims it has infected.
Trojan malware attacks against business targets have rocketed in the last year, as cyber criminals shift their tactics away from short-term gain and in-your-face ransomware attacks towards more subtle, long-term campaigns aimed at stealing information including banking details, personal data and even intellectual property. Figures from security company Malwarebytes Labs in a new report suggest that trojan and backdoor attacks have risen to become the most detected against businesses, and the number of trojan attacks has more than doubled in the last year, increasing by 132 percent between 2017 and 2018, with backdoors up by 173 percent. Malwarebytes classifies trojans and backdoors separately, describing a trojan as a program "that claim to perform one function but actually do another". Meanwhile, a backdoor is defined as "a type of trojan that allows a threat actor access to a system by bypassing its security" and gaining access to systems undetected. Attacks using spyware -- malware that gathers information on a device and sends it to a third-party actor -- have also jumped hugely, up by 142 percent in the same period. "When you say spyware, people think of how it's been around for a decade or more and it's old and boring -- but it's really effective and it's really come back into fashion with the rise in attacks on businesses and a thirst for data exfiltration," Chris Boyd, lead malware intelligence analyst at Malwarebytes, told ZDNet.