Banking malware finds new life spreading data-stealing trojan

Mealybug hacking group is selling Emotet as a means for other gangs to deliver their attacks - for a profit.
Written by Danny Palmer, Senior Writer

The group behind a notorious banking trojan has expanded its operations and is now offering to deliver other forms of malware on behalf of other attackers.

The Mealybug hacking operation has been active since at least 2014 and is known for its custom-built Emotet trojan, a form of self-propagating malware which has mostly targeted banking customers across Europe.

But Mealybug has now changed its approach to cyber crime, shifting towards using Emotet as a delivery channel through which other groups steal information. The US is by far the biggest market for this malicious activity, accounting for 90 percent of detections.

The evolution of Emotet from banking trojan to distributor of threats for other malicious actors has been detailed by researchers at security company Symantec, who have been monitoring its activity.

Emotet arrives via a phishing email containing a malicious link or a malicious document which is used to download the payload.

After establishing itself on a machine, the malware can be used to download new payloads from a command-and-control server - as opposed to previous activity which would see Emotet harvest banking credentials for itself.

Once on a network, Emotet can also spread to other machines by brute-forcing access to them, trying passwords from a list embedded in the malware.

Emotet can also send spam emails containing fake invoices and other common business documents to other users on the network; these often carry the name of the infected user in an effort to look more genuine.

Since February, Mealybug has been using its infrastructure to spread a different banking trojan as a service: Qakbot. This trojan is similar to Emotet in that it can spread across networks via the use of brute-force attacks, but also uses PowerShell to download and run open-source tools for the purposes of stealing credentials in order to quickly move across the network.
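The password-list spreading described above (for both Emotet and Qakbot) leaves a recognisable trace in authentication logs: one internal host failing against many accounts or many peers within seconds, sometimes followed by a success that marks the new foothold. The detector below is an added example written for this article, not code from Symantec or from the malware; the log lines are constructed, and the whitespace-separated format (timestamp, source host, target host, account, result) is a simplified stand-in for a logon-failure feed rather than any real vendor schema.

```python
"""Flag hosts whose failed logons fan out across many accounts or targets in a
short window, the pattern left by a malware password-list spreader.

Added example for this article. The event format and sample lines are
constructed for illustration; they are not a real log schema or capture."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp source_host target_host account result
SAMPLE_LOG = """\
2018-07-18T09:00:01 WS-17 FS-01 admin FAIL
2018-07-18T09:00:02 WS-17 FS-01 administrator FAIL
2018-07-18T09:00:02 WS-17 FS-01 backup FAIL
2018-07-18T09:00:03 WS-17 FS-02 admin FAIL
2018-07-18T09:00:03 WS-17 FS-02 test FAIL
2018-07-18T09:00:04 WS-17 WS-03 admin FAIL
2018-07-18T09:00:05 WS-17 WS-03 guest FAIL
2018-07-18T09:00:06 WS-17 WS-03 backup SUCCESS
2018-07-18T09:01:00 WS-22 FS-01 jsmith FAIL
2018-07-18T09:01:30 WS-22 FS-01 jsmith SUCCESS
2018-07-18T09:10:00 WS-05 FS-02 mjones FAIL
"""


def parse_line(line):
    """Parse one constructed event line into a dict (assumed format, see above)."""
    ts, src, dst, account, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "account": account, "ok": result == "SUCCESS"}


def find_spreaders(log_text, window=timedelta(minutes=5),
                   min_accounts=5, min_targets=3):
    """Return {source_host: summary} for hosts whose failed logons inside any
    sliding window of `window` hit at least `min_accounts` distinct accounts
    or `min_targets` distinct target hosts. The summary also lists successful
    logons from the same host shortly after the spray: the likely foothold."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            # All failures from this host within `window` of the current one.
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            accounts = {e["account"] for e in in_window}
            targets = {e["dst"] for e in in_window}
            if len(accounts) < min_accounts and len(targets) < min_targets:
                continue
            end = in_window[-1]["ts"]
            later_ok = [(e["dst"], e["account"]) for e in evs
                        if e["ok"] and start["ts"] <= e["ts"] <= end + window]
            alerts[src] = {"accounts": len(accounts), "targets": len(targets),
                           "successes_after": later_ok}
            break  # one alert per source host is enough
    return alerts


if __name__ == "__main__":
    for host, summary in find_spreaders(SAMPLE_LOG).items():
        print(host, summary)
```

In the constructed sample, WS-17 trips both thresholds within five seconds and then authenticates to WS-03 as `backup`, which is exactly the host-to-host hop a responder would want to isolate first; WS-22's single mistyped password is ignored. The thresholds are starting points, not tuned values, and on a real estate they need to sit above the noise from scanners, service accounts and helpdesk password resets.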


Given that there is no overlap between the command-and-control infrastructure of Qakbot and Emotet, and that the two use different anti-debugging techniques, researchers suggest that Mealybug is providing only the delivery mechanism for Qakbot: the group does not control the delivered payload. It is highly likely that Mealybug is charging for this illicit service.

"Emotet functions as a loader, to get payloads onto a machine, and it can theoretically support any payload so it is being used to deliver Qakbot. We assume Mealybug is making its money by taking a cut of the profits made by the threat actors, like Qakbot, who use its services," a Symantec spokesperson told ZDNet.

Historically Emotet has not been especially widespread, with the banking trojan targeting a relatively small number of victims at a time, but that has now changed: the criminal group behind it appears willing to offer its services to others in a more open fashion.

It may be that banking trojans, the group's speciality, are no longer as lucrative as they once were, hence the shift towards providing Emotet as a delivery mechanism for other payloads.

"It appears Mealybug has decided that it can best maximize its returns through taking a role as distributor. It may be that Mealybug was finding it harder to make money exclusively from banking Trojans so it had to change its approach," said Symantec, in an email.

"The growth in popularity, and use by banks of, two-factor authentication (2FA) has made it more difficult to compromise accounts by stealing credentials, and awareness and protection has also improved as online banking has matured," they added.

Best practices recommended by Symantec to avoid falling victim to Emotet include deploying 2FA, so that cracked or stolen credentials cannot be used on their own by attackers, and training employees to be cautious about opening unsolicited email attachments.
