Much of the threat research from leading security vendors over the past several months indicates that banking Trojan malware is on the rise. The vast majority of those attacks activate via phishing emails, which experts say have confounded efforts by many companies to raise security awareness.
In June, Check Point’s Global Threat Index reported that over the preceding four months, banking Trojans had increased their global impact by 50 percent. Among Trojan malware types, the Dorkbot and Emotet variants posed the primary threat.
Dorkbot — a banking Trojan that steals sensitive financial information and launches denial-of-service attacks — affected 7 percent of all organizations around the world. Check Point also reported the rise of Emotet, a banking Trojan that steals financial account credentials while using the victim’s infected machines to spread.
Check Point’s reporting runs in line with research from Proofpoint, which found that for the first time since the second quarter of 2016, banking Trojans displaced ransomware as the top malware delivered via email. Proofpoint found that banking Trojans accounted for nearly 59 percent of all malicious email payloads in the first quarter of 2018, research that was confirmed by its second-quarter reporting as well.
According to Proofpoint, Emotet was the most widely distributed banking Trojan, accounting for 57 percent of all banking malware attacks and 33 percent of malicious payloads overall.
How Emotet Works
Because Emotet can self-propagate, it presents a real challenge for businesses, according to Symantec. Network worms are having a bit of a renaissance, including WannaCry (Ransom.Wannacry) and Petya/NotPetya (Ransom.Petya). Because these worms spread across networks, victims can become infected without clicking on a malicious link or downloading an infected attachment. Once it’s on a computer, Emotet downloads and executes a spreader module that contains a password list it uses to access other machines on the network.
Emotet’s method of self-propagation — brute-force password attempts — has added potential to cause major headaches for companies because the multiple failed login attempts it creates can lock users out of their network accounts. This increases calls to the IT help desk and reduces productivity.
Along with brute-forcing passwords, Emotet can spread to additional computers using a spam module that it installs on infected machines. The module generates emails that use standard social engineering techniques and typically contain subject lines such as “Invoice.” Subject lines might also include the name of the person whose email account has been compromised to make it seem less like spam. The emails typically contain a malicious link or attachment that, if launched, will infect the system with Trojan.Emotet.
The Qakbot Threat to the Banking Sector
Symantec reports that since February 2018, Emotet has also been used to spread W32.Qakbot, a family of banking Trojans known for behaving like network worms. Much like Emotet, Qakbot can self-propagate, using brute-force access attempts to spread across networks. It also uses PowerShell to download and run Mimikatz (Hacktool.Mimikatz), an open-source credential-stealing tool that lets attackers move rapidly across a network once they have established a foothold.
Because Emotet and Qakbot are self-spreading, once they get onto a network they can expand aggressively. A spike in Qakbot detections by Symantec in February 2018 indicated that double-spreading was taking place: While the threat group Mealybug used Emotet to spread Qakbot across networks, Qakbot was simultaneously using its own self-spreading capabilities. As a result, users were locked out of their accounts.
5 Ways Banks and Financial Institutions Can Prevent Trojans
- Protect against single points of failure: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against a single point of failure. That includes deploying endpoint, email and web gateway protection technologies, as well as firewalls and vulnerability assessment products. Always keep these security products updated with the latest protection features.
- Deploy two-factor authentication: This additional layer of security can prevent any stolen or cracked credentials from being used by bad threat actors.
- Create a security awareness culture: Offer security awareness training to educate employees and urge them to be cautious when opening emails from unfamiliar sources or clicking on attachments that haven’t been approved by IT. Schedule weekly, monthly and quarterly follow-ups to reinforce the initial training.
- Use more complex passwords: Require everyone in the company to use long, complex passwords that are changed frequently (at minimum, every 30 to 45 days). Teach users not to set the same passwords for multiple websites. Make it a policy that users don’t share passwords with their colleagues — or with anyone, for that matter.
- Build a robust email defense: Use a tool that identifies and quarantines both inbound email threats that target employees and outbound threats that target customers before messages reach the inbox. Preventing email fraud requires a multilayered solution that includes email authentication and domain discovery. It should also have dynamic classification that can analyze the content and context of emails, stopping display-name and look-alike domain spoofing at the email gateway. Finally, look for a comprehensive social media security tool that scans all social networks and reports fraudulent activity.