New research based on attack data observed over the second half of 2018 (2H 2018) details the command-and-control and lateral-movement activity of three high-profile malware families that targeted large organizations in recent months: Emotet, LokiBot, and TrickBot.
Gigamon’s report is intended to increase the understanding of how the most prolific malware of 2018 traversed enterprise networks without detection.
The paper shows that Emotet campaigns soared in November and December 2018; the family accounted for 45.9% of the attacks observed across the entire second half of the year.
Emotet is a banking trojan that steals sensitive data by injecting malicious code into the networking stack of an infected endpoint, so that data can be captured and exfiltrated as it is transmitted. The malware can also inject itself into other software modules, perform denial-of-service attacks against other systems, and act as a downloader or dropper for other banking trojans.
While attackers leveraged many known network techniques that make detection fairly easy, their Emotet-centric campaigns also included significant changes and experimentation, researchers said.
LokiBot, another trojan designed to covertly siphon information from a compromised endpoint, represented 11.6% of samples observed in 2H 2018 and used the most diverse set of attachment types for initial infection.
LokiBot is both an information stealer and a keylogger, used mainly for credential theft. The malware had a fairly high success rate throughout 2018, illustrating that even simple threats can infiltrate enterprises with a poor network security posture.
“The network behaviors remain simplistic highlighting the clear value of pervasive network visibility,” researchers noted.
TrickBot, one of the newer banking trojans, represented 10.4% of attacks observed during 2H 2018, roughly the same share as in 1H 2018. The malware typically spreads via spam campaigns and specializes in harvesting emails and credentials, using the Mimikatz tool for credential theft. It is built from modules ("chunks") with specific tasks such as gaining persistence, propagating, and stealing data; a configuration file controls which modules are deployed, and how and when.
Notably, TrickBot has undergone periods of experimentation by those who control it, resulting in disparate deployment and obfuscation techniques that make detection harder. Because its tactics change continuously, TrickBot remained a prevalent threat to enterprises throughout 2018, researchers said.
“Emotet, LokiBot and TrickBot may all be considered common, high-volume malware; however, all three are wildly successful in infiltrating enterprise networks and persisting,” they added. “They pose significant damage potential and cost to organizations and take significant resources to respond to and remediate. The opportunity to learn from their success can lead security teams to a more mature and productive security strategy.”
According to the paper, all three malware families exhibit network activity and behaviors that can be detected rapidly given pervasive network visibility combined with an understanding of adversary methodologies gained through intelligence efforts.