A Threat-Delivery Service for Slacking Hackers?

What to do when you need to perpetrate a dramatic cyberattack, but you'd rather be eating tacos on the couch and watching Netflix? Hire a threat-delivery service (of course!). 

Whereas hacking was once an individual sport reserved for the motivated, times have changed. Mealybug, the threat group responsible for the trojan downloader known as Emotet, appears to have changed its tactics from 2014 (when its favorite pasttime was targeting the banking industry to steal credentials), according to a joint technical alert (TA) issued by three government agencies. These days, the group is hawking its malware to other attack groups to use as a distribution mechanism for their own threats.

While it seems to have fallen off of the radar of the security community, the Emotet trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” according to the July TA, which was issued by a consortium of the Multi-State Information Sharing & Analysis Center (MS-ISAC), the Department of Homeland Security (DHS), and the National Cybersecurity and Communications Integration Center (NCCIC).” Emotet infections have cost SLTT governments up to $1 million per incident to remediate,” the report said.

The group appears to have both expanded the trojan’s capabilities and its targets to become what threat researchers call an “end-to-end service for delivery of threats.” For example, earlier this year, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.

An Analytic Story in the September 27th release of the Splunk Enterprise Security Content Update (ESCU) app can help you detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet (or similar types of malware) has compromised your environment. 

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities. So download the Splunk ESCU app today!

The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.

Join the Discussion