A Threat-Delivery Service for Slacking Hackers?

What to do when you need to perpetrate a dramatic cyberattack, but you'd rather be eating tacos on the couch and watching Netflix? Hire a threat-delivery service (of course!). 

Whereas hacking was once an individual sport reserved for the motivated, times have changed. Mealybug, the threat group responsible for the trojan downloader known as Emotet, appears to have changed its tactics from 2014 (when its favorite pastime was targeting the banking industry to steal credentials), according to a joint technical alert (TA) issued by three government agencies. These days, the group is hawking its malware to other attack groups to use as a distribution mechanism for their own threats.

While it seems to have fallen off the radar of the security community, the Emotet trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” according to the July TA, which was issued by a consortium of the Multi-State Information Sharing & Analysis Center (MS-ISAC), the Department of Homeland Security (DHS), and the National Cybersecurity and Communications Integration Center (NCCIC). “Emotet infections have cost SLTT governments up to $1 million per incident to remediate,” the report said.

The group appears to have expanded both the trojan’s capabilities and its targets to become what threat researchers call an “end-to-end service for delivery of threats.” For example, earlier this year, Emotet was found to be using its loader function to spread Quakbot and ransomware variants.

An Analytic Story in the September 27th release of the Splunk Enterprise Security Content Update (ESCU) app can help you detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet (or similar types of malware) has compromised your environment. 
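As an added illustration (not the ESCU Analytic Story itself, and not Splunk's code), the following Python evaluates three of the indicators named above over constructed Sysmon-like events: cmd.exe spawning a script interpreter, executables seen on very few hosts, and values written under the Run autostart keys. The hosts, paths and the x8ff2a.exe file name are invented sample data.

```python
"""Added example: three Emotet-style process and registry indicators evaluated
over constructed Windows telemetry (Sysmon-like fields). This is illustrative
code written for this post, not an ESCU detection search."""

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RUN_KEYS = (r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run")

# Constructed process-creation events: (host, parent image path, child image path).
PROC_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws01", r"C:\Program Files\Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe"),
    ("ws03", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ping.exe"),
    ("ws03", r"C:\Windows\System32\services.exe", r"C:\Users\Public\x8ff2a.exe"),
]
# Constructed registry value-set events: (host, key path, value data).
REG_EVENTS = [
    ("ws03", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x8ff2a", r"C:\Users\Public\x8ff2a.exe"),
    ("ws01", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def cmd_launching_interpreter(events):
    """cmd.exe spawning a script interpreter: (host, child) pairs, in event order."""
    return [(host, basename(child)) for host, parent, child in events
            if basename(parent) == "cmd.exe" and basename(child) in SCRIPT_INTERPRETERS]

def rare_executables(events, max_hosts=1):
    """Executables observed on at most max_hosts distinct hosts in the window."""
    hosts = {}
    for host, _parent, child in events:
        hosts.setdefault(basename(child), set()).add(host)
    return sorted(name for name, seen in hosts.items() if len(seen) <= max_hosts)

def run_key_persistence(events):
    """Values written under the per-user or machine Run keys (autostart persistence)."""
    return [(host, key, data) for host, key, data in events
            if key.lower().startswith(RUN_KEYS)]
```

On a real fleet the host-count threshold for rare_executables should be tuned against a baseline window so that routine administrative tools drop out of the result.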

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities. So download the Splunk ESCU app today!


The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
