Hacker Group Selling Malware As A Service

August 31, 2018

It is summer and that means a lot of extra bugs are out. Not all of them will physically bite you, but some may still sting. Researchers at the security company Symantec have discovered that the hacking group Mealybug is increasing its activity and changing its approach to the cybercrimes it dabbles in. It’s now using a custom-built Emotet Trojan to target customers across Europe and into the United States. It arrives via phishing, of course, and if it’s set loose it can do all kinds of things on a network. Below is an example of a current phishing campaign distributing the Emotet Trojan.

First, let’s talk about phishing. No amount of software or hardware will 100% guarantee that a phishing email will not end up in an end-user’s inbox. The phishers are just getting too good at bypassing that stuff now. So it really takes additional awareness training to educate everyone who opens email about avoiding these hooks. It needs to be continuous learning too; this isn’t a one-time-and-done sort of approach to a good cybersecurity strategy. The number one rule is that no matter who the sender is or who it appears to be, if a link or attachment is not expected, it should never be clicked. If there is any amount of uncertainty, it should be verified with the supposed sender first. It could save an organization a lot of time, money, and frustration if someone takes a few minutes to just ask the sender the simple question, “Did you really intend to send me that link (or attachment)?”

Previously, Emotet was used by Mealybug to spread Qakbot, another notorious banking Trojan that is similar to Emotet. Both spread throughout networks using brute-force attacks and PowerShell to quickly distribute tools intended to steal login credentials. Now the researchers are finding that the group is making Emotet available to other malicious actors or groups as well. They conclude this because the command and control infrastructure of Qakbot and Emotet, as well as their anti-debugging techniques, are different. This leads the researchers to conclude that Mealybug is supplying Emotet to others as a delivery mechanism for Qakbot and likely charging for it. Yep. It’s malware-as-a-service.
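The brute-force spread described above leaves a recognizable trail in authentication logs: one host failing logons against many accounts in a short burst, sometimes followed by a success. The following detector is an added example, not code from the article or from Symantec’s research; the log format, host names and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): timestamp, result, source host, target account.
SAMPLE_LOGS = """\
2018-08-29T10:00:01 FAIL src=WS-017 user=alice
2018-08-29T10:00:02 FAIL src=WS-017 user=bob
2018-08-29T10:00:02 FAIL src=WS-017 user=carol
2018-08-29T10:00:03 FAIL src=WS-017 user=dave
2018-08-29T10:00:03 FAIL src=WS-017 user=erin
2018-08-29T10:00:04 SUCCESS src=WS-017 user=erin
2018-08-29T10:05:00 FAIL src=WS-042 user=frank
2018-08-29T10:09:00 FAIL src=WS-042 user=frank
2018-08-29T10:20:00 SUCCESS src=WS-042 user=frank
"""

def parse(line):
    """Split one constructed log line into (timestamp, result, source host, account)."""
    ts, result, src, user = line.split()
    return (datetime.fromisoformat(ts), result, src.split("=", 1)[1], user.split("=", 1)[1])

def detect_bruteforce(log_text, window=timedelta(minutes=1), min_failures=4, min_accounts=3):
    """Return {source_host: sorted accounts} for hosts that produced at least `min_failures`
    failed logons against `min_accounts` distinct accounts within any `window`-long span.
    A single user mistyping a password a couple of times does not meet this bar."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)          # source host -> [(timestamp, account)]
    for ts, result, src, user in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = defaultdict(set)
    for src, attempts in failures.items():
        start = 0                         # sliding window over this host's time-ordered failures
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_accounts:
                flagged[src].update(users)
    return {src: sorted(users) for src, users in flagged.items()}

def followed_by_success(log_text, flagged):
    """Accounts that a flagged host later logged on with successfully: the credentials
    most likely stolen, which should be reset and the host isolated for investigation."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    return sorted({(src, user) for _, result, src, user in events
                   if result == "SUCCESS" and user in flagged.get(src, [])})

if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOGS)
    print(hits, followed_by_success(SAMPLE_LOGS, hits))
```

Against the constructed sample, WS-017 is flagged for spraying five accounts within seconds and its later success as erin is reported, while WS-042’s two spaced-out failures for one account are ignored.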

Symantec advises companies to educate employees on phishing and also to employ some type of two-factor authentication within their organizations to prevent stolen credentials from being used by cybercriminals.

Stickley on Security
Published August 29, 2018