What to do when you need to perpetrate a dramatic cyberattack, but you'd rather be eating tacos on the couch and watching Netflix? Hire a threat-delivery service (of course!).
Whereas hacking was once an individual sport reserved for the motivated, times have changed. Mealybug, the threat group responsible for the trojan downloader known as Emotet, appears to have changed its tactics since 2014 (when its favorite pastime was targeting the banking industry to steal credentials), according to a joint technical alert (TA) issued by three government agencies. These days, the group is hawking its malware to other attack groups to use as a distribution mechanism for their own threats.
While it seems to have fallen off the radar of the security community, the Emotet trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” according to the July TA, which was issued by a consortium of the Multi-State Information Sharing & Analysis Center (MS-ISAC), the Department of Homeland Security (DHS), and the National Cybersecurity and Communications Integration Center (NCCIC). “Emotet infections have cost SLTT governments up to $1 million per incident to remediate,” the report said.
The group appears to have expanded both the trojan’s capabilities and its targets to become what threat researchers call an “end-to-end service for delivery of threats.” For example, earlier this year, Emotet was found to be using its loader function to spread Qakbot and ransomware variants.
An Analytic Story in the September 27th release of the Splunk Enterprise Security Content Update (ESCU) app can help you detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet (or similar types of malware) has compromised your environment.
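As an added illustration (not the ESCU content itself, nor Splunk's own code), the following Python sketches the three behaviours named above as detection logic run over constructed Sysmon-style events. The event field names, the interpreter list, the registry pattern and the rarity threshold are assumptions chosen for the example.

```python
import re

# Script interpreters an Emotet-style dropper commonly chains from cmd.exe (assumed list).
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Autostart registry paths (Run / RunOnce) commonly abused for persistence.
PERSISTENCE_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def cmd_launches_interpreter(events):
    """Process-creation events (EventID 1) where cmd.exe spawns a script interpreter."""
    return [e for e in events if e.get("EventID") == 1
            and basename(e.get("ParentImage", "")) == "cmd.exe"
            and basename(e.get("Image", "")) in SCRIPT_INTERPRETERS]

def run_key_persistence(events):
    """Registry value-set events (EventID 13) writing under Run/RunOnce keys."""
    return [e for e in events if e.get("EventID") == 13
            and PERSISTENCE_KEY_RE.search(e.get("TargetObject", ""))]

def rare_executables(events, min_hosts=2):
    """Executables seen on fewer than min_hosts distinct hosts (rarely used executables)."""
    hosts_by_image = {}
    for e in events:
        if e.get("EventID") == 1:
            hosts_by_image.setdefault(basename(e["Image"]), set()).add(e["Computer"])
    return sorted(img for img, hosts in hosts_by_image.items() if len(hosts) < min_hosts)

# Constructed sample events, shaped loosely like Sysmon records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp"},
]

if __name__ == "__main__":
    print(cmd_launches_interpreter(SAMPLE_EVENTS), run_key_persistence(SAMPLE_EVENTS),
          rare_executables(SAMPLE_EVENTS))
```

On the sample data, only the WS01 cmd.exe-to-powershell.exe event and the WS01 Run-key write fire, and powershell.exe is the only executable seen on a single host.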
The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities. So download the Splunk ESCU app today!