Symantec Corp. (NASDAQ: SYMC), the world's leading cyber security
company, today announced
that Symantec's advanced threat research group has discovered that
activities undertaken by threat group Mealybug have evolved from
maintaining and delivering its own custom banking Trojan to operating as
a distributor of threats for other groups that operate similarly to
steal information from targeted organizations. When Mealybug was
first identified in 2014, it used custom malware called Emotet to spread
Trojans that would then steal online banking credentials from computer
users in Europe. New Symantec telemetry now reveals that Emotet is
focused on U.S. targets and is also being used to spread Qakbot, a
separate family of banking Trojans. Both Emotet and Qakbot have
self-propagating capabilities, which allow the threats to spread
aggressively once on a network.
"We believe Mealybug has evolved its business model from a lone threat
actor to a global distributor. This follows a trend we identified in the
Internet Security Threat Report this year where threat actors are
refining their techniques and business models to maximize profits," said
Jon DiMaggio, senior threat intelligence analyst at Symantec. "From our
analysis, Mealybug appears to be supporting multiple attack groups at
any given time and makes money by taking a cut of the resulting profits."
Symantec believes Emotet and Qakbot are controlled by two separate
groups, and that Mealybug is offering Emotet as a delivery mechanism for
Qakbot, as well as other threats. Symantec analysis has detected no
overlap between the command-and-control infrastructure of the two
Trojans, and also found differences in the code of their main components
and anti-debugging techniques.
Mealybug activity presents several challenges for organizations: its
worm-like capabilities let it spread rapidly across networks, and its
brute forcing of passwords may result in victims getting locked out of
their machines, impeding user productivity and increasing demand on
helpdesk and IT teams. Network worms like Emotet and Qakbot have
regained notoriety in recent years with other notable examples including
WannaCry and Petya/NotPetya. These attacks are particularly challenging
for organizations because victims can become infected without ever
clicking on a malicious link or downloading a malicious attachment.
To help protect against threats such as Emotet and Qakbot, organizations
are recommended to deploy endpoint, email, and web gateway security
solutions and keep these solutions up to date with the latest protection
so that threats like Emotet are detected as early as possible in the
infection chain. Symantec also recommends employing two-factor
authentication on accounts to provide an additional layer of security
and prevent any stolen or cracked credentials from being used by
attackers. Symantec's
Targeted Attack Analytics (TAA), a new feature within Symantec
Advanced Threat Protection, can detect Emotet's activity based on
suspicious patterns in its propagation behavior, such as when files are
dropped by the spreader module on multiple machines.
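One way to turn the propagation heuristic described above into a check over endpoint telemetry, as an added example rather than Symantec's own TAA logic: correlate file-creation events by hash and flag any hash that first appears on several distinct hosts within a short window, while a slow software rollout of the same binary over days is left alone. The event layout, hostnames and hash placeholders are constructed for this illustration.

```python
"""Flag worm-like spreading in file-creation telemetry: the same file hash
dropped on many distinct hosts within a short window.  Added illustration of
the detection idea above, not Symantec TAA code; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (ISO timestamp, host, sha256 placeholder, path).
# Hash values are placeholders, not real Emotet or Qakbot indicators.
EVENTS = [
    ("2017-12-01T09:00:05", "ws-101", "sha-PLACEHOLDER-01", r"C:\Windows\spread.exe"),
    ("2017-12-01T09:00:40", "ws-102", "sha-PLACEHOLDER-01", r"C:\Windows\spread.exe"),
    ("2017-12-01T09:01:10", "ws-103", "sha-PLACEHOLDER-01", r"C:\Windows\spread.exe"),
    ("2017-12-01T09:01:58", "ws-104", "sha-PLACEHOLDER-01", r"C:\Windows\spread.exe"),
    # Routine software rollout: same hash on several hosts, but spread over days.
    ("2017-12-01T10:00:00", "ws-101", "sha-PLACEHOLDER-02", r"C:\Program Files\app\app.exe"),
    ("2017-12-02T10:00:00", "ws-102", "sha-PLACEHOLDER-02", r"C:\Program Files\app\app.exe"),
    ("2017-12-03T10:00:00", "ws-103", "sha-PLACEHOLDER-02", r"C:\Program Files\app\app.exe"),
    # Ordinary user document seen on a single host.
    ("2017-12-01T09:30:00", "ws-105", "sha-PLACEHOLDER-03", r"C:\Users\a\notes.docx"),
]


def first_sightings(events):
    """Map each hash to {host: earliest timestamp it appeared on that host}."""
    seen = defaultdict(dict)
    for ts, host, sha, _path in events:
        t = datetime.fromisoformat(ts)
        if host not in seen[sha] or t < seen[sha][host]:
            seen[sha][host] = t
    return seen


def find_spreaders(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {hash: sorted hosts} for every hash whose first appearance on
    at least `min_hosts` distinct hosts falls inside a single `window`."""
    flagged = {}
    for sha, hosts in first_sightings(events).items():
        times = sorted(hosts.values())
        left = 0
        for right, t in enumerate(times):  # sliding window over first sightings
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= min_hosts:
                flagged[sha] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for sha, hosts in find_spreaders(EVENTS).items():
        print(f"possible spreader {sha}: dropped on {len(hosts)} hosts {hosts}")
```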
For more information on Mealybug and a complete list of security best
practices for organizations, please visit the Symantec
Threat Intelligence blog.
