Emotet and the New Wave of Trojans

Though ransomware has stolen much of the limelight over the past two years, following the unprecedented WannaCry and NotPetya attacks of 2017, the biggest threat to businesses remains, and may be increasingly, that of Trojan horse malware. This threat also continues to evolve, as evidenced by the currently-popular Emotet variant, described by the US Computer Emergency Readiness Team (US-CERT) as ‘among the most costly and destructive [examples of] malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.’

A Trojan horse is a piece of malware that tricks a user into running it by disguising itself as something innocuous, like a Word document or an advert. Once run, its payload can be deployed—the payload can be anything from a credential harvester that scrapes any logins it can find on the system and returns them to the attacker to a backdoor that allows the attacker to access the device remotely in the future (known as a remote-access Trojan, or RAT). The biggest threat is that of the banking Trojan, which waits until the user visits their banking service, steals the entered credentials and allows the attacker to log in and drain the account of money remotely. The Zeus banking Trojan is believed to have infected 13m devices since its discovery in 2007.

Trojan horses have been around since at least the 1980s, and have remained a perennial favourite in the arsenal of cyber attackers ever since. Whilst other, more novel attack vectors have drawn the cyber security world’s attention lately, banking Trojans made up 56% of all malicious email attachments in Q4 of last year, according to threat research biz Proofpoint. For reference, ransomware only accounted for 0.001%. Backdoor-installing Remote-Access Trojans (RATs), meanwhile, made up 8.4% of the attachments, which Proofpoint identified as a signifiant increase.

One of the most prominent new types of Trojan is Emotet. Distributed via emails that ‘appear as quite convincing invoices, receipts and shipping notices using branding familiar to the recipient’, Emotet spreads rapidly throughout any networks and devices connected to the infected device. ‘It can evade typical signature-based detection…and has several methods for maintaining persistence on a network’, making it very difficult to both detect and remove. The US-CERT warning reports that ‘Emotet infections have cost SLTT governments up to $1 million per incident to remediate’.

Emotet has been used to attack business across a range of sectors, from the aforementioned state, local, tribal and territorial governments to the education and healthcare sectors. In addition, the attacks are unpredictable, with ‘little, if any, correlation between how and where Emotet spikes’, suggesting that criminals ‘appear to have made randomness the cornerstone of the strategy’.

Luckily, with old-school threats (even in new-school guises) comes the benefit of years of understanding in how to defend against them. The means of deflecting Trojans may sound simple, but they have almost three decades of success that can speak for itself: ‘Those organisations with good spam filtering, who only give administrator rights when appropriate and with proper system administration and up-to-date Windows hosts, are at a lower risk of infection.’

Scroll to Top