Symantec finds that banking threat actor Mealybug is now aggressively distributing threats for other groups for profit

Symantec Corp. announced on Wednesday that its advanced threat research group has found that the threat group Mealybug has evolved from maintaining and delivering its own custom banking Trojan to distributing malware on behalf of other groups that likewise steal information from targeted organizations.

When Mealybug was first identified in 2014, it used custom malware called Emotet to spread Trojans that would then steal online banking credentials from computer users in Europe. New Symantec telemetry now reveals that Emotet is focused on U.S. targets and is also being used to spread Qakbot, a separate family of banking Trojans. Both Emotet and Qakbot have self-propagating capabilities, which allow the threats to spread aggressively once on a network.

Symantec believes Emotet and Qakbot are controlled by two separate groups, and that Mealybug is offering Emotet as a delivery mechanism for Qakbot, as well as other threats. Symantec analysis has detected no overlap between the command-and-control infrastructure of the two Trojans, and also found differences in the code of their main components and anti-debugging techniques.

Mealybug activity presents several challenges for organizations: Emotet's worm-like capabilities let it spread rapidly across networks, and its brute forcing of passwords can trigger account lockouts that leave victims locked out of their machines, impeding user productivity and increasing demand on helpdesk and IT teams.

Network worms like Emotet and Qakbot have regained notoriety in recent years with other notable examples including WannaCry and Petya/NotPetya. These attacks are particularly challenging for organizations because victims can become infected without ever clicking on a malicious link or downloading a malicious attachment.

To help protect against threats such as Emotet and Qakbot, Symantec recommends that organizations deploy endpoint, email, and web gateway security solutions and keep them up to date with the latest protection, so that threats like Emotet are detected as early as possible in the infection chain. Symantec also recommends two-factor authentication on accounts, which adds a layer of security and prevents stolen or cracked credentials from being used on their own by attackers. Symantec's Targeted Attack Analytics (TAA), a new feature within Symantec Advanced Threat Protection, can detect Emotet's activity from suspicious patterns in its propagation behavior, such as the spreader module dropping the same file on multiple machines.
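The two behaviors the article singles out, a spreader dropping one file onto many hosts and a brute-forcer generating failed logons against many accounts, are both things a SOC can hunt for in its own telemetry without a vendor product. The script below is an added example, not Symantec's TAA logic or any code from the page: it runs two sliding-window counts over a constructed event list. The event schema, hostnames, account names, file hashes, and the thresholds (four distinct hosts in ten minutes, five distinct accounts in five minutes) are all assumptions chosen for illustration, not published Emotet or Qakbot indicators.

```python
"""Toy detection of worm-like file propagation and password brute forcing.

Added example (not from the article or from Symantec). Flags
  (a) a source host that writes the same file to many peers in a short window,
  (b) a source host whose failed logons span many distinct accounts.
Event schema, hosts, accounts, hashes and thresholds are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, kind, source, target, detail).
# detail is a file hash for file_write events and an account for logon_failure.
SAMPLE_EVENTS = [
    ("2018-07-18T09:00:05", "file_write", "ws-17", "ws-02", "sha256:aa11"),
    ("2018-07-18T09:00:09", "file_write", "ws-17", "ws-05", "sha256:aa11"),
    ("2018-07-18T09:00:14", "file_write", "ws-17", "ws-09", "sha256:aa11"),
    ("2018-07-18T09:00:21", "file_write", "ws-17", "ws-11", "sha256:aa11"),
    ("2018-07-18T09:00:30", "file_write", "ws-17", "fs-01", "sha256:aa11"),
    ("2018-07-18T09:01:00", "file_write", "ws-03", "fs-01", "sha256:bb22"),  # ordinary save
    ("2018-07-18T09:02:00", "logon_failure", "ws-17", "dc-01", "alice"),
    ("2018-07-18T09:02:01", "logon_failure", "ws-17", "dc-01", "bob"),
    ("2018-07-18T09:02:02", "logon_failure", "ws-17", "dc-01", "carol"),
    ("2018-07-18T09:02:03", "logon_failure", "ws-17", "dc-01", "dave"),
    ("2018-07-18T09:02:04", "logon_failure", "ws-17", "dc-01", "erin"),
    ("2018-07-18T09:02:05", "logon_failure", "ws-17", "dc-01", "frank"),
    ("2018-07-18T09:30:00", "logon_failure", "ws-08", "dc-01", "alice"),  # one user mistyping
    ("2018-07-18T09:31:00", "logon_failure", "ws-08", "dc-01", "alice"),
]

# Hypothetical thresholds; tune against your own baseline before use.
SPREAD_HOSTS = 4                    # same file landing on >= this many hosts
SPREAD_WINDOW = timedelta(minutes=10)
BRUTE_ACCOUNTS = 5                  # failures against >= this many accounts
BRUTE_WINDOW = timedelta(minutes=5)


def _parse(events):
    return [(datetime.fromisoformat(ts), kind, src, dst, detail)
            for ts, kind, src, dst, detail in events]


def _max_distinct_in_window(items, window):
    """items: sorted list of (timestamp, value). Return the largest number of
    distinct values observed inside any window of the given length."""
    best = 0
    for i, (t0, _) in enumerate(items):
        seen = set()
        for t, value in items[i:]:
            if t - t0 > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def detect_propagation(events):
    """Return sorted (source_host, file_hash) pairs where one source wrote the
    same file to SPREAD_HOSTS or more distinct hosts within SPREAD_WINDOW."""
    writes = defaultdict(list)
    for ts, kind, src, dst, detail in _parse(events):
        if kind == "file_write":
            writes[(src, detail)].append((ts, dst))
    hits = []
    for key, items in writes.items():
        items.sort()
        if _max_distinct_in_window(items, SPREAD_WINDOW) >= SPREAD_HOSTS:
            hits.append(key)
    return sorted(hits)


def detect_brute_force(events):
    """Return sorted source hosts whose failed logons covered BRUTE_ACCOUNTS or
    more distinct accounts within BRUTE_WINDOW (the pattern that causes the
    lockouts described above)."""
    failures = defaultdict(list)
    for ts, kind, src, dst, detail in _parse(events):
        if kind == "logon_failure":
            failures[src].append((ts, detail))
    hits = []
    for src, items in failures.items():
        items.sort()
        if _max_distinct_in_window(items, BRUTE_WINDOW) >= BRUTE_ACCOUNTS:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    print("propagation:", detect_propagation(SAMPLE_EVENTS))
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
```

On the constructed data only ws-17 trips both rules: it pushes one hash to five hosts in under half a minute and cycles six accounts in six seconds, while the single user on ws-08 who mistypes a password twice stays below the account-diversity threshold. Keying the brute-force rule on distinct accounts rather than raw failure count is what separates a spreader from a forgetful user; keying the propagation rule on (source, hash) rather than on file name is what keeps a renamed dropper from evading it.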

“We believe Mealybug has evolved its business model from a lone threat actor to a global distributor. This follows a trend we identified in the Internet Security Threat Report this year where threat actors are refining their techniques and business models to maximize profits,” said Jon DiMaggio, senior threat intelligence analyst at Symantec. “From our analysis, Mealybug appears to be supporting multiple attack groups at any given time and makes money by taking a cut of the resulting profits.”


WWPI – Covering the best in IT since 1980