New research based on observed attack data over the second half of 2018 (2H 2018) reveals the command-and-control and lateral-movement activity of three high-profile pieces of malware targeting large organizations in recent months: Emotet, LokiBot, and TrickBot.

Gigamon’s report is intended to increase the understanding of how the most prolific malware of 2018 traversed enterprise networks without detection.

The paper shows that Emotet campaigns soared in November and December of 2018, and that Emotet accounted for 45.9% of attacks observed during the entire second half of the year.

Emotet is a banking Trojan that harvests sensitive data by injecting malicious code into the networking stack of an infected endpoint, so that the data can be captured and exfiltrated as it is transmitted. The malware can also insert itself into software modules, perform denial-of-service attacks against other systems, and act as a downloader or dropper for other banking Trojans.

While attackers leveraged many known network techniques that make detection fairly easy, their Emotet-centric campaigns also included significant changes and experimentation, researchers said.

LokiBot, another Trojan designed to covertly siphon information from a compromised endpoint, represented 11.6% of observed samples in 2H 2018 and used the most diverse set of attachment types for initial infection.

LokiBot is both an information stealer and a keylogger, used mainly for credential theft. The malware had a fairly high success rate throughout 2018, illustrating that even simple threats can infiltrate enterprises with a poor network security posture.

“The network behaviors remain simplistic, highlighting the clear value of pervasive network visibility,” researchers noted.

TrickBot, one of the newer banking Trojans, represented 10.4% of observed attacks during 2H 2018, roughly the same share as in 1H 2018. The malware typically spreads via spam campaigns and specializes in harvesting email and credentials, using the Mimikatz tool for the credential theft. It is delivered in modular “chunks”, each with a specific task such as gaining persistence, propagating, or stealing data, and a configuration file controls which modules are deployed, and how and when.

Notably, TrickBot has undergone periods of experimentation by its operators, resulting in varied deployment and obfuscation techniques that make detection harder. Because its tactics change continuously, TrickBot remained a prevalent threat to enterprises throughout 2018, researchers said.

“Emotet, LokiBot and TrickBot may all be considered common, high-volume malware; however, all three are wildly successful in infiltrating enterprise networks and persisting,” they added. “They pose significant damage potential and cost to organizations and take significant resources to respond to and remediate. The opportunity to learn from their success can lead security teams to a more mature and productive security strategy.”

According to the paper, all three malware families show network activity and behaviors that can be rapidly detected with pervasive network visibility, along with an understanding of adversary methodologies gained through intelligence efforts.
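As an added illustration of the kind of detection that point refers to (example code written for this page, not tooling from the Gigamon report or from Bitdefender), the Python below applies two generic heuristics to constructed Zeek-style connection records: timer-regular beaconing from an internal host to a single external endpoint, the command-and-control pattern, and an internal host fanning out to many peers over SMB within a short window, the lateral-movement pattern. The IP addresses, timestamps, ports and thresholds are assumptions chosen for the demonstration; none of them are indicators the report attributes to Emotet, LokiBot or TrickBot.

```python
"""Added illustration, not code from the Gigamon report or the article above.

Two simple heuristics a network-visibility pipeline can run over connection
records: (1) regular beaconing from an internal host to one external
endpoint, a generic command-and-control pattern, and (2) an internal host
fanning out to many internal peers on SMB in a short window, a generic
lateral-movement pattern. The records, addresses and thresholds below are
constructed assumptions for illustration only.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 ranges are "internal"; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample in Zeek conn.log spirit: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    # 10.0.0.5 contacts one external host every ~300 s with a few seconds of jitter
    (0.0, "10.0.0.5", "203.0.113.7", 8080),
    (300.0, "10.0.0.5", "203.0.113.7", 8080),
    (602.0, "10.0.0.5", "203.0.113.7", 8080),
    (899.0, "10.0.0.5", "203.0.113.7", 8080),
    (1201.0, "10.0.0.5", "203.0.113.7", 8080),
    (1500.0, "10.0.0.5", "203.0.113.7", 8080),
    # 10.0.0.8 browses an external site at irregular intervals (benign)
    (10.0, "10.0.0.8", "198.51.100.2", 443),
    (50.0, "10.0.0.8", "198.51.100.2", 443),
    (400.0, "10.0.0.8", "198.51.100.2", 443),
    (410.0, "10.0.0.8", "198.51.100.2", 443),
    (900.0, "10.0.0.8", "198.51.100.2", 443),
    (1700.0, "10.0.0.8", "198.51.100.2", 443),
    # 10.0.0.5 then opens SMB to seven internal peers within seven seconds
    (1210.0, "10.0.0.5", "10.0.0.10", 445),
    (1211.0, "10.0.0.5", "10.0.0.11", 445),
    (1212.0, "10.0.0.5", "10.0.0.12", 445),
    (1213.0, "10.0.0.5", "10.0.0.13", 445),
    (1214.0, "10.0.0.5", "10.0.0.14", 445),
    (1215.0, "10.0.0.5", "10.0.0.15", 445),
    (1216.0, "10.0.0.5", "10.0.0.16", 445),
    # 10.0.0.8 opens one SMB connection to a file server (benign)
    (100.0, "10.0.0.8", "10.0.0.20", 445),
]


def detect_beacons(conns, min_count=5, max_jitter=0.15):
    """Flag (src, dst, port) groups whose inter-connection gaps are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps; a
    value at or below `max_jitter` means the host is calling out on a
    near-fixed timer, which human browsing rarely produces. Only connections
    to external destinations are considered.
    """
    times = defaultdict(list)
    for ts, src, dst, port in conns:
        if not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            hits.append((*key, round(avg, 1), round(cv, 3)))
    return hits


def detect_lateral_fanout(conns, port=445, window=600.0, min_peers=5):
    """Flag internal hosts that reach `min_peers` or more distinct internal
    peers on `port` within any `window`-second span (a spreading pattern)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in conns:
        if dport == port and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= min_peers:
                hits.append((src, len(peers)))
                break
    return hits


if __name__ == "__main__":
    for src, dst, port, avg, cv in detect_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon: {src} -> {dst}:{port} every {avg}s (cv={cv})")
    for src, n in detect_lateral_fanout(SAMPLE_CONNECTIONS):
        print(f"lateral fan-out: {src} reached {n} internal SMB peers")
```

Run against the constructed sample, the script reports one beacon (10.0.0.5 to 203.0.113.7:8080 roughly every 300 seconds) and one SMB fan-out (10.0.0.5 reaching seven internal peers), while the browsing host with irregular intervals and a single file-server connection is left alone. Against real connection logs the same two functions would be fed parsed conn records, with `max_jitter` and `min_peers` tuned to the environment's normal traffic.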

Network-level threats have been a tough nut to crack for years, but security vendors today have dedicated solutions on offer to combat them. Learn more by downloading Bitdefender’s free whitepaper, Combating Advanced Threats with Network Traffic Analytics.