How malware traverses your network without you knowing about it

A research report has been released which, based on observed attack data over the second half of 2018 (2H 2018), reveals the command-and-control and lateral activities of three highest-volume malware, Emotet, LokiBot, and TrickBot. It also highlights effective methodologies to proactively combat these cybersecurity threats.

how malware traverses your network

Threat family distribution 2H 2018

The data and analysis bring to light threat-actor behavior and provides a high-level look at the technical methods they use to accomplish their objectives.

Key findings in the Gigamon Applied Threat Research (ATR), How the Most Prolific Malware Traversed Your Network Without Your Knowledge, include:

Emotet

  • Emotet’s rapid increase began in early November 2018, which continued through late December 2018. During this time, Emotet campaigns appeared daily with different attachment hashes, different attachment filenames, and different e-mail subject lines. On or about 21 December 2018, Emotet went silent and remained silent through the first weeks of 2019.
  • As the most prominent malware threat in the second half of 2018 (46 percent of attacks) and despite being well known by the security community, Emotet continues to infiltrate enterprises and allude security prevention tools and security professionals.
  • Emotet serves many objectives: Information Stealer, Credential Theft, Spam, and Malware Distribution are amongst its top offenses.
  • Due to Emotet’s polymorphic nature, it is difficult to detect by signatures alone, so organisations must be able to identify Emotet’s network communications behaviours to mitigate its rapid proliferation.
  • While identifying a single victim machine with Emotet is important, Emotet’s ability to spread laterally throughout the network creates a challenge to identify its full presence and eradicate Emotet from an enterprise’s network.

LokiBot

  • LokiBot accounted for 12 percent of attacks in H2 2018.
  • LokiBot’s success through all of 2018 illustrates that simple threats can be quite successful at infiltrating enterprises.
  • On the surface, LokiBot appears to be a rather run-of-the-mill information stealer; however, the fact its code is now open sourced raises a much greater risk to enterprises.
  • LokiBot, by itself, has three primary objectives: Information Stealer, Credential Theft, and Keylogger.

TrickBot

  • TrickBot accounted for 10 percent of attacks in H2 2018.
  • TrickBot pulled in front of Pony in the H2 2018 to come in as the third most prevalent crimeware and has many of the same techniques used by Emotet.
  • Since its inception in 2016, TrickBot continues to evolve and counteract defensive measures of the security community.
  • TrickBot includes the ability to push down “modules” that execute independently of the primary RAT.

“While these high-volume threats are well discussed in the security industry, and are seemingly novel, Emotet, Lokibot, and TrickBot still succeed in impacting enterprises around the world, causing significant damage,” said Justin Warner, Director of Applied Threat Research for Gigamon. “It is our desire to share a threat focused methodology in approaching security operations and apply it to these prolific threats. Our goal is to empower security teams to be more prepared to detect and respond to this malicious activity, and others that share or recycle similar technical methods.”