The disruption of Emotet was a blow for cyber criminals – but just weeks later, the gap is being filled by other trojans and botnets. And now Trickbot malware has risen to fill the gap left by the takedown of the Emotet botnet, with a higher number of criminals shifting towards it to distribute malware attacks.
Emotet was the world’s most prolific and dangerous malware botnet before it was disrupted by an international law enforcement operation in January this year.
What initially emerged as a banking trojan in 2014 went on to become much more, establishing backdoors on compromised Windows machines which were leased out to other cyber-criminal groups to conduct their own malware or ransomware campaigns.
While the disruption of Emotet represented a blow for cyber criminals, they’ve quickly adapted and now Trickbot has become the most prevalent form of malware.
Trickbot offers many of the same capabilities as Emotet, providing cyber criminals with a means of delivering additional malware onto compromised machines – and according to analysis of malware campaigns by cybersecurity researchers at Check Point, it’s now become the most commonly distributed malware in the world.
First distributed in 2016, Trickbot has long been up there with the most prolific forms of malware, but with the crackdown on Emotet, has quickly become an even more popular way for criminals to widely distribute their chosen cyberattack campaigns.
“Criminals will continue using the existing threats and tools they have available, and Trickbot is popular because of its versatility and its track record of success in previous attacks,” said Maya Horowitz, director of threat intelligence and research at Check Point.
“As we suspected, even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks,” she added.
But Trickbot is far from the only malware threat to organisations and other cyber-criminal campaigns have also helped fill the gap left by the disruption of Emotet.
XMRig, an open-source form of cryptocurrency-mining malware, has risen to become the second most common malware family, as cyber criminals continue to exploit the processing power of compromised systems in an effort to generate Monero cryptocurrency for themselves.
The third most commonly distributed malware family during Feburary was Qbot, a banking trojan that has been in existence since 2008. Qbot is designed to steal usernames and passwords for bank accounts by secretly logging keystrokes made by the user and uses several anti-debugging and anti-sandbox techniques to evade detection. Like Trickbot, Qbot is commonly distributed via phishing emails.
Other banking trojans and botnets that have become more prolific since the takedown of Emotet include Formbook, Glupteba and Ramnit.
One way organisations can help protect their networks from malware threats is to ensure the latest security patches are applied as soon as possible after they’re released, because that will prevent cyber criminals exploiting known vulnerabilities to run malware on networks.
And with phishing still such a common method for distributing cyberattacks, it’s important that organisations take the time to educate employees on how to detect potential threats.
“Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails which spread Trickbot and other malware,” said Horowitz.