In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.
Used primarily as ’banking Trojans” to steal credentials and financial information, these intrusive, fast-replicating Trojans spread quickly. Emotet is polymorphic, which makes it difficult for traditional antivirus solutions to detect. It worms its way through a network, generally using phishing emails from compromised systems to spread as quickly as possible. Once it’s infected enough computers, it will “drop” (install) other malicious programs, especially TrickBot, which has all sorts of modular, built-in tools to discover system information, compromise that system and steal data.
The presence of either of these Trojans on a network is a serious threat. Both of these Trojans are closely related; where you see one, you often see the other. To help visualize how they work, think about them like a team of professional robbers:
- Emotet is the ‘strike team’ hired to get Trickbot through as many doors as possible, by exploiting vulnerabilities or by stealing keys
- Trickbot is the professional ‘safe-cracking team’ the Emotet strike team gets in the door
- Trickbot might install ransomware to collect a ransom, or maybe just cover their tracks when they’re done. When it installs ransomware, it’s often Ryuk.