Emotet and Trickbot Banking Trojans Acquire Internet Worm Capabilities
This means the malware will now self-replicate
Emotet and TrickBOT are two relatively recent banking Trojans that have shot up in popularity in the past couple of years.
Recently, researchers discovered that the two have developed a new kind of malicious feature, directly inspired by the success of the WannaCry and Petya ransomware.
The pair now comes with self-replicating capabilities, which mimic the behavior of Internet worms.
Quick look into how banking Trojans work
Banking Trojans and financial malware in general seek to steal a user’s money by quietly infiltrating his device while posing as a legitimate program and stealing his banking credentials.
The most straightforward method is to harvest the data using a keylogger, which records what users type into forms, or even what they copy/paste into them. The more advanced keyloggers will stay dormant, and only activate when the user visits a certain website or completes certain forms.
Other methods include redirects, where the banking Trojan will modify a user’s browser settings so they will be constantly redirected from the legitimate banking website, to a copied one that looks identical. Basically, if you type in the address of Site A, the banking Trojan will instead send you to Site B, which is the phishing website.
Once they have your login details, all they have to do is clean out your bank account and leave you penniless.
How Internet worms work
The most successful malware out there (such as ransomware or banking Trojans) doesn’t actually spread from user to user. Instead, it relies on a central infection point, such as a malicious website designed to infect visitors. A more effective method, however, is to simply spam the user with phishing emails that tempt him to download the malware.
An Internet worm works differently. It seeks to exploit weaknesses in software or websites, so one user can infect the other without the participation of the malicious hacker.
One of the most famous cases is that of the Samy MySpace worm. It took the name of its creator, Samy Kamkar, then a 19-year-old hacker, who wanted to impress his buddies with how many friends he had on MySpace.
So he made a script that made every profile visitor send him a friend request. On top of that, the script also modified the profile of the visitor to include the line “but most of all, Samy is my hero”, and a link to Samy’s MySpace.
Initially, he hoped to gather 200 to 300 friends in a 6-month period. However, within 20 hours, he received 1 million friend requests.
While not designed for profit, the Samy worm remains a textbook case of an Internet worm.
Worm functionalities in Emotet and TrickBOT
The malware is initially distributed using phishing emails disguised as invoices from financial companies.
Emotet will first scan a network for accessible IPC$ drives. IPC is short for inter-communication protocol, and is an important technology in managing communications between servers and the computers connected to them.
Emotet will then attempt to take control of a computer by launching a brute force attack against the account login details.
A brute force attack is a password guessing method, where the attacker tries countless password variations in the hope of finding the correct one and opening up the account.
Emotet first targets normal user accounts, such as “NetUserEnum”. If the login attempt fails, it then targets the device’s administrator account.
If the brute force attack is successful and Emotet gains access to the computer, it will then copy itself from the attacking device onto the newly infected one.
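One way a defender could spot the behaviour described above in Windows logon records, as an added example that is not part of the original article: it flags any source that produces a burst of failed network logons (event 4625) and notes a successful logon (4624) that follows. The log lines, the CSV layout and the window and threshold values are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event ID, source IP, target host, account, logon type.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon.
SAMPLE_LOG = """\
2017-07-20T09:00:01,4625,10.0.0.23,FILESRV01,jsmith,3
2017-07-20T09:00:02,4625,10.0.0.23,FILESRV01,jsmith,3
2017-07-20T09:00:03,4625,10.0.0.23,FILESRV01,jsmith,3
2017-07-20T09:00:04,4625,10.0.0.23,FILESRV01,Administrator,3
2017-07-20T09:00:05,4625,10.0.0.23,FILESRV01,Administrator,3
2017-07-20T09:00:06,4624,10.0.0.23,FILESRV01,Administrator,3
2017-07-20T09:00:09,4625,10.0.0.23,WKSTN07,jsmith,3
2017-07-20T09:05:00,4625,10.0.0.50,FILESRV01,mlee,3
2017-07-20T09:05:20,4624,10.0.0.50,FILESRV01,mlee,3
"""

WINDOW = timedelta(seconds=60)  # assumed tuning values, not taken from the article
THRESHOLD = 5

def parse(text):
    """Keep only network logon successes and failures, in time order."""
    events = []
    for ts, eid, src, host, account, ltype in csv.reader(text.strip().splitlines()):
        if ltype == "3" and eid in ("4624", "4625"):
            events.append((datetime.fromisoformat(ts), eid, src, host, account))
    return sorted(events)

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Flag sources with `threshold` or more failed network logons inside `window`."""
    recent = defaultdict(list)  # source -> [(time, host, account)] recent failures
    findings = {}
    for ts, eid, src, host, account in events:
        if eid == "4625":
            recent[src] = [f for f in recent[src] if ts - f[0] <= window]
            recent[src].append((ts, host, account))
            if len(recent[src]) >= threshold:
                hit = findings.setdefault(
                    src, {"hosts": set(), "accounts": set(), "succeeded": set()})
                hit["hosts"].update(f[1] for f in recent[src])
                hit["accounts"].update(f[2] for f in recent[src])
        elif src in findings and host in findings[src]["hosts"]:
            # Success after a guessing burst from the same source: likely compromised.
            findings[src]["succeeded"].add((host, account))
    return findings

if __name__ == "__main__":
    for src, hit in detect(parse(SAMPLE_LOG)).items():
        print(src, sorted(hit["hosts"]), sorted(hit["accounts"]), sorted(hit["succeeded"]))
```

The single mistyped password from 10.0.0.50 stays below the threshold, so an ordinary user is not flagged.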
In Trickbot’s case, researchers at Intel have discovered that malware creators are testing a new type of functionality that seems to exploit weaknesses in SMB (short for Server Message Block). This might sound familiar to you, since it is the same kind of exploit used by WannaCry and Petya.
Fortunately, these new functionalities for Trickbot aren’t yet active in the wild, so users are mostly safe. For now.
Just like with Emotet, malicious hackers first spread Trickbot by way of spam and phishing emails, often disguised as invoices.
If the infection is successful, Trickbot will then use the SMB exploit to scan for other computers connected in a network. Once it finds new targets, Trickbot will infect them via LDAP (short for lightweight access protocol).
How to stay safe from Trickbot and Emotet
Update your Windows software
Both WannaCry and Petya ransomware were possible because of a vulnerability in Windows SMB called EternalBlue. Microsoft has released an update that fixes it, but most users have yet to install it. Here are the steps you should follow to manually update your PC.
Set up a strong password to protect your account
Setting up a good, strong password is one of the most frequently repeated pieces of cybersecurity advice coming from professionals.
Password guessing methods such as brute-force or dictionary attacks can guess your average 6-character password in 5 seconds. In comparison, a 14-character password requires 5,000 years of hacking attempts to break open.
Here are some basic tips you can follow to set up a strong password:
- Make it at least 10 characters long
- Include an upper and lower case letter, a number and a special character (such as “ or *)
- Never reuse the same password for more than 2 accounts.
- Always log out from accounts when you’ve finished using them.
- Use a password manager.
If you want a more in-depth view of password security, we suggest you visit our dedicated security guide on the subject.
Companies are most exposed to worm-like malware
Most companies have their own network of computers and servers, and all communicate with one another. Internet worms leverage this exact type of setup. Shared drives, Dropbox and other file sharing techniques are all excellent targets.
To counteract this, we suggest you check out this clear and concise guide that covers how a company can protect its business network.
*This article features cyber intelligence provided by CSIS Security Group researchers.