Symantec Discovers That Banking Threat Actor Mealybug Is Now Aggressively Distributing Threats for Other Groups for Profit
July 18 2018 - 9:00AM
Business Wire
Mealybug’s business model evolved from lone
threat actor to global distributor, collecting profits from other
threat groups
Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber
security company, today announced that Symantec’s advanced threat
research group has discovered that the threat group Mealybug has
evolved from maintaining and delivering its own custom banking
Trojan to operating as a distributor for other groups’ threats,
which likewise steal information from targeted organizations. When
Mealybug was first identified in 2014, it used custom malware
called Emotet to spread Trojans that stole online banking
credentials from computer users in Europe. New Symantec telemetry
now reveals that Emotet has shifted its focus to U.S. targets and
is also being used to spread Qakbot, a separate family of banking
Trojans. Both Emotet and Qakbot have self-propagating capabilities,
which allow them to spread aggressively once on a network.
“We believe Mealybug has evolved its business model from a lone
threat actor to a global distributor. This follows a trend we
identified in the Internet Security Threat Report this year where
threat actors are refining their techniques and business models to
maximize profits,” said Jon DiMaggio, senior threat intelligence
analyst at Symantec. “From our analysis, Mealybug appears to be
supporting multiple attack groups at any given time and makes money
by taking a cut of the resulting profits.”
Symantec believes Emotet and Qakbot are controlled by two
separate groups, and that Mealybug is offering Emotet as a delivery
mechanism for Qakbot, as well as other threats. Symantec analysis
has detected no overlap between the command-and-control
infrastructure of the two Trojans, and also found differences in
the code of their main components and anti-debugging
techniques.
Mealybug activity presents several challenges for organizations:
the worm-like spreader lets an infection move rapidly across a
network, and its password brute forcing generates bursts of failed
logons that trip account-lockout thresholds, so legitimate users
find themselves locked out of their machines, impeding productivity
and increasing demand on helpdesk and IT teams. Network worms have
regained notoriety in recent years; alongside Emotet and Qakbot,
notable examples include WannaCry and Petya/NotPetya. Such attacks
are particularly challenging for organizations because victims can
become infected without ever clicking a malicious link or
downloading a malicious attachment: once one machine on the network
is compromised, the worm reaches the others on its own.
To help protect against threats such as Emotet and Qakbot, Symantec
recommends that organizations deploy endpoint, email, and web
gateway security solutions and keep them up to date with the latest
protection, so that threats like Emotet are detected as early as
possible in the infection chain. Symantec also recommends
two-factor authentication on accounts as an additional layer of
security, so that a stolen or cracked password alone is not enough
for an attacker to log in. Symantec’s Targeted Attack Analytics
(TAA), a new feature within Symantec Advanced Threat Protection,
can detect Emotet’s activity from suspicious patterns in its
propagation behavior, such as files being dropped by the spreader
module on multiple machines.
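The propagation pattern described above lends itself to a simple telemetry check: a file that first appears on many distinct hosts within a short window is a spreader candidate, whereas a legitimate software rollout usually arrives over hours. The Python script below is an added illustration of that heuristic written for this page; it is not Symantec's TAA logic, and the file-creation events, host names and hashes it runs over are constructed sample data, not real telemetry.

```python
"""Flag file hashes dropped on many hosts in a short window.

Added example of a propagation-pattern heuristic; not Symantec's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-creation events (hypothetical sample data, not real telemetry).
# Each row: UTC timestamp, host, path of the created file, SHA-256 (truncated).
SAMPLE_EVENTS = [
    ("2018-07-18T09:00:05", "ws-101", r"C:\Windows\Temp\abc.exe", "d1f2"),
    ("2018-07-18T09:00:09", "ws-102", r"C:\Windows\Temp\abc.exe", "d1f2"),
    ("2018-07-18T09:00:14", "ws-103", r"C:\Windows\Temp\abc.exe", "d1f2"),
    ("2018-07-18T09:00:20", "ws-104", r"C:\Windows\Temp\abc.exe", "d1f2"),
    ("2018-07-18T09:00:31", "ws-107", r"C:\Windows\Temp\abc.exe", "d1f2"),
    ("2018-07-18T09:00:40", "ws-107", r"C:\Windows\Temp\abc.exe", "d1f2"),  # repeat on same host
    ("2018-07-18T09:01:02", "ws-101", r"C:\Users\alice\report.docx", "77aa"),
    ("2018-07-18T09:01:04", "ws-102", r"C:\Users\bob\report.docx", "77aa"),
    # A legitimate rollout also lands on many hosts, but spread over hours.
    ("2018-07-18T08:00:00", "ws-201", r"C:\Program Files\Tool\setup.exe", "beef"),
    ("2018-07-18T09:30:00", "ws-202", r"C:\Program Files\Tool\setup.exe", "beef"),
    ("2018-07-18T11:00:00", "ws-203", r"C:\Program Files\Tool\setup.exe", "beef"),
    ("2018-07-18T12:30:00", "ws-204", r"C:\Program Files\Tool\setup.exe", "beef"),
    ("2018-07-18T14:00:00", "ws-205", r"C:\Program Files\Tool\setup.exe", "beef"),
]


def parse_events(rows):
    """Turn raw rows into (datetime, host, path, hash) tuples."""
    return [(datetime.fromisoformat(ts), host, path, h) for ts, host, path, h in rows]


def find_spreaders(rows, min_hosts=4, window_seconds=600):
    """Return {hash: sorted hosts} for every hash first written to at least
    min_hosts distinct hosts within some window of window_seconds."""
    window = timedelta(seconds=window_seconds)

    # Earliest time each (hash, host) pair was seen; repeats on one host do not count.
    first_seen = {}
    for ts, host, _path, h in parse_events(rows):
        if (h, host) not in first_seen or ts < first_seen[(h, host)]:
            first_seen[(h, host)] = ts

    arrivals_by_hash = defaultdict(list)
    for (h, host), ts in first_seen.items():
        arrivals_by_hash[h].append((ts, host))

    hits = {}
    for h, arrivals in arrivals_by_hash.items():
        arrivals.sort()
        start = 0
        for end in range(len(arrivals)):
            # Shrink the window from the left until it spans at most window_seconds.
            while arrivals[end][0] - arrivals[start][0] > window:
                start += 1
            if end - start + 1 >= min_hosts:
                hits[h] = sorted(host for _ts, host in arrivals)
                break
    return hits


if __name__ == "__main__":
    for h, hosts in find_spreaders(SAMPLE_EVENTS).items():
        print(f"spreader candidate {h}: {len(hosts)} hosts {hosts}")
```

With the defaults, only the hash that reached four hosts inside ten minutes is reported; the rollout binary, although it reaches five hosts, is spread over six hours and stays quiet. Tune `min_hosts` and `window_seconds` to the environment, and expect to allowlist deployment tools that legitimately push one binary to many hosts at once: the script flags the pattern, it does not by itself confirm malware.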
For more information on Mealybug and a complete list of security
best practices for organizations, please visit the Symantec Threat
Intelligence blog.
About Symantec
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber
security company, helps organizations, governments and people
secure their most important data wherever it lives. Organizations
across the world look to Symantec for strategic, integrated
solutions to defend against sophisticated attacks across endpoints,
cloud and infrastructure. Likewise, a global community of more than
50 million people and families rely on Symantec’s Norton suite of
products for protection at home and across their devices. Symantec
operates one of the world’s largest civilian cyber intelligence
networks, allowing it to see and protect against the most advanced
threats. For additional information, please
visit www.symantec.com or connect with us
on Facebook, Twitter, and LinkedIn.
View source
version on businesswire.com: https://www.businesswire.com/news/home/20180718005290/en/
Symantec
Matt Nagel, (650) 527-8000
uspress@symantec.com