Tue, May 14, 2019

Evolving World of Cybercrime - Banking Trojans and Ransomware Deployment

Cybercriminals, both organized criminal groups and nation-state Advanced Persistent Threat (APT) actor groups, have been raising the stakes with banking Trojans. This malware primarily aims to steal the banking credentials of an organization or individual, usually running silently in the background until victims access their personal or corporate financial accounts. At that point, credentials are captured through a variety of means and, ultimately, funds are drained, paychecks are diverted, fraudulent transactions are made, and so on.

In recent months, however, banking Trojan variants such as Emotet, Trickbot, IcedID, Qakbot, and others have been crippling company, school and government networks around the world. The newest strains do not stop at bank-related fraud: some bring in other malware as secondary and tertiary payloads dropped into infected networks, saturating victims with unauthorized remote access that hunts for additional information to steal and can severely disrupt business. Some infected victims become part of a larger botnet, and in recent months Kroll has observed actor groups maturing their tactics and deploying ransomware once the network is saturated, both as a means to cover their tracks and to further monetize their intrusion through ransom payments.

Organizations should be prepared with a diversified defense that blends “back to the basics” security with advanced threat monitoring and response capabilities.

Employee Education and Awareness Still Key For Defense

For the most part, banking Trojans are unwittingly welcomed into networks by users at all levels of the organization. Many of the strategies used by fraudsters are not new and include:

  • Social engineering attacks, including phishing (email), vishing (voicemail) and smishing (mobile messaging), where victims most often click on infected links
  • Email attachments carrying malicious macros (i.e., maldocs)
  • Compromised Internet ad campaigns (malvertising)
  • “Drive-by” attacks: users visit a website infected by malware that in turn infects the users’ computers

While many organizations are getting better at educating employees about social engineering attacks, other enterprise priorities, such as delivering responsive client service, can work against caution. For example, Kroll recently worked an investigation in which a supervisor at a financial services company received an email request from a business associate at another financial institution. Despite recognizing that the request was somewhat out of character, the supervisor, who routinely works with financial information, opened the attachment expecting an invoice. The attachment was in fact a maliciously crafted document that triggered a chain of events on the endpoint, all of them invisible to the user.

As fraudsters become more sophisticated in crafting decoy messages, we recommend that organizations conduct more frequent training with staff at all levels, including executive leadership and boards of directors. Issuing regular bulletins that share examples of deceptive emails can also prove enlightening to employees. To gauge the effectiveness of their training programs, many enterprises are proactively making social engineering exercises part of their technical penetration testing programs. Annual training should be conducted alongside tabletop exercises that involve IT security teams, corporate staff, internal and external legal counsel, and a third-party incident response firm like Kroll.


Be Prepared With Threat Intelligence, Endpoint Monitoring and Expert Response

For many organizations, endpoint threat monitoring is part of their network protection arsenal, but next-generation endpoint solutions are still evolving. Kroll regularly works with clients whose traditional anti-virus solutions have historically proved ineffective against polymorphic code, bit-shifting and process hollowing techniques.

While each banking Trojan is unique in the mechanisms it employs to inflict harm and spread further, the following simplified overview of the way we typically handle common banking Trojans such as Emotet or Trickbot gives a glimpse of the steps in an effective response:

  • Kroll leverages our Endpoint Detection and Response (“EDR”) solution, combining forensic and incident response tools, threat intelligence feeds, human analysts, and client feedback about their own networks, to identify and ban malware hashes (i.e., unique fingerprints of malicious processes or binaries). Banning a hash terminates running instances and prevents subsequent execution; when deployed at an enterprise level, this lets us block the execution of the malware network-wide.
  • When necessary, Kroll isolates infected systems to prevent data acquisition or exfiltration from client networks through the unauthorized access.
  • Kroll works with the client to identify and block actor command and control (“C2”) IP addresses at the network perimeter.
  • Kroll pulls selected events to generate a timeline of infections and to determine which user accounts the malware is using for installation and/or spreading.
  • Kroll works with the client to reset domain and local user account credentials for all accounts known to have been used by the malware to spread (or, at the appropriate time, performs an enterprise-wide password reset), and ensures that all local administrator account passwords are unique.
  • Ultimately, Kroll creates and deploys a custom remediation script to purge remaining malware artifacts.
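The triage steps above (banning known-bad hashes, isolating hosts, building an infection timeline, and identifying the accounts the malware is using to spread) are shown below as an added Python example; it is not Kroll's own tooling and does not come from the article. The event log, host and account names, and the hash blocklist are all constructed placeholders, and the pipe-delimited field layout (ts|host|user|process|sha256) is an assumption about the process telemetry an EDR platform would export.

```python
"""Added example, not Kroll's tooling: triage constructed endpoint process
events against a hash blocklist, build an infection timeline, and list the
hosts to isolate and the accounts whose credentials need resetting."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry: ts|host|user|process|sha256.
# The hashes are shortened placeholders, not real indicators.
SAMPLE_LOG = """\
2019-05-10T08:02:11Z|FIN-WS01|jdoe|WINWORD.EXE|aaaa0001
2019-05-10T08:02:40Z|FIN-WS01|jdoe|powershell.exe|bbbb0002
2019-05-10T08:03:05Z|FIN-WS01|jdoe|svchost_update.exe|cccc0003
2019-05-10T09:15:22Z|FIN-WS07|svc_backup|svchost_update.exe|cccc0003
2019-05-10T09:16:01Z|HR-WS03|svc_backup|svchost_update.exe|cccc0003
2019-05-10T10:01:13Z|FIN-WS01|jdoe|OUTLOOK.EXE|dddd0004
2019-05-11T07:44:52Z|DC01|svc_backup|svchost_update.exe|cccc0003
"""

# Constructed blocklist (placeholder hash -> label), standing in for the
# banned-hash list an EDR platform would enforce network-wide.
BLOCKLIST = {"cccc0003": "banking-trojan loader (placeholder)"}


def parse_events(text):
    """Parse pipe-delimited lines into event dicts, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # ignore blank or malformed lines rather than crash mid-triage
        ts, host, user, proc, sha = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "user": user, "process": proc, "sha256": sha.lower(),
        })
    return events


def flag_events(events, blocklist=BLOCKLIST):
    """Events whose binary hash is on the blocklist, in chronological order."""
    return sorted((e for e in events if e["sha256"] in blocklist), key=lambda e: e["ts"])


def infection_timeline(events, blocklist=BLOCKLIST):
    """(timestamp, host, user, process) for every execution of a banned binary."""
    return [(e["ts"].isoformat(), e["host"], e["user"], e["process"])
            for e in flag_events(events, blocklist)]


def patient_zero(events, blocklist=BLOCKLIST):
    """Host with the earliest banned execution, i.e. where containment starts."""
    flagged = flag_events(events, blocklist)
    return flagged[0]["host"] if flagged else None


def hosts_to_isolate(events, blocklist=BLOCKLIST):
    """Every host that ran a banned binary; candidates for network isolation."""
    return sorted({e["host"] for e in flag_events(events, blocklist)})


def accounts_to_reset(events, blocklist=BLOCKLIST):
    """Every account that ran a banned binary; its credentials are suspect."""
    return sorted({e["user"] for e in flag_events(events, blocklist)})


def spreading_accounts(events, blocklist=BLOCKLIST, min_hosts=2):
    """Accounts seen running banned binaries on at least `min_hosts` hosts;
    the malware is most likely using these credentials to move laterally."""
    hosts_by_user = defaultdict(set)
    for e in flag_events(events, blocklist):
        hosts_by_user[e["user"]].add(e["host"])
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for row in infection_timeline(evts):
        print(*row)
    print("first infected host:", patient_zero(evts))
    print("isolate:", hosts_to_isolate(evts))
    print("reset:", accounts_to_reset(evts), "spreading via:", spreading_accounts(evts))
```

On the constructed data the timeline starts on FIN-WS01 under the interactive user, while the service account is the one seen executing the banned binary on three further hosts, which is the signal that its credentials, not just the original user's, need to be reset before the remediation script runs.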


Ubiquitous and Persistent Threat

The evolving nature of banking Trojans, and frankly of all types of malware, means that enterprises of all sizes can never let down their guard. In fact, there is no better time than now to ask yourself three questions:

  • Are we continually educating employees and leaders on realistic threat scenarios?
  • How are we testing our defenses and how regularly are we testing?
  • Do we have advanced resources to detect and eradicate threats?

With every day that goes by, cybercriminals are counting on you not to know. Get answers and act today.
