Symantec Discovers That Banking Threat Actor Mealybug Is Now Aggressively Distributing Threats for Other Groups for Profit

Mealybug’s business model evolved from lone threat actor to global distributor, collecting profits from other threat groups

MOUNTAIN VIEW, Calif.--Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, today announced that Symantec’s advanced threat research group has discovered that activities undertaken by threat group Mealybug have evolved from maintaining and delivering its own custom banking Trojan to operating as a distributor of threats for other groups that operate similarly to steal information from targeted organizations. When Mealybug was first identified in 2014, it used custom malware called Emotet to spread Trojans that would then steal online banking credentials from computer users in Europe. New Symantec telemetry now reveals that Emotet is focused on U.S. targets and is also being used to spread Qakbot, a separate family of banking Trojans. Both Emotet and Qakbot have self-propagating capabilities, which allow the threats to spread aggressively once on a network.

“We believe Mealybug has evolved its business model from a lone threat actor to a global distributor. This follows a trend we identified in the Internet Security Threat Report this year where threat actors are refining their techniques and business models to maximize profits,” said Jon DiMaggio, senior threat intelligence analyst at Symantec. “From our analysis, Mealybug appears to be supporting multiple attack groups at any given time and makes money by taking a cut of the resulting profits.”

Symantec believes Emotet and Qakbot are controlled by two separate groups, and that Mealybug is offering Emotet as a delivery mechanism for Qakbot, as well as other threats. Symantec analysis has detected no overlap between the command-and-control infrastructure of the two Trojans, and also found differences in the code of their main components and anti-debugging techniques.

Mealybug activity presents several challenges for organizations: its worm-like capabilities let it spread rapidly across networks, and its brute forcing of passwords may result in victims getting locked out of their machines, impeding user productivity and increasing demand on helpdesk and IT teams. Network worms like Emotet and Qakbot have regained notoriety in recent years with other notable examples including WannaCry and Petya/NotPetya. These attacks are particularly challenging for organizations because victims can become infected without ever clicking on a malicious link or downloading a malicious attachment.

To help protect against threats such as Emotet and Qakbot, Symantec recommends that organizations deploy endpoint, email, and web gateway security solutions and keep them up to date with the latest protection so that threats like Emotet are detected as early as possible in the infection chain. Symantec also recommends employing two-factor authentication on accounts to provide an additional layer of security and prevent any stolen or cracked credentials from being used by attackers. Symantec’s Targeted Attack Analytics (TAA), a new feature within Symantec Advanced Threat Protection, can detect Emotet’s activity based on suspicious patterns in its propagation behavior, such as when files are dropped by the spreader module on multiple machines.

For more information on Mealybug and a complete list of security best practices for organizations, please visit the Symantec Threat Intelligence blog.

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

Contacts

Symantec
Matt Nagel, (650) 527-8000
uspress@symantec.com