Microsoft: Help us kill off two banking trojans that learned from WannaCry

Microsoft warns that more and more businesses are being infected by consumer-focused banking trojans.

[Figure: Qakbot and Emotet cyber kill chain]

Microsoft has set out the Qakbot and Emotet attack kill chain.

Image: Microsoft


Microsoft has appealed to enterprise customers to help stamp out the Qakbot and Emotet banking Trojans, which have adopted techniques used by WannaCry to spread on corporate networks.

Banking Trojans have for the most part been designed for stealth, helping operators steal credentials — predominantly from consumers — without setting off alarms that could lead to detection.

But cybercriminals behind banking Trojans are testing techniques used by their noisy extortionist cousins in the ransomware industry.

In particular, Qakbot and Emotet have adopted the exploits that helped WannaCry and NotPetya ransomware rapidly spread inside networks using the file-sharing protocol Server Message Block (SMB).

Security researchers discovered in July that Emotet and another active banking Trojan, Trickbot, had adopted the same spreading technique.

Microsoft warns that though Qakbot and Emotet have typically targeted consumers, it’s seeing “more and more” enterprise and small businesses becoming affected by “indiscriminate infections”.

“Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack,” Microsoft said.

Qakbot and Emotet can spread on a network by infecting all accessible network shares and drives, including USB drives, harvesting credentials to spread via default admin shares and shared folders, and guessing the passwords to Active Directory accounts.

“Qakbot and Emotet can also drop copies in other machines in the network using SMB and then use remote execution to activate,” notes Microsoft.
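The guess-then-drop behaviour described above (password guessing against Active Directory accounts, then copying to a machine over a default admin share) leaves a recognisable trail in Windows Security logs. Below is an added detection example, not Microsoft's code or anything from the article: it correlates failed-logon events (ID 4625) with subsequent admin-share access events (ID 5140) per source host. The event records, the failure threshold and the time window are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Each dict is a simplified
# Windows Security event: 4625 = failed logon, 5140 = network share accessed.
SAMPLE_EVENTS = [
    {"ts": "2017-11-06T09:00:01", "id": 4625, "src": "10.0.0.5", "user": "asmith", "share": ""},
    {"ts": "2017-11-06T09:00:03", "id": 4625, "src": "10.0.0.5", "user": "bjones", "share": ""},
    {"ts": "2017-11-06T09:00:04", "id": 4625, "src": "10.0.0.5", "user": "cdoe", "share": ""},
    {"ts": "2017-11-06T09:00:06", "id": 4625, "src": "10.0.0.5", "user": "dlee", "share": ""},
    {"ts": "2017-11-06T09:00:07", "id": 4625, "src": "10.0.0.5", "user": "admin", "share": ""},
    {"ts": "2017-11-06T09:02:30", "id": 5140, "src": "10.0.0.5", "user": "admin", "share": "\\\\*\\C$"},
    {"ts": "2017-11-06T09:02:31", "id": 5140, "src": "10.0.0.5", "user": "admin", "share": "\\\\*\\ADMIN$"},
    # One mistyped password followed by a normal share open must not alert.
    {"ts": "2017-11-06T09:05:00", "id": 4625, "src": "10.0.0.9", "user": "ewong", "share": ""},
    {"ts": "2017-11-06T09:05:20", "id": 5140, "src": "10.0.0.9", "user": "ewong", "share": "\\\\*\\Public"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # default administrative shares

def share_name(path):
    """The 5140 share field is a UNC-style path, e.g. '\\\\*\\C$' -> 'C$'."""
    return path.rstrip("\\").split("\\")[-1].upper()

def detect_spread_candidates(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag source hosts with >= fail_threshold failed logons inside `window`
    that afterwards open a default admin share. Threshold/window are assumed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e))
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda p: p[0])
        recent = deque()                # 4625 timestamps within the window
        users, shares, fails, guessed_at = set(), [], 0, None
        for ts, e in evs:
            if e["id"] == 4625:
                fails += 1
                users.add(e["user"])
                recent.append(ts)
                while ts - recent[0] > window:   # drop failures outside window
                    recent.popleft()
                if guessed_at is None and len(recent) >= fail_threshold:
                    guessed_at = ts     # guessing burst detected at this point
            elif e["id"] == 5140 and guessed_at is not None and ts > guessed_at:
                name = share_name(e["share"])
                if name in ADMIN_SHARES:
                    shares.append(name) # admin share touched after the burst
        if shares:
            findings[src] = {"failed_logons": fails, "distinct_users": len(users),
                             "admin_shares": shares}
    return findings
```

Run over real exports, feed events from every domain controller and file server into one stream, since the failures and the share access usually land on different hosts.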

Microsoft’s telemetry data shows two significant peaks in Qakbot and Emotet encounters in mid-May and August, which together show a general upward trend.

The company has provided a list of actions customers can take to stop the malware spreading, such as disconnecting affected machines from the network and cutting off internet access until the infected machine has been cleaned.

It’s also provided links to its own security products that can help isolate and remove Qakbot, Emotet and other related malware.

[Figure: Qakbot and Emotet monthly machine encounters]

Microsoft says Qakbot and Emotet monthly machine encounters are increasing.

Image: Microsoft