Mealybug, the group behind Emotet, has changed its business model from maintaining the malware to distributing it. This cybercrime-as-a-service offering has attracted the interest of other threat actor groups.
Mealybug is a threat actor group that surfaced in 2014.
The Emotet Trojan can perform brute-force password attacks. These often result in failed logins, which in turn can lead to locked-out accounts. The effect is visible at IT helpdesks, which get flooded with messages from users who have been locked out.
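As an added illustration of the lockout symptom described above (example code, not from the original post), the following detection logic runs over constructed sample log lines in a simplified "timestamp event_id account host" layout modelled on Windows Security events 4625 (failed logon) and 4740 (account locked out); the layout and sample values are assumptions. It flags a host whose failed logons hit many distinct accounts in a short burst, which is the pattern a brute-force attempt leaves, while a single user mistyping their own password is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): "timestamp event_id account host",
# modelled on Windows Security events 4625 (failed logon) and 4740 (lockout).
SAMPLE_LOG = """\
2019-03-04T09:00:01 4625 alice WS-17
2019-03-04T09:00:02 4625 bob WS-17
2019-03-04T09:00:02 4625 carol WS-17
2019-03-04T09:00:03 4625 dave WS-17
2019-03-04T09:00:04 4625 erin WS-17
2019-03-04T09:00:05 4740 bob WS-17
2019-03-04T09:00:06 4740 carol WS-17
2019-03-04T09:05:00 4625 alice WS-02
"""
LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+)$")

def parse_events(text):
    """Parse lines into (timestamp, event_id, account, host) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, account, host = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), account, host))
    return events

def find_bruteforce_hosts(events, window=timedelta(minutes=5), min_accounts=4):
    """Map host -> sorted accounts for hosts whose failed logons hit at least
    `min_accounts` distinct accounts within one `window`. A lone mistyped
    password (WS-02 above) never reaches the threshold and is not flagged."""
    failures = defaultdict(list)
    for ts, eid, account, host in events:
        if eid == 4625:
            failures[host].append((ts, account))
    flagged = {}
    for host, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            hit = {a for t, a in attempts[i:] if t - start <= window}
            if len(hit) >= min_accounts:
                flagged[host] = sorted(hit)
                break
    return flagged

def lockouts_by_host(events):
    """Count 4740 lockouts per originating host: the helpdesk-visible symptom."""
    counts = defaultdict(int)
    for _, eid, _, host in events:
        if eid == 4740:
            counts[host] += 1
    return dict(counts)
```

Correlating the flagged host with the lockout counts points the helpdesk at the machine generating the failures rather than at the individual users calling in.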
The second characteristic of the Emotet Trojan is that it uses harvested company information to spread itself: its spam module sends out emails that often contain words such as 'Invoice' and 'Urgent'.
The Emotet Trojan also contains the following modules:
The threat actor Mealybug might also be behind the following malware:
Mealybug has evolved its business model towards an end-to-end service.
The threat actor behind Emotet has implemented multiple anti-analysis techniques to reduce the risk of the malware being detected by conventional anti-virus solutions. The techniques used are:
Once on a machine, the latest version of Emotet first moves itself to a preferred directory. It then creates a LNK file that runs at start-up, and once that persistence is in place the victim machine starts sending information to the Emotet command and control server.