Emotet and TrickBot

Two banking trojans — Emotet and Trickbot — have added support for a self-spreading component to improve their chances of infecting other victims on the same network.

This is something new because until recently, banking trojans didn't come with self-spreading modules, being focused mainly on remaining undetected and gathering user credentials without alerting the victim.

It was only after the success of the WannaCry ransomware, and later NotPetya, that we've seen a resurgence of worm components in today's malware.

Emotet

The first to feature a self-spreading component was the Emotet trojan. Spotted by Fidelis and Barkly researchers, this banking trojan drops a self-extracting RAR file on infected hosts, and it uses it to search and gain access to local network resources by brute-forcing their logins.

Emotet's self-spreading component for laterally moving inside a network should not be confused with its propagation module that relies on extracting contacts from email clients and spamming each victim with malicious emails.

This banking trojan is one of today's most active threats, and besides helping crooks collect banking credentials and steal money from bank accounts using surreptitious MitB (Man-in-the-Browser) attacks, the trojan is also used to collect credentials for social media accounts, or even drop other malware on infected hosts — a.k.a. working as a malware downloader.

TrickBot

The second banking trojan spotted sporting a self-spreading worm-like module is TrickBot, a banking trojan that last month expanded its targeting to web-based CRMs and PayPal users.

TrickBot has been seen distributed via spam sent out via the massive Necurs botnet, and a sample discovered this past week included a new SMB worm module designed to spread the trojan to nearby computers on the same network.

Discovered by researchers from Flashpoint and Deloitte, the module scans domains for lists of servers via the NetServerEnum Windows API, and enumerates other computers via Lightweight Directory Access Protocol (LDAP).

The good news, according to Flashpoint Director of Research Vitali Kremez, is that the SMB worm module does not appear to be fully implemented just yet.

The bad news is that TrickBot authors have been constantly expanding its capabilities on a regular basis, meaning it won't take too long before the SMB worm is up and running.

For a few years, worms looked like they died out. The WannaCry and NotPetya ransomware outbreaks have shown cyber-criminals why worms were so successful in the first place. The consensus among malware researchers is that we'll see an increase of dangerous malware (banking trojans and ransomware) that chooses to deploy self-spreading worms in their default configurations in the near future.

Image credits: Sergey Saakyan, Bleeping Computer, Flashpoint