Who’s going to replace Emotet?

BattleBots 2021

Back in January, we reported on a collaborative law enforcement effort that led to the takedown of Emotet, which was perhaps the largest and most successful malware-as-a-service in history. Since law enforcement agencies were able to take over the servers in the Emotet network, they were also able to load a module on all infected systems to have Emotet uninstall itself on April 25th (which is just a couple of weeks away). The loss of Emotet left a vacuum in the malware-as-a-service space and we’re now seeing a couple of contenders for the top spot.

Emotet began as a banking trojan that later became a downloader embedded in malicious Office documents. It was typically distributed via malspam with a massive network that was often paired with ransomware. Dridex, IcedID, and QBot have taken top spots for the most seen malware in March 2021 according to multiple reports (see references below).

Like Emotet, these started as banking trojans that focused on stealing credentials but have largely shifted tactics and are used as downloaders for loading different malware, often paired with various ransomware variants. There was a spike in malspam campaigns in March mostly focused on COVID-related news that led to multiple infections of Dridex, IcedID, and QBot around the globe.

We’ve even seen some URLs that were hosting QBot switch to IcedID and then back again after a recent update to QBot, making it more difficult to detect and breaking all the current configuration extractors used by researchers.

Dridex is an evolution of Cridex, which was based on Zeus, and first appeared on the scene in 2014. It’s gone through multiple iterations with regular active development and new features added. The latest campaign was distributing malicious XLSM samples via malspam that appear to be invoices from a logistic company. It uses social engineering tactics to convince victims to allow the malicious macros to run, which then, in turn, download a malicious DLL that then handles connections to the C2 network for additional instructions.

IcedID first appeared in 2017 as a banking trojan. IcedID campaigns tend to hijack existing email threads and attach a malicious zip file that extracts to an XLSM and appears to be relevant to the conversation. Once again, malicious macros in the file download a DLL that then takes over C2 communication and establishes persistence via multiple mechanisms.

QBot has been around since 2007. Like the others, QBot is also distributed via malspam that includes a malicious Excel document, but it calls JavaScript to download the DLL which handles C2.

Of course, there are many other similar malware families out there following similar tactics, like Lokibot and Trickbot. The Perch team will continue to keep an eye on all of these variants and more. We download hundreds of malware samples each day to analyze and use this information to improve our detection capabilities.

The FBI has been cleaning up your web shells

Last month, we saw some critical 0-day vulnerabilities discovered in Microsoft Exchange, commonly referred to as Proxylogon, which were used to drop web shells on Exchange servers across the globe. This week, sealed court orders were made public that disclose new information that the FBI received a warrant to remotely access and delete web shells on compromised servers.

Federal agents utilized the malicious web shells to issue commands to delete the web shells. They did not take any further action to patch infected systems. The deletions occurred without the knowledge of the owners of the infected systems; however, the FBI claims they will attempt to email owners of all the servers they touched with information regarding what actions were taken and recommendations on how they can patch their systems to prevent future infections.

This news came out around the same time that additional remote code execution (RCE) vulnerabilities were disclosed for Exchange during April’s Patch Tuesday and less than a week after additional undisclosed vulnerabilities were used at Pwn2Own. After all the excitement of the past month, it seems a new focus has been placed on Exchange by security researchers and bad actors alike. So far, there’s no evidence that any of these new vulnerabilities have been used.

  • Bryson Medlock, the Dungeon Master

References

https://therecord.media/icedid-malware-gang-positioning-itself-as-one-of-the-emotet-replacements/

https://blog.checkpoint.com/2021/04/13/march-2021s-most-wanted-malware-icedid-banking-trojan-enters-top-10-following-covid-related-campaign/

https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html

https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/

https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/

https://blog.lexfo.fr/dridex-malware.html

https://www.justice.gov/opa/press-release/file/1386631/download

https://www.theregister.com/2021/04/14/fbi_exchange_server_malware_deletion/