The Old is New Again – Return of the Trojan Horse

Trojan horse, backdoor, and spyware exploits are back with a vengeance, according to a recent report by cybersecurity firm Malwarebytes.  These exploits may seem like old and out-of-date attack vectors, but these tools have been updated and revamped, and are appearing at an alarming rate.  Last year, Trojan horse deployments increased by 132%, backdoors increased by 173%, and spyware exploits increased 142%.

Crypto-ransomware and crypto-jacking exploits have been the hot and sexy threats over the last several years, but this is changing.  With the drop in values for crypto-currencies, crypto-mining and crypto-jacking exploits have become less profitable.  And crypto-ransomware exploits, which always bore expensive overhead costs to the attacker, have been blunted by new anti-crypto tools provided by anti-malware companies, such as Sophos Intercept-X.  This has made crypto-ransomware less profitable for cyber-criminal collectives.  Ransomware exploits only increased 9%, while crypto-jacking actually decreased.

According to US-CERT, much of this increase in Trojan horse activity can be attributed to the Emotet, TrickBot, QBot and BitPaymer malware exploits.

“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic (always mutating) banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.”

Once the link has been clicked or the attachment opened in these phishing emails, the Trojan horse is installed.  In many cases, a PowerShell script is used to download Emotet.  Emotet in particular is often used as a “dropper” program, downloading and installing other tools, such as Netpass.exe, WebBrowserPassView, MailPassView, an Outlook scraper, and a credential enumerator.  These tools allow the attacker to recover network passwords, collect names and email addresses, recover passwords stored in a web browser, recover email passwords, and use SMB (Server Message Block) vulnerabilities to enumerate network resources and devices and to discover and access network file shares.
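The chain above (Office document spawns PowerShell, PowerShell pulls a payload, the dropper launches credential tools) leaves a recognizable trail in process-creation telemetry. The following is an added example, not code from the original post: it runs simple parent/child and command-line checks over constructed process-creation records of the kind you would get from Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1. Hostnames, paths and command lines in the sample are made up.

```python
import re

# Office applications that should not normally be launching a shell
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
# Download/launch primitives typical of a macro-launched PowerShell stager
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|net\.webclient|start-process|\biex\b)", re.IGNORECASE)
# Second-stage tools the post names as Emotet drops
DROPPED_TOOLS = {"netpass.exe", "webbrowserpassview.exe", "mailpassview.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection labels raised by one process-creation event."""
    parent = basename(event.get("parent", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    hits = []
    if parent in OFFICE_PARENTS and child in SHELLS:
        hits.append("office-spawns-shell")
    if child in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(cmd):
        hits.append("powershell-downloader")
    if child in DROPPED_TOOLS:
        hits.append("credential-tool-drop")
    return hits

def scan(events):
    """Apply classify() to a batch; keep only events that raised a label."""
    out = []
    for e in events:
        hits = classify(e)
        if hits:
            out.append((e["host"], basename(e["image"]), hits))
    return out

# Constructed sample records (not real logs); the base64 body is a placeholder
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc BASE64PLACEHOLDER"},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\NetPass.exe", "cmdline": "NetPass.exe"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_EVENTS):
        print(host, image, ", ".join(hits))
```

The third record (an interactive PowerShell launched from Explorer) raises nothing, which is the point: the signal is the Office parent and the download/encoded command line, not PowerShell by itself.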

Prevention is the best defense.  Of course, you can and should warn your user community to be alert for phishing emails, and to avoid clicking on links or opening attachments.  But this does not work 100% of the time, and it only takes a single ill-considered click to start the ball rolling on your network.  Here are actions you can take to block Emotet from installing on your network:

  • Block PowerShell – In Windows, PowerShell is enabled by default.  But very few users need access to PowerShell.  Blocking or blacklisting PowerShell using your application control program should prevent Emotet from installing at all.  Users who require PowerShell can be granted access individually.
  • Patching and updates – Of course, running Windows operating system updates, software updates, and anti-malware updates can help, and should be part of your current cybersecurity program.
  • Identify weak or unknown devices – Use a network scanning tool to first list all of the devices attached to your network.  If there are devices attached to your network that you can’t identify, chances are they are running unpatched.  These devices often provide the perfect foothold for cyber-attackers looking to set up a long-term exploit.  These might be old servers, or computers running home-brewed network applications.  In my experience, I have found applications running on old and unsupported versions of Windows, such as XP or Server 2003.  Or they might be any of the many IoT devices appearing on business networks.
  • Vulnerability scanning – Then scan for unpatched vulnerabilities and make sure to apply the necessary updates or remediation steps to bring your systems up to standards.

The threat environment is constantly evolving, and it requires vigilance to stay on top of the current threats.  This exploit appears to be favored by the threat actors, and we need to be defending against this type of attack.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at

