
You know Mealybug? Their malware operation has evolved, and that’s bad news for us

You have probably heard of Mealybug, a hacking outfit that has been around since 2014 and done some pretty significant damage. Maybe you did not know exactly what they did, but you were sure you wanted absolutely nothing to do with them.

Back then, the group was notorious mainly for its Emotet banking trojan. The self-propagating malware went after banking customers, mostly in Europe, and did little beyond that.

Why does this matter today? Well, it turns out the people behind Mealybug have expanded their operation to more than just their own attacks.

They’re malware mercenaries now

It is said that crime doesn’t pay, but the truth of the matter is it very much can. In this case, Mealybug has shifted from running only its own attacks to handing its Emotet trojan to other groups.

They are not doing this for free, of course, and are instead making money from other groups who want their malware. Whereas once the Emotet trojan was mostly focused on European banks, it is now being spread all over — with the United States being one of its biggest markets.

Mealybug’s evolution was detailed by Symantec, which says the change follows a broader trend of attackers refining their techniques and business models to maximize profit. For Mealybug, that means supplying multiple attack groups at once, if need be, and taking a cut of whatever they make.

How does it work?

Like much malware, Emotet arrives through a phishing email carrying a malicious link or attachment that downloads the trojan onto the machine. Once it is running, Emotet contacts a command-and-control server and pulls down whatever additional payloads its operators choose.

These days, Emotet is acting as a delivery mechanism for Qakbot and other trojans. Symantec found no overlap between the command-and-control infrastructure of the two trojans, as well as differences in their code, which leads it to believe the two families are run by separate groups.

Once Emotet is on a network, any network, it tries to spread to other machines by guessing logins with a list of passwords built into the malware. Those repeated failed guesses trip account-lockout policies, so victims can find themselves locked out of their own accounts whether or not the guessing succeeds, which causes all sorts of problems.
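That spreading behavior leaves a recognizable trace in Windows logs: one workstation generating failed logons (event 4625) against many different accounts in a short burst, followed by lockouts (event 4740). Here is an added example, not Symantec’s code or anything from the article, that flags that pattern over a handful of constructed log lines. The pipe-separated field layout and the thresholds are assumptions for illustration.

```python
"""Flag hosts that try many accounts in a short burst, the propagation
pattern the article attributes to Emotet.  Added example; the log lines
below are constructed, not real Symantec or victim data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events, flattened (assumed layout) to
# "timestamp|event_id|host|target_user".  4625 = failed logon,
# 4740 = account locked out (host = caller computer), 4624 = success.
# WS-FINANCE-07 plays the infected machine; LAPTOP-ALICE is a user
# mistyping her own password a few times.
SAMPLE_EVENTS = """\
2018-07-18T09:00:00|4625|WS-FINANCE-07|alice
2018-07-18T09:00:02|4625|WS-FINANCE-07|bob
2018-07-18T09:00:04|4625|WS-FINANCE-07|carol
2018-07-18T09:00:06|4625|WS-FINANCE-07|dave
2018-07-18T09:00:08|4625|WS-FINANCE-07|erin
2018-07-18T09:00:10|4625|WS-FINANCE-07|frank
2018-07-18T09:00:12|4625|WS-FINANCE-07|grace
2018-07-18T09:00:14|4625|WS-FINANCE-07|heidi
2018-07-18T09:00:16|4625|WS-FINANCE-07|ivan
2018-07-18T09:00:18|4625|WS-FINANCE-07|judy
2018-07-18T09:00:20|4625|WS-FINANCE-07|carol
2018-07-18T09:00:22|4740|WS-FINANCE-07|carol
2018-07-18T09:00:24|4625|WS-FINANCE-07|dave
2018-07-18T09:00:26|4740|WS-FINANCE-07|dave
2018-07-18T09:01:30|4625|LAPTOP-ALICE|alice
2018-07-18T09:02:10|4625|LAPTOP-ALICE|alice
2018-07-18T09:02:45|4625|LAPTOP-ALICE|alice
2018-07-18T09:03:05|4624|LAPTOP-ALICE|alice
"""

FAIL_EVENT = "4625"
LOCKOUT_EVENT = "4740"


def parse_events(text):
    """Turn the flattened log text into (timestamp, event_id, host, user) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, host, user = line.split("|")
        events.append((datetime.fromisoformat(ts), event_id, host, user))
    return events


def find_spraying_hosts(events, window=timedelta(seconds=60),
                        min_failures=8, min_accounts=5):
    """Return {host: sorted list of accounts it failed against} for every host
    whose failed logons inside some `window` reach both thresholds.

    Requiring many failures AND many distinct accounts is what separates a
    host iterating a built-in password list across the network from a single
    user who keeps mistyping one password."""
    failures = defaultdict(list)
    for ts, event_id, host, user in events:
        if event_id == FAIL_EVENT:
            failures[host].append((ts, user))

    flagged = {}
    for host, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            accounts = {user for _, user in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                flagged[host] = sorted({user for _, user in attempts})
                break
    return flagged


def locked_out_accounts(events):
    """Accounts that hit a lockout, the collateral damage the article describes."""
    return sorted({user for _, event_id, _, user in events if event_id == LOCKOUT_EVENT})


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for host, accounts in find_spraying_hosts(parsed).items():
        print(f"{host}: failed logons against {len(accounts)} accounts: {', '.join(accounts)}")
    print("locked out:", ", ".join(locked_out_accounts(parsed)))
```

Tune the window and thresholds to your environment; a busy service account can legitimately fail against a few systems, but no human types twelve wrong passwords for ten different users in under half a minute.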

According to Symantec, self-propagating malware such as Emotet and Qakbot has come back into play in recent years, as have the WannaCry and Petya/NotPetya worms. And where Emotet was once not especially widespread, handing it to other groups with different goals can only expand its reach.

Here’s how to avoid becoming a victim

The trouble with Mealybug is that what the group does is very hard for organizations to prevent. Still, Symantec advises deploying endpoint, email and web gateway security systems and keeping all of them updated with the latest protections.

Symantec also recommends two-factor authentication on accounts as an extra layer of security. And as with any phishing attack, pay close attention to emails and attachments, and do not click on or download anything that comes from a suspicious source.

