View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 23, 2018updated 07 Jul 2022 8:40am

Emotet Trojan on the Market as Hack Groups Become Malware Mercenaries

Tightening of banking security such as two-factor verification is putting pressure on hack groups to diversify

By CBR Staff Writer

Mealybug, the hacker group behind the 2017 Emotet banking malware attacks, have redefined their organisation’s business model and now operate as malware mercenaries.

This is according to cybersecurity firm Symantec, who say the group have moved from maintaining Trojans designed to attack the banking sector, to a role that sees them as distributors of malware capabilities.

In a blog post, Symantec’s Threat Intelligence group identified the change in tactics over the last year, noting: “Mealybug has developed its capabilities over the years and now appears to offer an “end-to-end” service for delivery of threats.”

“It delivers the threats, obfuscates them to reduce the chances of detection, and provides a spreader module that allows the threats to self-propagate.”


In 2017 the European banking sector was under siege from the Trojan malware Emotet, a self-propagating malware that spreads though computer networks collecting machine information before sending it back to the command and control server (C&C).

Once malware is in place on just a single computer: “Emotet downloads and executes a spreader module that contains a password list that it uses to attempt to brute force access to other machines on the same network,” states Symantec.

This can cause a number of problems for your IT network adding work load as processes run in the background, but it will also result in downtime for your employees as they are locked out of their accounts due too many incorrect password entries.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The module will also send out email phishing spams within your network often using standard social engineering techniques such as including the word ‘invoice’ in the subject line.

The email may also contain the name of the employee who’s system has already been compromised.

Once sensitive information has been collated it is then sent back to the C&C server.

Earlier this year we reported how two threat groups aligned their interests and worked in collaboration to combine their Trojans ‘IcedID’ and ‘TrickBot’ to attack the banking infrastructure, in another example of a changing malicious malware marketplace.

We discussed how the attackers now send IcedID directly as spam, and the malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.


Symantec have followed the use of this particular Trojan and is seeing a sharp increases in its use in the US.

Symantec notes in their threat analysis report that: “Mealybug seems to have found its niche as a provider of delivery services for other threats. The main component of Trojan.Emotet functions as a loader, and can theoretically support any payload.”

The Emotet Trojan is now been recorded across the globe and its targets are no longer aimed at the banking sector. The sheers number of uses means that this is out on the black market for use.

“Emotet surged in the second half of 2017, and in that year Mealybug’s targets included victims in Canada, China, the UK, and Mexico,” states Symantec.

A key reason cited for the change in tactic by Mealybug is the introduction and widespread popularity of two-factor authentication. This has made it “difficult to compromise accounts by stealing credentials, and awareness and protection has improved as online banking has matured,” note Symantec.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.