Latin America the 'capital' of Emotet Trojan activity

Recorded Future tracked the locations of command and control servers of the most virulent Trojans over a 39-day period

Latin America is the surprising ‘capital' of remote access Trojan (RAT) activity, according to researchers at Recorded Future's Insikt Group, with the Emotet Trojan particularly widely used by cyber criminals in the region.

Recorded Future found active malware controllers for 14 malware families during the 39-day period of their analysis earlier this year.

But rather than tracking all malware controllers, they focused on just three particularly virulent forms - Emotet, ZeroAccess and xTreme RAT. Emotet was found to be the most prevalent in Latin America, while ZeroAccess and xTreme RAT more commonly run out of South Korea, US, the UK, or India.

One of the most active Emotet command and control centres, though, was found to be operating out of South Korea.

The team identified 26 organisations with hosts infected with Emotet, most of which were also located in Latin America. These organisations were found to be operating in the finance, automotive, energy, retail, construction, entertainment, technology and logistics sectors.

Infected xTreme RAT hosts were identified across Europe, Middle East, South Asia and East Asia, with organisations compromised including companies in gaming, telecoms and IT sectors, as well as an industrial conglomerate.

The research team also identified a single instance of a victim organisation communicating with a ZeroAccess Trojan C2 active on a Romanian IP address. The victim organisation was an IT firm based in East Asia.

A RAT is malware capable of enabling third parties to take full control of a computer system via a remote network connection. RATs typically include a backdoor for administrative control over compromised systems.

In most cases, RATs are downloaded accidentally through a user-requested programme or via an email attachment. Once a system is infected by RAT malware, it enables attackers to use the system to spread the programme to other vulnerable systems.

A RAT enables intruders to perform a variety of activities, such as monitoring user behaviour, logging keystrokes, accessing and exfiltrating confidential information, downloading file systems, recording host audio and video, and much more.

Many state-backed advanced persistent threat groups also prefer to use RATs to attack organisations, because the malware is easy to configure, modify, and use. Its prevalence also provides a modicum of plausible (enough) deniability.

In the current study, researchers examined network metadata using the joint Recorded Future and Shodan Malware Hunter project, as well as the Recorded Future platform. The team looked for active controllers in the period from 2nd December 2018 to 9th January 2019.

The analysis enabled the research team to identify several RAT command-and-control (C2) servers as well as corporate networks that were communicating with those controllers.