TrickBot Becomes Biggest Malware Threat Following Emotet Takedown

The Emotet botnet was the biggest malware threat until a joint law enforcement operation succeeded in taking the botnet down. Emotet was primarily used as a malware loader, with the malware-as-a-service operation used to distribute several malware variants. The takedown of the Emotet botnet only caused temporary disruption to malware distribution, with cybercriminals quick to switch to other botnets to distribute their malware payloads.

The operators of the TrickBot botnet survived an attempt by Microsoft and its partners to shut down its operation in late 2020. The infrastructure was rapidly rebuilt and was back up and running at full tilt. TrickBot has been one of the main malware variants to benefit from the absence of Emotet, and it is now the biggest malware threat according to an analysis by researchers at Check Point.

In the last quarter of 2020, Emotet was the biggest malware threat and that continued in January until the botnet was taken down. In January, TrickBot ranked in third place but Check Point’s data for February show it is now the biggest malware threat, following a massive spamming campaign in February delivering the Trojan. TrickBot has not reached the same level as Emotet so far, but infections are growing fast, and other malware loaders are also taking advantage of the gap left by Emotet.

“Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks from being compromised and minimize risks”, explained Check Point in its recent malware report.

Emotet and TrickBot have similar capabilities. Both are banking Trojans, but they are more commonly used as first-stage loaders for delivering other malware variants, including ransomware. TrickBot is an attractive alternative to Emotet: the malware has a proven track record, has been used in extensive attacks, offers a range of capabilities, is regularly updated with new functions, and is able to evade security solutions.

The second most prevalent malware threat in February is also a malware loader. XMRig was used in a large-scale campaign to deliver the XMRig cryptocurrency miner and ransomware. The Qbot banking Trojan was the third most prevalent malware threat. The absence of Emotet has also led to increases in other malware variants such as Formbook, Ramnit, and Glupteba.

The three most commonly used malware variants are mostly distributed through spam and phishing emails. Defending against these attacks requires a combination of a powerful email security solution and end user training. Technical controls should block the majority of threats; however, some will inevitably slip past those defenses and reach inboxes. It is therefore essential that the workforce is trained to recognize and avoid these threats.

The biggest mobile malware threat in February was Hiddad, with the xHelper malicious app in second place followed by the FurBall RAT.

Exploitation of vulnerabilities was also common in February. The most commonly exploited vulnerability was the “Web Server Exposed Git Repository Information Disclosure” vulnerability, which impacted 48% of organizations, followed by the HTTP Headers RCE vulnerability (CVE-2020-13756), which affected 46%. They were closely followed by the DVR RCE vulnerability, which affected 45% of organizations globally.

The high number of attacks exploiting vulnerabilities and the number of companies that have been successfully attacked confirm just how important it is to ensure that patches are applied promptly after they have been released.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of