Trojan Horses: From Ancient History to Modern Threat
In January of this year, the Trojan horse (or simply trojan) known as Emotet was disrupted thanks to a coordinated international effort, which included authorities from both sides of the Atlantic. Since originating as a banking trojan in 2014, it has gone on to wreak havoc across millions of devices. It was even developed into an ‘attack for hire’ service offered to other criminal gangs, allowing them to install other types of malicious software onto already-infected devices. Last year alone, which saw many records broken in terms of the number of cyberattacks (as criminals sought to exploit the pandemic), the use of Emotet increased by a staggering 4000% [1]. The costs associated with this trojan have also been astronomical, with a report from US Homeland Security quoting up to $1 million per incident to remediate [2]. It is therefore no wonder that Europol described Emotet as one of the “most professional and long-lasting cybercrime services out there” [3]. But what exactly is a trojan, and what is it about trojans that makes them so dangerous?
For those living outside of the IT bubble, you may be familiar with the term trojan but unaware of how it differs from, say, a virus or a worm, or of what makes it so incredibly dangerous. First, a quick history lesson.
Many of us are likely aware of the Greek myth of the Trojan horse, introduced by the Greek poet Homer over 2000 years ago, in which, to end the ten-year siege of the city of Troy, the Greeks offered the city a wooden horse, supposedly as a peace offering. However, a force of Greek soldiers hidden inside the horse snuck out at night and destroyed the city. Fast forward to the modern day and computer trojans operate in the same way, by pretending to be legitimate software. They act as bait, with cybercriminals using social engineering tactics to manipulate users into giving the trojan easy access to the network, where it releases its malicious code.
“A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorisations of a system entity that invokes the program.”
- National Institute of Standards and Technology (NIST)
Trojans come in all shapes and sizes, from banking trojans designed to gain access to online banking applications to trojans that spy on the user, track keystrokes, take screenshots, etc. The end goal is to steal information, extract money or otherwise exploit the victim. Trojan can therefore be viewed as an umbrella term for a malware delivery mechanism [4], which hackers use for various threats (e.g. ransomware attacks, file deletion, information theft).
The reasons behind these kinds of attacks are varied: politically motivated attacks, corporate espionage, resource theft and nation-state sponsored cyberwarfare, to name a few. However, most attacks continue to be primarily financially motivated, as cybercrime is an incredibly profitable business, with high-end cybercriminals making $166,000 plus per year [5].
There are several ways in which a trojan can infect a device; the common theme throughout each method is that they require interaction from the victim to complete the attack, much like how the inhabitants of Troy pulled the horse into the city. This is also why social engineering is such a big part of trojan attacks. After all, it is easier to target the weakest entry point, the human, than trying to hack a network directly.
Some examples of how trojans make their way onto devices include:
- Phishing or spear phishing attacks: legitimate-looking emails with harmful attachments or malicious links that direct victims to a dodgy website.
- Fake Wi-Fi hotspots set up by hackers to redirect users to malicious sites.
- A cybercriminal exploiting software vulnerabilities.
- Pop-up advertisements or fake antivirus software claiming that the user’s computer is infected (“scareware”).
Once the user has clicked and downloaded the malware, it resides undetected until the user carries out whichever specific action the trojan has been designed to respond to (e.g. visiting a banking website). A trojan may spread by turning the host computer into a ‘zombie’, where the victim has no idea that their device is being controlled by someone else. The zombie device spreads further malware to other devices, creating a network of zombie computers known as a ‘botnet’. But it isn’t just computers that trojans can infect; devices such as smartphones and tablets are also susceptible to these kinds of attacks.
With Emotet, many infections spread through sophisticated phishing campaigns that specifically targeted Windows-based systems. One high-profile victim of this attack was the Chilean bank Consorcio, which suffered $2 million in damages. Another victim was the town of Allentown, in Pennsylvania, which suffered $1 million worth of damages.
To those unfamiliar with this topic, the terms trojan and virus may seem to be one and the same. Perhaps you have even come across the (technically incorrect) term ‘trojan virus’? While both are forms of malware, each possesses distinct features that separate it from the other, from its method of delivery and how it interacts with the host to the speed at which it operates. The two most distinct features worth mentioning are:
- Unlike a virus, a trojan cannot manifest itself without interaction from the potential victim. This is why social engineering plays such a key role in trojan attacks.
- A virus replicates and spreads moderately quickly, whereas a trojan does not self-replicate, and its spread rate in comparison to a virus is slow.
Trojan horses are complex in that they can remain on a device undetected for a long time. Then, once a trojan has completed its intended task (e.g. logging keystrokes to steal login data), it may delete itself, return to a dormant state, or continue to be active on the device [6]. Nonetheless, some signs that you have become a victim of a trojan horse attack include:
- A sudden loss of device performance
- Excessive amounts of pop-up ads
- Your browser settings have changed, or the browser redirects you to a different site
- Unknown programs in your task manager
- The device seems to be performing independently
- Antivirus and anti-malware tools are disabled
As previously mentioned, a trojan cannot manifest without interaction from the end user, e.g. downloading a malicious file or clicking a malicious link. Cybercriminals therefore rely heavily on social engineering to trick users into taking the action that makes the attack succeed. As over 90% of malware is still delivered via email, learning how to detect a phishing email will go a long way towards keeping you protected. Remember:
- Check the sender address; are they who they claim to be?
- Check the language used in the email; does it seem too formal or too casual?
- An urgent need to take action is usually a sign of a phishing email
- Do not download attachments without confirming the legitimacy of the email
Being aware of the threats and learning how to spot a phishing email is a good starting point for improving your cybersecurity defences, but it is by no means a panacea. Keeping regular, multiple backups and frequently scanning your device for malware are also important. Downloading apps and software only from reputable sources is another way to avoid becoming a victim of this kind of attack. Remember that all unsolicited communication should be treated with healthy suspicion.
With 2018 alone seeing a 239% year-on-year uptick in incidents relating to banking trojans [7], and cybercrime projected to cost the world $10.5 trillion annually by 2025 [8], the problem does not look to be going away anytime soon. So take extra care when using the internet or interacting with emails, and remember that if something seems too good to be true, it probably is!
Author: Tomas Edwards