URL:
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
Submission: On March 07 via api from US — Scanned from DE
Learn More Zeigen Sie weiterhin Inhalte für Ihren Standort an United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen Blog Threat Insight Threat Actor Profile: TA542, From Banker to Malware Distribution Service THREAT ACTOR PROFILE: TA542, FROM BANKER TO MALWARE DISTRIBUTION SERVICE Share with your network! Facebook Twitter LinkedIn Email App May 15, 2019 Axel F and the Proofpoint Threat Insight Team Update: Table 1 was updated to reflect a Poland-targeted Emotet campaign discovered on the day of publication. This is the first campaign targeting the region since 2017. OVERVIEW Proofpoint researchers began tracking a prolific actor (referred to as TA542) in 2014 when reports first emerged about the appearance of the group’s signature payload, Emotet (aka Geodo) [1][2]. TA542 consistently uses the latest version of this malware, launching widespread email campaigns on an international scale that affect North America, Central America, South America, Europe, Asia, and Australia. Earlier versions of Emotet had a module that was used to commit banking fraud, specifically targeting German, Austrian, and Swiss banks [7], and for years, the malware was widely classified as a banking Trojan. However, later versions of Emotet no longer loaded its own banking module, and instead loaded third party banking malware. More recently, we have observed Emotet delivering third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. Additionally, Emotet loads its modules for spamming, credential stealing, email harvesting, and spreading on local networks. TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries. TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters. 
Figure 1: Indexed volume of email messages containing Emotet, TA542’s signature payload (from 5/1/17-5/1/19) EVOLUTION OF EMOTET Version 1 of Emotet originated around May 2014 as a banking Trojan, which at first was only known to load its own banking module targeting German and Austrian banks [1][2]. Version 2 was detected in fall 2014, when it began using the Automatic Transfer System (ATS), and had a modular structure with a spamming module, banking module, DDoS module, and address book stealing module [7]. Version 3 of Emotet appeared in January of 2015, containing stealth modifications designed to prevent its detection by anti-malware defenses, and soon began targeting Swiss banks [7]. Version 4 was initially observed around December 1, 2016, spreading via the RIG 4.0 exploit kit [9]. Proofpoint researchers next observed it spreading via emails with links to zipped executables or JScript in February 2017. Starting in April 2017, TA542 began consistently distributing this version in high-volume campaigns. This version does not use its own banking module, but primarily loads other modules and third-party banking malware. Figure 2: Timeline of major milestones in TA542 activity EMOTET MODULES Since its introduction, Emotet has used a number of modules: Main module: Downloads other modules from a command and control (C&C) server. Spam module: This module has been present in most versions of Emotet. The spam module facilitates the continued spread of the Emotet botnet by sending out emails with links or attachments that lead to Emotet. “Distribution is performed using previously scraped mail accounts, which are sent to each spambot” from the C&C [8]. Credential stealing: This module has been present in most versions of Emotet. In version 4, it steals credentials from web browsers and mail clients, using NirSoft tools Mail PassView and WebBrowser PassView [8]. Spreader module: The network spreader module, introduced in September 2017, enumerates network resources. 
It attempts to connect to them “as the currently logged on user before jumping into the bruting portion of the code.” [10] The brute force attack happens by enumerating available logins and attempting passwords from a hardcoded list. For every successful login, a file is copied into the new network folder. A service is configured on the remote system to execute the file. Email harvesting: This module was introduced in October 2018. It exfiltrates email content from the infected machines to the C&C. Specifically targeted components of email include the email subject, body, the name of the sender and the receiver, along with his or her corresponding email address. This information is only stolen for emails sent/received in the last 180 days. “If the body is longer than 16384 characters, it is truncated to this size plus the string ...” [6]. Address book stealer: This module, first seen in 2017, performs a relationship analysis between sender and recipient in the current user’s Outlook data file. It extracts the name and address list from each profile’s address book and then undergoes a recursive scan on each email stored in the data file. Information about each sender and recipient is extracted, which is then used to make inferences about the relationship and refine its targeting, that is then passed to the spam module. [11] DDoS module: No longer active, a module from early versions of Emotet [7]. Banking module: No longer active, a module from early versions of Emotet [7]. DELIVERY As with many threat actors monitored by Proofpoint researchers, TA542 leverages social engineering mechanisms to increase infection rates. They frequently use stolen branding and urgent subject lines in order to deceive potential victims. They also compose emails in the appropriate language for the targeted country. TA542 uses a variety of social engineering mechanisms and strategies, but the most common are described below. 
Email Subjects

TA542 primarily uses generic subject lines that usually refer to transactions, payments, and invoices. Examples include: “ACH Payment Info”, “Payment Notification”, “Transaction for your invoice”, “Overdue payment”, “Paid Invoices”, “Sales Invoice”, “Status update”, “Document needed”, “New Order”, “Receipt for your invoice”.

Email Body

Often, the body of the message is simple, and consists of only a few sentences. Email bodies usually include brief verbiage about missed or upcoming payments, incoming financial statements, or invoices. However, Proofpoint researchers have observed more sophisticated examples in which TA542 included stolen company branding.

Email Thread Hijacking

Thread hijacking is a technique in which threat actors reply to existing benign email conversations with a malicious attachment or URL. Since early April 2019, TA542 has consistently used this technique to distribute Emotet, sending what appear to be replies to legitimate emails [4][5]. While the technique is not novel or original, it is still effective: because victims have seen these email chains before, they may believe that they are interacting with a person they trust, making them more inclined to open attachments and links in the message body. The appearance of thread hijacking followed reports of a new module that can steal emails from the victim’s machines in October 2018 [5].

Brand Abuse

TA542 abuses the branding of dozens of high-profile companies, including them in the body of the email, Microsoft Word document attachments, PDF attachments, and in the malicious URL paths. Commonly abused brands include shipping companies (such as DHL and UPS), telecommunication companies (such as T-Mobile and O2), large financial institutions (such as TD Bank, Barclays, and RBC) and others.

Holiday Lures

TA542 also drafts holiday-themed lures to target consumers during major holidays.
Proofpoint researchers have observed seasonal upticks in TA542 Emotet activity, especially around Christmas, Thanksgiving, Black Friday, and Cyber Monday, likely targeting holiday shoppers.

Geographical targeting

TA542 frequently targets certain core geographies such as Germany, United Kingdom, United States, and Latin America. TA542 also targets other countries, but less consistently. Each region is targeted with appropriate language translations in email bodies, subjects, filenames, and geographically relevant branding. Known targeted countries are listed in Table 1 below:

| Country | Language | Note |
| --- | --- | --- |
| Germany | German | Consistently targeted |
| Austria | German | Intermittently targeted: first targeted in 2015; since then intermittently targeted until April 9, 2019, when we began to observe regular targeting |
| Switzerland | German | Intermittently targeted: first targeted in 2015; since then intermittently targeted until April 9, 2019, when we began to observe regular targeting |
| United Kingdom | English | Consistently targeted |
| United States | English | Consistently targeted |
| Canada | French | Intermittently targeted |
| Japan | Japanese | Proofpoint observed campaigns on April 12-16, 2019 |
| China, Hong Kong, Taiwan | Chinese | Proofpoint observed campaigns on April 12-16, 2019 |
| Australia | English | Proofpoint observed several campaigns in April 2019 |
| Latin America | Spanish, Portuguese | Proofpoint regularly observes countries targeted in this region, including: Mexico, Uruguay, Argentina, Colombia, Chile, Bolivia, Paraguay, Brazil, Ecuador, Costa Rica, El Salvador, Guatemala |
| Caribbean | Spanish | Countries such as the Dominican Republic |
| Poland | Polish | Last observed in 2017. Update: Proofpoint researchers detected a campaign targeting Poland on May 15, 2019 |

Table 1: Description of the countries with observed Emotet email campaigns. Note that this list is not considered exhaustive.

EXAMPLE EMAILS

This section highlights email lures from some of the more notable TA542 campaigns.
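One of the example emails that follows uses thread hijacking. The check below is an added example, not Proofpoint code or a Proofpoint detection: it parses a constructed reply with the Python standard library and flags the traits described under Email Thread Hijacking above, namely a reply whose sender reuses a display name from the quoted thread but writes from a different domain, and which carries one of the attachment formats the post lists. The quoted-header regex, the extension list and the sample message are assumptions.

```python
import re
import email
from email import policy

# Constructed sample message (not a real capture): a "reply" that reuses the quoted
# sender's display name, comes from a domain absent from the thread, and carries a Word file.
SAMPLE_MAIL = """\
From: Dana Ortiz <d.ortiz@mail-example.test>
To: Pat Lee <pat.lee@acme.example>
Subject: RE: Overdue payment
In-Reply-To: <5f1c7a@acme.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
> From: Dana Ortiz <dana.ortiz@supplier.example>
> Subject: Overdue payment
> Hi Pat, the March invoice is still open.
--b1
Content-Type: application/msword; name="Invoice_0429.doc"
Content-Disposition: attachment; filename="Invoice_0429.doc"

not a real document
--b1--
"""

RISKY_EXT = (".doc", ".docm", ".pdf", ".js", ".jse", ".zip")  # formats named in the post
# Matches "> From: Name <user@domain>" lines in the quoted thread; captures name and domain.
QUOTED_FROM = re.compile(r'^>\s*From:\s*"?([^"<]+?)"?\s*<?[\w.+-]+@([\w.-]+)>?', re.M)

def hijack_indicators(raw):
    """Return the thread-hijacking traits found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not (msg["In-Reply-To"] or msg["References"]):
        return []  # not a reply, so thread-hijacking checks do not apply
    sender, reasons = msg["From"].addresses[0], []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Domains the quoted thread associates with the reply's display name.
    quoted = {d.lower() for n, d in QUOTED_FROM.findall(text)
              if n.strip().lower() == sender.display_name.lower()}
    if quoted and sender.domain.lower() not in quoted:
        reasons.append(f"'{sender.display_name}' reused from thread, sent from {sender.domain}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            reasons.append(f"reply carries risky attachment {fn}")
    return reasons
```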
The figure below shows the following email messages:

* German language email targeting Switzerland containing a malicious URL on April 29, 2019 (top left).
* English language email targeting the United States and utilizing thread hijacking on April 30, 2019 (top right).
* Chinese language email targeting Taiwan on April 12, 2019. This email is notable because, for a few days in April, TA542 experimented with targeting this region as well as China, Hong Kong, and Australia (bottom left).
* Spanish language email targeting a company in the Dominican Republic on May 3, 2019. This particular email is notable because, while Latin American countries are frequently targeted, the neighboring Caribbean countries are rarely targeted (bottom right).

Figure 3: Example emails showing a variety of geographic targeting by TA542, including language localization

The example emails below show the seasonal customization used in the days leading up to Christmas and Black Friday in 2018:

Figure 4: Example emails showing holiday email lures

ATTACHMENTS / URLS

The malicious content included in the emails sent by this threat actor is generally either a URL or an attachment, although Proofpoint researchers have observed some instances in which both were included at the same time. The actor maintains a diverse arsenal of attachments and URLs in order to vary their attacks. TA542 frequently uses some formats, such as attached Microsoft Word documents with macros and URLs linking to similar documents. The actor uses other formats such as PDFs and JScript intermittently. Finally, formats such as password-protected Zip files containing Microsoft Word documents appear to be experimental, and it remains to be seen whether they will be adopted for broader use.

Attachments

The following is a list of known types of email attachments used by TA542.
All types of attachments are first-stage downloaders that attempt to download the Emotet payload, or another intermediary downloader in the case of PDFs, from one of several (typically five) hardcoded payload URLs. Many unique attachments can contain the same set of payload URLs. TA542 also exchanges the URL sets several times a day.

* Microsoft Word documents with macros
* PDFs with links to Microsoft Word documents with macros
* PDFs with links to Zip archives with JScript files inside
* Password-protected Zip archives with JScript files inside
* Password-protected Zip files containing Microsoft Word documents

URLs

The following is a list of known types of URLs that the actor embeds in the emails. The URLs are frequently hosted on compromised vulnerable sites, including vulnerable WordPress installations. The actor typically adds a nested structure of one or more folders on the compromised site and hosts a malicious PHP script that initiates the download of the payload. The folder names are sometimes synchronized with the rest of the campaign theme, and might use stolen branding.

* URLs linking to Microsoft Word documents with macros
* URLs linking to Zipped Microsoft Word documents with macros
* URLs linking to JScript
* URLs linking to Zipped JScript
* URLs linking to Zipped executables (not used since 2017)

Experiments

* April 3, 2019: First use of password-protected Zip files containing JScript. The actor has intermittently used this technique several more times.
* April 4, 2019: First use of password-protected Zip files containing Microsoft Word documents. At the time of writing of this analysis, the actor has only used this method once.

Figure 5: TA542 most commonly uses Microsoft Word documents with macros. The actor periodically updates the visual lure used in the document. This collage shows many of the lures used.

Figure 6: PDF attachment examples used by this threat actor.
The actor commonly abuses branding of large financial institutions, telecommunications companies, and more in the PDFs.

CONCLUSION

In the last two years, TA542 has become one of the most prolific threat actors in the overall threat landscape. Leveraging a robust botnet known as Emotet, TA542 orchestrates high-volume, international email campaigns that distribute hundreds of thousands or even millions of messages per day. They use Emotet to download third-party banking malware such as The Trick, IcedID, and Gootkit, and to facilitate the continued spread of their botnet via a number of modules. As TA542 continues to operate at near-global scale, we can expect Emotet use to grow in the upcoming quarters.

REFERENCES

[1] https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/
[2] https://web.archive.org/web/20140708121405/https://www.abuse.ch/?p=7930
[3] https://www.proofpoint.com/us/threat-insight/post/proofpoint-threat-report-banking-trojans-dominate-malware-landscape-first-months
[4] https://www.trendmicro.com/vinfo/nz/security/news/cybercrime-and-digital-threats/further-emotet-evolution-operators-hijacking-existing-email-threads-to-deliver-malware
[5] https://cofense.com/emotet-gang-switches-highly-customized-templates-utilizing-stolen-email-content-victims/
[6] https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/
[7] https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/
[8] https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
[9] https://twitter.com/kafeine/status/804360636847321088
[10] https://www.fidelissecurity.com/threatgeek/threat-intelligence/emotet-network-spreader-component/
[11] https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus