Some cybersecurity threats are so old-school that you don't really hear that much about them—and they might even appear to slow down over the years. But since the beginning of the COVID-19 pandemic, threat actors and malware authors have been finding new ways to exploit the situation the world has found itself in. One of the most common tactics we're seeing is the use of trojans.
How and why do they still persist? How can organizations protect themselves in the wake of so many new and reinvented campaigns? For a thorough examination, let's start at the beginning.
- Defining trojans
- Types of trojans
- How to protect against trojan attacks
- How to recognize a trojan infection
It wouldn't be right to talk about trojans if we didn't briefly touch on the origins of the term itself. The story of the Trojan Horse is well-known: it chronicles how Greek soldiers were able to take over Troy, considered an impregnable city. All it took to actually take Troy down was a trick—the attackers built a wooden horse that was presented to the Trojans as a gift, which they gladly accepted. They let it through their protective walls, and once it was inside the city, Greek warriors got out of the horse while no one was around and attacked.
Even after more than 3,000 years, the Trojan horse remains a metaphor, symbolizing any strategy that allows attackers to infiltrate and ultimately defeat their opponent—through the opponent's unknowing cooperation.
Trojans in cybersecurity also use deception—or in this case, social engineering—to trick victims into running seemingly benign, sometimes even familiar, programs whose contents are anything but benign. These trojans are code or programs disguised as legitimate software that behave maliciously once run, while concealing that malicious activity from the user. The victim willingly installs them to perform a desired function, but once installed they perform a harmful one.
While we often hear the term "trojan virus", trojans are not technically viruses. A virus spreads by attaching itself to other software and replicating on its own; a trojan does not self-replicate, and spreads by disguising itself as other software that the user chooses to run.
Trojans can arrive in any form: email attachments, free music, tools, online games, advertisements or any seemingly harmless and legitimate app. Because there are so many ways in which trojans can disguise themselves, there are just as many ways in which users can get infected with them.
Trojans are usually installed on a victim's device while the victim is browsing the internet, downloading free tools, programs and utilities or through a phishing email. They disguise themselves as valid software; oftentimes, even anti-malware software, to add to the irony. The victim is usually unaware of the presence of the malicious program, but once it's installed, it can execute code to create backdoors, run scripts, monitor activities, disrupt performance of devices and networks, and steal personal data.
Another way in which trojan authors prey on unsuspecting users is by disguising the program as something tied to the latest trends and events around the world. We've seen a great deal of this during the COVID-19 pandemic, which has brought an exceptional volume of trojans.
As one of the oldest forms of digital threats in existence, trojans have seen their widespread re-appearance over the last couple of years, with 2021 showing signs of them dominating the cyber threat landscape yet again.
In these first few months of the year we have already seen the newly discovered ElectroRAT trojan that has been found targeting cryptocurrency users; a malware campaign involving a new Quaverse trojan that lures people into downloading a malicious attachment from phishing emails (that pretend to have a scandalous video of the U.S. president); and Rogue RAT, which is offered for sale on the dark web and uses source code from two other Android RATs.
And let's not forget cybersecurity's most wanted: Emotet, once a banking trojan but as of recently a distributor of other malicious campaigns. It continues to prevail as the top trojan threat of 2021, even after international law enforcement efforts to seize control of its infrastructure.
If we weren't already, we can be sure now that however "outdated" and less talked about trojans might be, they are enduring and thriving, with no signs of stopping. Trojans are no longer just standalone threats either; they have become one stage of the cyberattack lifecycle or of even larger attacks, usually used to gain an initial foothold on the target system. For an example we can look back at 2020 and one of the most wide-reaching and dangerous cases, the SolarWinds breach.
The attack involved attackers compromising the infrastructure of SolarWinds, the company that produces Orion, and then using that access to distribute trojanized updates to the software's users. The trojanized components of the software update were named SUNBURST and there are now open source detection rules available.
Types of trojans
The term "trojan" can also describe how the malware is delivered rather than what it does, since there is an almost immeasurable number of trojans in the wild, and they are usually categorized by the intent of the attacker. We've put together a non-exhaustive list of some of the more common types of trojans; keep in mind that there are many more types and variants out there.
A backdoor trojan creates a "backdoor" that allows attackers remote control over a victim's infected device. With this remote access, attackers can send, receive, delete or execute files, install additional malware, act as a keylogger, and even be part of a large group of infected devices that are used as a botnet.
Exploit trojans contain code or a script that exploits a known vulnerability in software or an application on the infected device.
A DDoS attack involves shutting down a device or a network and rendering it inaccessible by flooding it with requests from different sources. With DDoS trojans, attackers infect a large number of devices with a trojan, taking control over them and simultaneously launching distributed denial-of-service attacks on the target, overwhelming it and ultimately causing it to stop operating.
Downloaders are trojans that download and execute additional malicious programs, including keyloggers, adware or even other trojans onto the infected device. Attackers often distribute trojan-downloaders as part of the payload of another malicious program.
Fake antivirus trojans pose as legitimate antivirus software you would willingly download from the internet. Once installed however, they will solicit money from the victim in exchange for scanning their device for viruses and removing them. While they often warn of a "secret" detected threat, the threats are fake.
Banker trojans are designed to steal financial data: banking, credit and debit card, and similar info. Recent and notorious real-world examples of trojans were, in fact, banking trojans: Emotet began in 2014 as a banker trojan, as did TrickBot, another one of the most prolific banker trojans ever.
We've already mentioned that downloading online games is a common method of trojan infection, and in fact, there are trojans designed specifically for that. While trojan-bankers are aimed at financial data, game-thief trojans are created to steal information related to online gaming accounts.
Ransom trojans will, once installed, execute a ransomware attack that encrypts a system and the data on it, making it unusable to the victim. Decryption and the safe return of the data are promised if a sum is paid.
A spy trojan secretly installs programs intended for spying or keylogging. It can monitor all processes on an infected device, track its keyboard movements, and steal its data.
Trojan-Password Stealing Ware (PSW)
As a trojan with a very specific objective, a PSW trojan is designed to steal passwords from an infected device. Attackers can extract stored data from browsers, analyze cache and cookies and collect any data that can provide them with passwords. The data collected by the trojan is then sent to a command center, from where attackers can use it to launch further attacks.
How to protect against trojan attacks
Trojans have been present in the threat landscape for a long time, with one of the first trojans being developed way back in 1975. Because they are so widespread, we're equipped with plenty of knowledge that will help us keep devices safe from trojans.
And it's not a complex task—following the do's and don'ts of staying safe online in combination with modern security solutions (such as endpoint detection and response systems, antivirus software and firewalls) will go far in keeping trojans out of devices and networks.
Here are some of the best practices to follow for protecting against trojans, for individuals as well as for organizations to enforce across their entire network:
Keep all software updated
Having unpatched software with known security vulnerabilities is like leaving the doors of your Troy open: attackers would hardly need a disguise to get in. We mentioned the trojan-exploit designed to exploit CVEs present in unpatched software, so the best way to counteract this type of trojan is to keep all software regularly updated, whether by manually checking for available updates or by scheduling automatic updates wherever possible.
Back up everything
Doubling as both a prevention and mitigation practice, backing up all files and data is crucial in securing a successful recovery in the event of infection. In the case of a trojan-ransom, or just about any type of trojan that will modify, corrupt, destroy or steal data, have all files on the network backed up and ready to recover after an attack, to ensure that the least possible amount of damage will be sustained.
Don't click on suspicious email attachments
Even if an email appears to come from a legitimate source, be wary of any attachments and links in emails. This is one of the most common ways of trojan delivery, so awareness and verifying links and attachments before opening them can go far in preventing trojans making their way onto your device. For organizations, cybersecurity culture and awareness should be nurtured through continuous and engaging training, open communication with the security team and following basic best practices such as a strong password policy, use of MFA, and privileged access management.
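"Verifying attachments before opening them" can be partly automated. The following is an added example, not code from the original article: it parses a raw email message with Python's standard `email` package and flags attachments whose name, declared type or leading bytes suggest an executable disguised as a document (a double extension such as `invoice.pdf.exe`, a right-to-left override character in the name, a PDF MIME type on an `.exe`, or a Windows PE "MZ" header inside a file called `setup.pdf`). The extension lists, the function names and the message built by `build_sample_message()` are all assumptions constructed for this demo.

```python
"""Screen email attachments for the disguises trojans commonly use.

Added example, not code from the original article. It parses a raw RFC 822
message with Python's standard `email` package and flags attachments whose
name, declared type or leading bytes suggest an executable posing as a
document. The message built below is constructed demo data, not a real
phishing sample.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked (non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Extensions users read as harmless documents, used to spot "invoice.pdf.exe".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}
# Declared MIME types that should never arrive with an executable extension.
DOCUMENT_MIME = {"application/pdf", "application/msword", "image/jpeg",
                 "image/png", "text/plain"}
RTLO = "\u202e"  # right-to-left override: "photo_\u202egpj.exe" renders as "photo_exe.jpg"


def file_extension(name: str) -> str:
    """Lower-case extension after the last dot, or '' if there is none."""
    return name.lower().rsplit(".", 1)[1] if "." in name else ""


def classify_filename(name: str) -> list[str]:
    """Return the reasons a filename looks like a disguised executable."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    if RTLO in name:
        reasons.append("right-to-left override character in name")
    return reasons


def screen_message(raw: bytes) -> list[dict]:
    """Parse a raw message and return one finding per suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        reasons = classify_filename(name)
        if ctype in DOCUMENT_MIME and file_extension(name) in EXECUTABLE_EXTS:
            reasons.append(f"declared {ctype} but named .{file_extension(name)}")
        # The name and MIME type are attacker-controlled; the first bytes are not.
        # Every Windows PE executable starts with the "MZ" signature.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("content is a Windows executable (MZ header)")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Construct a demo message with one clean and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the invoice attached.")
    # 1. A genuine-looking PDF: no findings expected.
    msg.add_attachment(b"%PDF-1.4 demo document bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 2. A PE file hiding behind a double extension and declared as PDF.
    msg.add_attachment(b"MZ\x90\x00 demo PE bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    # 3. A PE file with an innocent name and type: only the MZ check catches it.
    msg.add_attachment(b"MZ\x90\x00 demo PE bytes", maintype="application",
                       subtype="pdf", filename="setup.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

The third attachment is the important one: its name and MIME type are exactly what a user expects, and only looking at the file's own bytes reveals it. Name-based rules are a useful first filter, but a mail gateway or endpoint control should always inspect content as well.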
Safe browsing 101
Free software, music, games and movies are great, but any time you download something from an unknown source you run the risk of downloading malware with it, including trojans. Additionally, avoid visiting any unsecure websites and clicking on pop-ups and banners, even if they practically scream at you that you have malware on your computer (you don't, but you might if you click on it). Organizations can leverage web filtering to prevent users on a network from accessing websites that are deemed potentially malicious.
Automatic diagnostic scans
Having antivirus software installed on a device and running properly should actually be the first step in trojan prevention. Besides making sure it's actually running, all users on the network should set up this software to run automatic diagnostic scans.
How to recognize a trojan infection
A large number of trojans are detected by antivirus software, but some can still sneak their way onto a device. Antivirus and antimalware software can detect trojans, but malware authors are constantly adapting and creating new versions, with protection software playing catch-up.
Thankfully, there are a few tell-tale signs that can indicate a trojan infection. Stay alert to the following, and make sure that everyone across the organization understands how they can report any suspicious behaviors they notice on their device, which include:
- Changes on the desktop screen such as a different color and screen resolution than usual, as well as the screen being turned upside-down
- Changes to the program icons on the desktop
- The blue screen of death (which isn't hard to notice)
- In the task manager: programs or apps running that you don't recognize
- A taskbar with unusual icons or a taskbar that is missing completely
- A mouse moving by itself or performing some functions differently than usual
- Slow performance and device crashes
- Disabled software—while trojans can be picked up by antivirus software, trojans can also disable them, making it much harder to confirm and remove the infection
- Strange browser behaviour, such as changes to the web browser's default home screen and redirection to unfamiliar websites (can indicate trojans as well as changes to web browser software)
- Unavoidable and annoying pop-ups everywhere—in the browser, on every webpage, even on the desktop (often advertising antivirus software and telling you that your device is infected)
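Two of the signs above, unrecognized programs in the task manager and security software that has been disabled, can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it compares a snapshot of running processes against a baseline recorded when the host was known to be clean, flags processes that run from user-writable directories or that borrow a system binary's name while living outside a system directory, and reports any required security process that is absent. The snapshot, baseline, directory lists and the `triage()` function are constructed assumptions for this demo; on a real host the snapshot would be collected in the same shape from the platform's process API.

```python
"""Triage a process snapshot against a known-good baseline.

Added example, not code from the original article. The article lists
"programs running that you don't recognize" and security software that has
been switched off as warning signs; this script turns both into a mechanical
check. The snapshot and baseline below are constructed demo data; on a real
host you would collect the snapshot in the same shape from the platform's
process API (for example psutil or Get-Process) and record the baseline on a
known-clean day.
"""
from pathlib import PureWindowsPath

# Directories in which a legitimately installed program is expected to live.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")   # prefix also covers (x86)
# Directory fragments any user can write to: a favourite drop location for trojans.
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\downloads", r"c:\users\public")
# Core Windows binaries whose names are often borrowed by malware; they must
# only ever run from a system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}


def triage(snapshot, baseline_names, required_security_procs):
    """Return a list of findings for processes that deserve a closer look.

    snapshot: list of {"pid", "name", "exe"} dicts describing running processes.
    baseline_names: process names seen on this host when it was known clean.
    required_security_procs: names of security tooling that must always be running.
    """
    findings = []
    baseline = {n.lower() for n in baseline_names}
    running = {p["name"].lower() for p in snapshot}
    for proc in snapshot:
        name = proc["name"].lower()
        parent = str(PureWindowsPath(proc["exe"].lower()).parent)
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if name in SYSTEM_BINARIES and not parent.startswith(TRUSTED_DIRS):
            reasons.append("system binary name running from an unexpected path")
        if any(fragment in parent for fragment in USER_WRITABLE_DIRS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "exe": proc["exe"], "reasons": reasons})
    # A trojan that disables protection shows up as an absent process.
    for required in required_security_procs:
        if required.lower() not in running:
            findings.append({"pid": None, "name": required, "exe": None,
                             "reasons": ["expected security process not running"]})
    return findings


# Constructed demo data: two ordinary processes, one impostor, one unknown download.
SAMPLE_SNAPSHOT = [
    {"pid": 812,  "name": "svchost.exe",  "exe": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1204, "name": "explorer.exe", "exe": r"C:\Windows\explorer.exe"},
    {"pid": 2311, "name": "chrome.exe",   "exe": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 4420, "name": "svchost.exe",  "exe": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"pid": 4588, "name": "Invoice_Viewer.exe", "exe": r"C:\Users\alice\Downloads\Invoice_Viewer.exe"},
]
SAMPLE_BASELINE = {"svchost.exe", "explorer.exe", "chrome.exe", "MsMpEng.exe"}
# MsMpEng.exe is Microsoft Defender's engine process; substitute your own product's.
REQUIRED_SECURITY = ["MsMpEng.exe"]


if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT, SAMPLE_BASELINE, REQUIRED_SECURITY):
        print(f["pid"], f["name"], f["exe"], "->", "; ".join(f["reasons"]))
```

Note that the impostor `svchost.exe` passes the baseline check, because its name is in the baseline; it is caught only because the path is wrong. A name-only allow list is therefore not enough, and a real deployment would also compare executable hashes or signatures recorded with the baseline.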
If we've learned one thing from the re-emergence of trojans, it's that malware and threats don't really go away, but take on new forms to adapt to the current environment and find ways to achieve their malicious goals. Protection methods for old-school threats, including trojans, include basic cybersecurity awareness, safe online behaviour and the employment of common security software, but it seems that many fail to use them.
As threats adapt, so should we, and having an understanding of the trends and advancements in the cyber threat landscape will empower us to always keep our guard up, never letting the enemy through our gates.