My, my, my, Delilah: new Trojan turns employees into insiders

Would you be willing to reveal your employer’s secrets to keep your private information private? What if a hacker threatened to send screenshots of your personal browsing history to your boss, partner or family? How about if criminals threw in some footage from your webcam for added flavour?

Whether you’re an employee or an employer, you’ll be unhappy to hear that Delilah, a Trojan that has been in the wild for a while but has become increasingly active, can do just that. The malware targets employees visiting adult, gambling or other ‘unsavoury’ websites to blackmail them into becoming malicious insiders willing to divulge company secrets.

Given that 81% of security professionals cite careless staff as the biggest security risk, while three quarters of firms have suffered an insider incident in recent years, we shouldn’t be surprised that cybercriminals are ramping up their efforts to target employees.

However, Delilah blurs the line between negligence and malice.

An inside job

Once a user’s machine is infected, Delilah attempts to gather as much personal information as possible; details on the victim’s workplace and family are particularly prized. The Trojan can also take control of webcams, allowing the user to be unwittingly filmed.

Armed with this sensitive information, cybercriminals can create a prioritised list of targets working in the most desirable organisations. Victims are communicated with via VPN services and TOR, ensuring hackers have robust anonymity. Meanwhile, any employees-turned-insiders are also ordered to delete their browser history to obscure audit trails and make it harder for IT security teams to track down leaks.

Fortunately, for the moment at least, Delilah remains closely guarded by hacker groups and isn’t available on the wider black market.

The Trojan is also imperfect, often causing terminals to display error messages or freeze for long intervals when taking screenshots of user activity.

However, it’s a foregone conclusion that these bugs will be quashed and that Delilah will eventually make its way into the mainstream. Worse, the black market will even provide skills-for-hire, such as managed social engineering, if criminals don’t have the expertise to harness the malware’s full potential themselves.

From simply blackmailing individuals for money, to turning employees into full-blown insiders, Delilah gives criminals many options when it comes to cashing in on their campaign.

How can you fight back?

To minimise the danger posed by Delilah, organisations should prevent employees from visiting high-risk sites when using the company’s IT systems. Delilah is usually distributed via malvertising and watering-hole attacks from gaming, online gambling and pornographic websites, so blocking browsing in these areas is highly recommended. Employers can also collect information on VPN and TOR connections to watch for suspicious activity.

Unfortunately, less can be done to prevent employees from accessing dangerous websites on private systems.

With many people now working remotely or after hours, the chance that personal computers will hold some sensitive corporate information is greater than ever. Additionally, social engineering makes it easy to connect an individual with their employer as a prelude to blackmailing them into sharing corporate secrets. In these circumstances, employers should look to educate and inform staff about the potential risks.
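For company systems, the monitoring suggested above can be sketched as a correlation over web proxy logs: any host that reaches a TOR relay or VPN endpoint goes on a review list, and moves to the top if it also browsed a high-risk category shortly beforehand. This is an added example, not code from the original article; the log format, category names, host names and IP addresses are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed values: documentation-range IPs stand in for a real TOR relay
# list and for known commercial VPN endpoints; category names are assumed.
TOR_RELAYS = {"198.51.100.23", "198.51.100.77"}
VPN_ENDPOINTS = {"203.0.113.50"}
HIGH_RISK = {"adult", "gambling", "gaming"}

# Constructed proxy log sample (hypothetical format).
SAMPLE_LOG = """\
2016-07-18T21:03:11 host=WS-014 dst=192.0.2.10 cat=gambling
2016-07-19T08:55:40 host=WS-014 dst=198.51.100.23 cat=uncategorised
2016-07-19T09:02:13 host=WS-022 dst=192.0.2.80 cat=news
2016-07-19T09:30:00 host=WS-022 dst=203.0.113.50 cat=uncategorised
2016-07-01T10:00:00 host=WS-031 dst=192.0.2.11 cat=adult
2016-07-19T11:00:00 host=WS-031 dst=198.51.100.77 cat=uncategorised
"""

def parse(line):
    """Split one log line into (timestamp, dict of key=value fields)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def review_queue(log_text, window=timedelta(days=7)):
    """Return {host: level} for hosts that reached TOR or a VPN endpoint.

    Level is 'priority' if the host browsed a high-risk category within
    `window` before the anonymised connection, otherwise 'review'.
    """
    last_risky = {}   # host -> time of most recent high-risk visit
    findings = {}
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    for when, fields in events:
        host = fields["host"]
        if fields.get("cat") in HIGH_RISK:
            last_risky[host] = when
        if fields["dst"] in TOR_RELAYS | VPN_ENDPOINTS:
            seen = last_risky.get(host)
            recent = seen is not None and when - seen <= window
            # Never downgrade a host already marked 'priority'.
            if recent or host not in findings:
                findings[host] = "priority" if recent else "review"
    return findings

if __name__ == "__main__":
    for host, level in sorted(review_queue(SAMPLE_LOG).items()):
        print(host, level)
```

A 'review' result is only a prompt to check whether the VPN or TOR use has a legitimate business explanation.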

Today, we would classify Delilah as a medium risk. However, this is very likely the beginning of a new attack trend that will undoubtedly become more sophisticated in the future.

Cybercriminals understand the power of the insider threat and are looking to exploit it; as Gartner comments: “With Trojans like Delilah, organisations should expect insider recruitment to escalate further and more rapidly”.

With that in mind, every organisation should be taking steps to pre-emptively counter Delilah before it becomes commonplace; firms that don’t will find more than just their employees’ deep, dark secrets at risk.
