
EMOTET banking malware returns with a wider scope & vengeance

12 Sep 2017

The EMOTET banking malware has emerged with a wider target scope than ever before, three years after it was originally found.

The original malware primarily targeted the banking sector and monitored network activity in order to steal information. It was distributed through spam messages disguised as invoices and bank transfers.

Trend Micro researchers discovered the new Emotet variants in August. The variants were detected as TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW and TSPY_EMOTET.AUSJKV.

Researchers believe that the new variants have been created to target new geographic regions and new business sectors, although its functions as an information stealer remain the same.

Smart Protection Network data showed that the malware is targeting a number of industries, including healthcare and hospitality. Most of the malware targets the US, while the UK and ‘other’ countries each made up 12% of targets.

Because the malware has been dormant for so long, researchers believe that the new wave of attacks is attempting to catch targets off guard, thus increasing its effectiveness.

“For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information,” Trend Micro researchers say.

The new variants are also using botnets to deliver spam. Like the original Emotet, the variants mimic an invoice or payment notification in order to trick users into clicking a malicious URL. That URL downloads a document carrying a malicious macro, which runs when the document is opened.

The macro runs PowerShell commands that distribute the malware into the system. It will establish itself as a system service and ensure it runs at startup every time, researchers say.

It can then make the infected system part of its botnet, deliver payloads such as Dridex, steal usernames and passwords and harvest email information.
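The chain just described (Office document, macro-launched PowerShell, then a new service for persistence) is the kind of sequence endpoint telemetry can surface. The following is an added detection example, not code from the article or from Trend Micro; the record layout and the sample events are constructed for illustration and are not a real Sysmon or EDR schema.

```python
"""Flag hosts where an Office process spawned a shell and a new service was
installed shortly afterwards, over constructed process/service records."""
from datetime import datetime, timedelta

# Office hosts that should almost never spawn a shell, and the shells to watch.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}

# Constructed sample telemetry: (time, kind, host, parent, image, detail).
# kind is "proc" for a process start or "svc" for a new service installation.
SAMPLE_EVENTS = [
    ("2017-09-12T09:00:01", "proc", "pc1", "explorer.exe", "winword.exe", "invoice_0912.doc"),
    ("2017-09-12T09:00:04", "proc", "pc1", "winword.exe", "powershell.exe", "-nop -w hidden -enc <constructed>"),
    ("2017-09-12T09:00:09", "proc", "pc1", "powershell.exe", "svc8821.exe", ""),
    ("2017-09-12T09:00:10", "svc", "pc1", "", "svc8821.exe", "service 'svc8821' installed, start=auto"),
    # Benign activity on a second host: Word opened, and an admin ran PowerShell
    # from Explorer much later. Neither should trip the chain rule.
    ("2017-09-12T10:15:00", "proc", "pc2", "explorer.exe", "winword.exe", "notes.docx"),
    ("2017-09-12T10:30:00", "proc", "pc2", "explorer.exe", "powershell.exe", "Get-Process"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_chain(events, window=timedelta(minutes=10)):
    """Return (host, rule, detail) alerts: one for each Office->shell spawn, and
    one more when a service is installed on that host within `window` of it."""
    alerts = []
    shell_starts = {}  # host -> time of the first Office->shell spawn seen
    for when, kind, host, parent, image, detail in sorted(events):
        t = _ts(when)
        if kind == "proc" and parent.lower() in OFFICE_HOSTS and image.lower() in SHELLS:
            shell_starts.setdefault(host, t)
            alerts.append((host, "office_spawned_shell", f"{parent} -> {image} {detail}"))
        elif kind == "svc" and host in shell_starts and t - shell_starts[host] <= window:
            alerts.append((host, "service_after_macro_shell", detail))
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Real deployments would key on the process GUID rather than the host so that unrelated activity on a busy machine does not chain together.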

The Emotet malware can also spread through network propagation and compromised URLs for command & control purposes.

“The malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further. This allows the trojan to spread quickly, as the more systems it can potentially infect, the faster it will propagate. The malware is also capable of harvesting email information and stealing username and password information found in installed browsers,” researchers conclude.

Multilayered security is recommended for protection against threats such as Emotet.
