
Emotet returns, attacking 100K mailboxes every day

After nearly two months of silence, the Emotet botnet has returned, updated its payload, and carried out attacks against 100K targets every day.

Emotet started as a banking Trojan in 2014 and has continuously developed into a comprehensive threat delivery mechanism. It can install a series of malicious software on the victim’s machine, including information stealers, email collectors, self-propagation mechanisms, and ransomware. It last appeared in October, when its attacks mainly targeted volunteers of the Democratic National Committee (DNC); before that, after a five-month pause in activity, it became active again in July and resumed distributing the Trojan. In February of this year, it was seen in an attack that sent forged SMS messages purporting to come from the victim’s bank.

“The Emotet botnet is one of the malicious e-mail senders with a lot of attacks in an active state, but it often sleeps for weeks or months,” Cofense researcher Brad Haas said in a blog on Tuesday. “This year, one such dormancy lasted from February to mid-July. This is the longest dormancy period that Cofense has seen in the past few years. Since then, they have observed that Emotet’s regular activities continued until the end of October, but nothing has been seen since then until today.”

The researchers said that the botnet’s payloads have not changed. “In October, the most common payloads were TrickBot, Qakbot and ZLoader; today we observed TrickBot,” according to Haas.

TrickBot malware is a well-known and complex Trojan. It was first developed as banking malware in 2016. Like Emotet, it has repeatedly changed itself and added new features to evade detection or enhance its infection capabilities. Devices infected with the TrickBot Trojan become part of the botnet, and attackers use it to load second-stage malware; researchers call it “an ideal dropper for almost any other malware payload”.

The typical consequences of infection are bank account takeover, telecom fraud and ransomware attacks. It has recently added the ability to inspect the UEFI/BIOS firmware of the target system. After Microsoft and other companies investigated and disrupted the malware’s infrastructure in October, it made a comeback.

Several security companies discovered the latest attack activity. Proofpoint pointed out via Twitter: “We have seen more than 100,000 messages in English, German, Spanish, Italian and other languages. The attack’s lures are mainly thread hijacking with Word attachments, password-protected compressed packages and malicious URLs.”

Thread hijacking is an attack method that Emotet added in the fall, as discovered by Palo Alto Networks researchers. The operators reply to a genuine email previously sent by the target and insert the malicious payload into that reply. In this way, the recipient has no reason to suspect that the email is malicious.

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Threatpost that this week’s activities are very normal for Emotet.

“Our team is still auditing the new samples, and so far we have only found very small changes. For example, Emotet is now packaged as a DLL instead of an .exe,” DeGrippo said. “When Emotet launches an attack, we usually observe hundreds of thousands of emails being sent out every day. This attack is similar. Since these attacks are ongoing, we are updating the count in real time. The volume of these attacks is similar to other attacks in the past, generally ranging from 100,000 to 500,000 per day.”

She added that the most interesting thing about this attack is the timing.

“We usually see Emotet stop attacking from December 24 to early January,” she pointed out. “If they keep this way, the recent attack will be very short and unusual for them.”

The Malwarebytes researchers also pointed out that the attackers alternate between different baits in their social engineering attacks to get users to enable macros, including phishing bait themed around COVID-19. The researchers also observed the Emotet gang using false information to deliver the payload.

Haas’ Cofense team observed the same attack and pointed out that it marked a technological innovation by the Emotet group.

“The new Emotet maldoc has undergone an obvious change, probably to prevent victims from noticing that they are infected,” he said. “The document still contains the malicious code for installing Emotet, and it still appears to be a ‘protected’ document, requiring the user to enable the macro to open it. The old version would not give any visible response after the macro was enabled, which may make the victim suspicious. The new version creates a dialog box saying ‘Word encountered an error while trying to open the file.’ This gives the user an explanation as to why they did not see the expected content and makes them more likely to ignore the whole incident, while Emotet is already running in the background.”

DeGrippo told Threatpost that preliminary observations of these emails indicated that in some hijacked threads the recipient is asked to open a .zip attachment that requires a password to access.

The researchers said that although the malware’s re-emergence brings little change from previous campaigns, it still deserves administrators’ attention.

“Regarding Emotet, the most worrying thing is that it teams up with other criminals to launch attacks, especially those engaged in the ransomware business. The Emotet-TrickBot-Ryuk combination caused serious damage around Christmas 2018,” according to Malwarebytes. “Although some cyber attackers also take holidays, the period when many companies have fewer staff is the perfect time to initiate a new attack. In view of the epidemic and the recent SolarWinds incident, the situation this year is even more critical. We urge organizations to be particularly vigilant and continue to take measures to protect network security, especially the protection of security policies and access control.”