The infamous banking trojan Emotet is re-emerging via new cyber campaigns after a low period of activity over the recent Christmas holidays. Emotet is one of the most widely developed and distributed malware families used by cyber criminals.
Historically, Emotet has been known as a banking trojan, but has evolved over the years and has also been linked to large-scale ramsomware infections. Emotet is often delivered via malicious email campaigns that use malicious office documents or URLs that can lead to infection.
Researchers from Cisco’s Talos Intelligence Group have spotted the new cyber criminal activity and noticed malicious emails with Microsoft Word attachments loaded with embedded macros used to download Emotet malware. Additional devious features have also been added to the latest version.
According to Talos, the new strain can now check to see if the compromised system’s IP address is listed on any spam-related blacklists, such as those hosted by SpamCop, Spamhaus, SORBS and others. Attackers could then deliver more malicious emails to victims’ mailboxes without detection from spam filters.
The new Emotet also changes up the subject line on a large number of emails so idential subject lines are harder to detect via the distribution.
The infection vector usually starts with the user clicking on the phishing email and opening up the malware-infected Word document or clicking on a link. Once the file is opened, the malicious code is executed on the victim’s system. This then launches a PowerShell script, which runs and then reaches out to the Emotet malware distribution server, downloads the payload, executes it and then infects the system.
Talos further describes the command-and-control (C2) capabilities that consist of C2 servers on multiple ports (such as 20, 80, 443, 7080, 8443, and 50000). The traffic typically uses HTTP traffic hard-coded to IP addresses.
Another interesting note is the Emotet malware is usually hosted on compromised websites, which are used as random hosting locations by the cyber campaigns.
Brad Duncan, of SANS Internet Storm Center, also observed a pickup in recent Emotet campaign activity.
“Dozens of indicators are discovered every day as vectors for Emotet infections. Emotet also acts a distributor for other families of malware. So far in 2019, I’ve seen Emotet retrieve Gootkit and the IcedID banking Trojan,” Duncan noted in a recent SANS blog post.
Modular threats like the Emotet family of malware will likely continue to gain in popularity with monetization as the key motivational factor.
Users should always beware of clicking unknown links and opening up documents in emails.
Additional controls to help mitigate these types of threats can include: user web proxies (to block malicious websites or risky categories), email security gateways (to block malicious emails) and advanced anti-malware protections. All of these can help detect and block malware used in these types of attacks.