Story image

EMOTET banking malware returns with a wider scope & vengeance

12 Sep 17

The EMOTET banking malware has emerged with a wider target scope than ever before, three years after it was originally found.

The original malware primarily targeted the banking sector and monitored network activity in order to steal information. It was distributed through spam messages disguised as invoices and bank transfers.

Trend Micro researchers discovered the new Emotet variants in August. The variants were detected as TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW and TSPY_EMOTET.AUSJKV.

Researchers believe that the new variants have been created to target new geographic regions and new business sectors, although its functions as an information stealer remain the same.

Smart Protection Network data showed that the malware is targeting a number of industries, including healthcare and hospitality. Most of the malware is targeting the US, however the UK and ‘other’ countries made up 12% of targets respectively.

Because the malware has been dormant for so long, researchers believe that the new wave of attacks are attempting to catch targets off guard, thus increasing affect effectiveness.

“For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information. For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information,” Trend Micro researchers say.

The new variants are also using botnets to deliver spam. Like the original Emotet, the variants mimic an invoice or payment notification in order to trick users into clicking a malicious URL. That URL downloads a document with a malicious macro, which is launched when clicked.

The macro runs PowerShell commands that distribute the malware into the system. It will establish itself as a system service and ensure it runs at startup every time, researchers say.

It can then make the infected system part of its botnet, deliver payloads such as Dridex, steal usernames and passwords and harvest email information.

 The Emotet malware can also spread through network propagation and compromised URLs for command & control purposes.

“The malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further. This allows the trojan to spread quickly, as the more systems it can potentially infect, the faster it will propagate. The malware is also capable of harvesting email information and stealing username and password information found in installed browsers,” researchers conclude.

Multilayered security is recommended for protection against threats such as Emotet.

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.