Emotet Banking Trojan Resurfaces, Skating Past Email Security
The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway security scanners.
The Emotet malware botnet has resurfaced in a more advanced form after being taken down by a joint international task force in January 2021.
A prolific threat throughout the pandemic, the Emotet malware began as a banking trojan in 2014, and its operators were one of the first criminal groups to provide malware-as-a-service (MaaS).
While it still uses many of the same attack vectors it exploited in the past, Emotet’s return has been accompanied by greater effectiveness in collecting and using stolen credentials. Deep Instinct’s report noted that these stolen credentials are also being weaponized to further distribute the malware binaries.
“The attacks are using hijacked email threads and then using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents,” a Thursday report from Deep Instinct explained.
In addition, Emotet is using 64-bit shellcode, as well as more advanced PowerShell and active scripts, with nearly a fifth of all malicious samples exploiting the 2017 Microsoft Office vulnerability CVE-2017-11882.
The attacks have focused largely on victims in Japan, with an expanded focus on targets in the United States and Italy starting from March this year.
The Deep Instinct team also wrote a detailed blog post on the technical details of what they found back in November.
Chuck Everette, Deep Instinct’s director of cybersecurity advocacy, says the company’s Threat Research Team has been monitoring the re-emergence of Emotet since Q4 of last year.
“We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them,” he explains.
In particular, several static evasion methods are very characteristic of Emotet, and upticks in those in new variant waves are very indicative of Emotet activity, Everette tells Dark Reading.
“These attacks definitely have similar characteristics that they’ve had in the past,” he says. “They now, however, have some new and improved techniques and tactics.”
One of them, Everette noted, is the streamlining of the product and removal of the middle stage of the attack.
Additionally, they’ve switched from plain HTTP to HTTPS for command-and-control communications, and they’ve added code obfuscation to the payload.
“The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques,” Everette says. “However, the primary delivery method is still phishing emails, and the human factor is the weakness.”
He advises organizations to be continuously diligent about cybersecurity awareness by training their employees, as well as monitoring and adding prevention capabilities to keep these types of phishing attacks out of their environment.
“If you make yourself more difficult to attack than another company, they will go after the easier target,” he says. “Make sure you’re the harder target to penetrate. Educate your employees.”
Emotet & TrickBot: Together Again?
Regarding Emotet’s previous ties to the TrickBot trojan, Everette acknowledged that there’s quite a bit of speculation around the status of the relationship now, but the most common thought is that there’s a continued collaboration between these cybercriminal entities.
“TrickBot and Emotet have a long history of collaboration,” he said. “As we know, with the rise and fall of the cyber gangs, members often move between organizations. This creates alliances and knowledge-sharing. With Emotet and TrickBot, it’s just one of these alliances that has lasted and weathered several take-down attempts.”
From his perspective, Emotet is no different from other cyber-gangs that have been taken down — 90% of these cyber gangs resurrect in one way or another.
“The major difference with Emotet is, you’re still using a good majority of the original code, given more sophisticated techniques, and they seem to be keeping the same name,” Everette said. “Their operations have not changed, because they were highly successful in the past.”
He added that there are also indicators that the group has moved some of its infrastructure out of the European arena and down to South America, mainly Brazil.