Emotet Info-stealer Returns, with New Tactics

The espionage malware Emotet is back, just in time to put some Grinch into the holiday proceedings.

On November 9, 2017, the Cylance Threat Guidance team received a request to analyze a malicious document intended to infect a targeted system with the Emotet infostealer, a variant of the Feodo Trojan family.

Emotet first emerged in 2014 as a trojan designed to steal banking credentials from targets in Austria and Germany. This latest offensive shows it spreading beyond financial targets and into the US and other arenas, while adding new capabilities, including a new dropper that uses CreateTimerQueueTimer, sandbox awareness, and anti-analysis techniques.

The analyzed sample is a Microsoft Word document containing a malicious macro that downloads Emotet, which then searches the targeted system for sensitive information to exfiltrate to command and control (C2) servers under the attackers’ control.

The attacker can then sell the harvested information, or log into the compromised accounts themselves to steal more. Emotet can also spread to other systems on the network by stealing the address book from an infected computer.

“As the holiday season is upon us, extra care should be taken when interacting with emails that contain attachments purporting to be invoices or other business communications or links to similar documents, tactics attackers favor with the hope that distracted targets may let their guard down,” Cylance warned, in a threat spotlight. It added, “To avoid being the victim of the Emotet campaign, organizations should ensure that basic security best practices are being adhered to, particularly around the handling of email with attachments and/or URL links.”

Back in September, Trend Micro found another resurgence in Emotet, which it chalked up to two main drivers.

“While the motivation behind Emotet—information theft—remains the same…the authors behind this attack may be targeting new regions and industries,” it said. “While the earlier variants of Emotet primarily targeted the banking sector, our Smart Protection Network (SPN) data reveals that this time, the malware isn’t being picky about the industries it chooses to attack. The affected companies come from different industries, including manufacturing, food and beverage, and healthcare. Again, it is possible that due to the nature of its distribution, Emotet now has a wider scope.”

This latest campaign would appear to back that theory up.

The United States, United Kingdom, and Canada made up the bulk of the target regions this fall, with the US taking up 58% of all detected infections, and Great Britain and Canada at 12% and 8% respectively, Trend Micro said.