Heimdal PRO - The next-gen multi-layered
protection for your PC, NOW at 70% OFF

It's time to take control of your data

€54 €16.2 Get it now 70 % OFF

1 year / up to 4 PCs


Guess who decided to show up? No, it’s not Santa Claus :-), it’s the Emotet banking trojan, which has been around for a while and aims to harvest users’ sensitive financial information. Be careful!

Over the past few days, researchers have been analysing several spam campaigns distributing the Emotet banking trojan and found that its authors have updated both the payload and the techniques it uses once it lands on a machine.

One of these campaigns is delivered with the following content (sanitized for your own protection):

From: [Spoof / Forwarded Sender Address]

Subject Line:
Final Notice
re: Invoice [5 digits]

Users were lured into clicking a link to one of the following sites, from which the malware was downloaded (sanitized for your own protection):

http://www.cableweb[.]org/Overdue-payment/

http://logoswift[.]net/Invoice/

http://www.exxecutive[.]com/Invoice-Number-35464/

https://enterpriseupdates.teamwork[.]com/Sales-Invoice/

http://www.chooseordie[.]me/Outstanding-Invoices/

http://www.finditinfondren[.]net/INCORRECT-INVOICE/

In short, the malware is spread through phishing emails like the example above, disguised as invoices from various companies.

How the malware is delivered:

The malware is dropped to %LocalAppData%\Microsoft\Windows\certproc.exe (i.e. AppData\Local\Microsoft\Windows\ inside the user profile) and modifies the Windows registry so that its malicious code is loaded again after the machine restarts.

A particularity of this strain is that it checks whether the current account has administrator rights and adapts its behaviour accordingly: without those rights it cannot install itself system-wide, so it has to stay inside the user’s own profile.

This means that on a computer where it has no administrator rights, the malware drops itself into that folder (AppData\Local\) under a dynamically generated file name. The name is derived from the hard drive’s volume serial number and built from a template of two random-looking strings, so the file name differs from machine to machine and a fixed-name indicator alone will not catch it.

After that, Emotet injects its code into another process using Windows atom tables (which store strings and corresponding identifiers so that applications can share data) and Asynchronous Procedure Calls (APCs, functions queued to run asynchronously in the context of a particular thread). The technique is known as “AtomBombing”, a code injection method that often goes undetected by antivirus solutions because it relies only on these legitimate Windows APIs rather than the usual write-memory/create-remote-thread pattern that security products watch for.

[Figure: How an AtomBombing code injection attack works. Source: Enisa.europa.eu]

The malware also targets administrator passwords and tries to break them by brute force, i.e. trial-and-error guessing of credentials. In addition, this Emotet variant carries a self-propagating spreader component, comparable in effect to the worm functionality seen in the WannaCry and NotPetya attacks, which lets it move very quickly across a network.

Emotet also relies on Command and Control (C&C) servers to receive commands and launch further attacks.

Communication with the C&C server is scheduled through the Windows ‘CreateTimerQueueTimer’ API and sends basic host data such as the computer name, processor and operating system version, along with a list of all processes running on the computer. It attempts to contact the malicious servers every 15 minutes, which allows Emotet to update the infection and spread throughout the local network.

Here are the C&C servers (sanitized for your own protection) involved in this campaign:

5.230.193[.]41:8080
46.4.192[.]185:8080
107.170.177[.]153:8080
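The two network-level facts above, a short list of C&C addresses and a fixed 15-minute check-in interval, are both usable for hunting. The following script is an added example (not Heimdal’s or CSIS’s code) that runs over connection-log lines: it refangs the sanitized indicators and matches them against destination ip:port, and, independently of any indicator, flags source/destination pairs that talk at a regular interval. The log format (timestamp, source IP, destination IP, destination port, space-separated) is an assumption, and the log lines themselves are constructed for the example; only the three C&C addresses come from the page.

```python
"""Hunt for Emotet C&C traffic: known indicators plus 15-minute beaconing.

Added example, not code from the article. Assumes a "ts src dst port"
connection log; sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sanitized indicators exactly as published; refang() turns "[.]" back into ".".
C2_INDICATORS = ["5.230.193[.]41:8080", "46.4.192[.]185:8080", "107.170.177[.]153:8080"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Set of (ip, port) tuples for fast lookup.
C2_SET = {tuple(refang(i).split(":")) for i in C2_INDICATORS}

# Assumed log format: ISO timestamp, src ip, dst ip, dst port.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$")

# Constructed sample log: one host talking to a listed C&C every ~15 minutes,
# another host beaconing to an unlisted server (TEST-NET-2 range), plus noise.
SAMPLE_LOG = """\
2017-08-14T09:00:02 10.0.0.15 5.230.193.41 8080
2017-08-14T09:01:10 10.0.0.15 93.184.216.34 443
2017-08-14T09:15:05 10.0.0.15 5.230.193.41 8080
2017-08-14T09:22:41 10.0.0.23 93.184.216.34 443
2017-08-14T09:30:01 10.0.0.15 5.230.193.41 8080
2017-08-14T09:45:03 10.0.0.15 5.230.193.41 8080
2017-08-14T09:47:00 10.0.0.23 198.51.100.7 8080
2017-08-14T10:02:00 10.0.0.23 198.51.100.7 8080
2017-08-14T10:17:00 10.0.0.23 198.51.100.7 8080
""".splitlines()


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def c2_hits(lines):
    """Return (src, dst, port) for every connection to a listed C&C server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec[2], str(rec[3])) in C2_SET:
            hits.append((rec[1], rec[2], rec[3]))
    return hits


def beacon_candidates(lines, period=timedelta(minutes=15),
                      tolerance=timedelta(seconds=60), min_hits=3):
    """Flag (src, dst, port) pairs contacted at a regular interval.

    This does not depend on the indicator list, so it also surfaces C&C
    servers that are not yet known. Jitter is absorbed by `tolerance`.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec[1], rec[2], rec[3])].append(rec[0])
    flagged = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) + 1 >= min_hits:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for hit in c2_hits(SAMPLE_LOG):
        print("known C&C contact:", hit)
    for pair in beacon_candidates(SAMPLE_LOG):
        print("15-minute beacon:", pair)
```

On the constructed sample the indicator match reports the four contacts with 5.230.193.41:8080, while the periodicity check flags both that pair and the host beaconing to the unlisted 198.51.100.7:8080. In practice, run the periodicity check over at least an hour of logs and tune `tolerance` to the jitter your proxy or firewall introduces; a single process list sent every 15 minutes is small, so volume-based alerts will not catch it.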

Heimdal Security has proactively blocked these malicious domains, so you are protected against this attack if you use Heimdal PRO. On VirusTotal, 31 of 59 antivirus engines initially detected the sample from this spam campaign.

[Figure: VirusTotal AV detection]

In another spam campaign, users were tricked into clicking on a compromised webpage that redirected them to an Emotet download server such as this one (sanitized for your own protection):

http://www.bestnewreditcard[.]com/00hnJ/

Here is what these spam emails, which were sent out indiscriminately to users, look like:

From: [Spoof / Forwarded Sender Address]

Subject Line:
Outstanding INVOICE [4 letters] / [6 digits] / [3 digits]

Content (sanitized for your own protection):
http://www.galacticpizza[.]com/Order Confirmation/

Other domains involved in this campaign (sanitized for your own protection):

1ststreetcollisionny[.]com
30jours[.]org
365daysofselfcare[.]com
4seek[.]networks
58yf[.]networks
9251925[.]ru
aartslundsjo[.]see
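Both campaigns above share the same lure: a fixed-shape invoice subject line and links whose paths are built from a small vocabulary (Invoice, Overdue-payment, Outstanding-Invoices, Order Confirmation and so on). The script below is an added example, not code from the article or from CSIS/Heimdal, that turns those two observations into mail-gateway triage logic. It assumes a message is represented as a subject plus the list of URLs found in its body; the sample messages are constructed, while the subject templates and path words are taken from the page. The patterns are deliberately campaign-specific: use them for hunting the waves described here, not as a general phishing filter.

```python
"""Triage of invoice-themed Emotet lures (subject templates + link paths).

Added example, not code from the article. Assumes messages are given as
(subject, list_of_urls); sample messages below are constructed.
"""
import re
from urllib.parse import urlsplit

# Subject templates from the two campaigns on the page, turned into regexes:
#   "Final Notice / re: Invoice [5 digits]"
#   "Outstanding INVOICE [4 letters]/[6 digits]/[3 digits]"
SUBJECT_PATTERNS = [
    re.compile(r"^Final Notice\s+re:\s*Invoice\s+\d{5}$", re.IGNORECASE),
    re.compile(r"^Outstanding INVOICE\s+[A-Za-z]{4}/\d{6}/\d{3}$", re.IGNORECASE),
]

# Path vocabulary of the sanitized lure links listed on the page.
LURE_PATH_WORDS = {
    "invoice", "invoices", "overdue", "payment", "outstanding",
    "incorrect", "order", "confirmation", "sales",
}


def refang(url: str) -> str:
    """Turn a defanged URL back into one urlsplit can parse."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def subject_matches(subject: str) -> bool:
    """True if the subject fits one of the known campaign templates."""
    s = subject.strip()
    return any(p.search(s) for p in SUBJECT_PATTERNS)


def lure_path_score(url: str) -> int:
    """Count lure vocabulary words in the URL path (host is ignored on purpose:
    the campaign used many unrelated compromised domains)."""
    path = urlsplit(refang(url)).path
    tokens = re.split(r"[^a-z0-9]+", path.lower())
    return sum(1 for t in tokens if t in LURE_PATH_WORDS)


def triage(subject: str, urls) -> str:
    """Return 'block', 'review' or 'pass' for one message."""
    subj_hit = subject_matches(subject)
    path_hits = max((lure_path_score(u) for u in urls), default=0)
    if subj_hit and path_hits:
        return "block"      # both the subject template and a lure-style link
    if subj_hit or path_hits:
        return "review"     # one signal only: hand to an analyst
    return "pass"


# Constructed sample messages; the links reuse sanitized URLs from the page.
SAMPLE_MESSAGES = [
    ("Final Notice\nre: Invoice 48213",
     ["http://www.exxecutive[.]com/Invoice-Number-35464/"]),
    ("Outstanding INVOICE ABCD/123456/789",
     ["https://enterpriseupdates.teamwork[.]com/Sales-Invoice/"]),
    ("Final Notice re: Invoice 00912", []),
    ("Your order has shipped", ["https://example.com/track/123"]),
]


def triage_all(messages):
    """Triage a batch of (subject, urls) pairs; returns a list of verdicts."""
    return [triage(subject, urls) for subject, urls in messages]


if __name__ == "__main__":
    for (subject, urls), verdict in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(f"{verdict:6s}  {subject.splitlines()[0]!r}  {urls}")
```

Note that the check ignores the link’s host entirely: the lure domains in both campaigns are ordinary compromised sites (and one of them is served over HTTPS), so the path and the subject are the stable parts. Hash or path indicators for the next wave will differ, which is why the "review" outcome exists rather than blocking on a single signal.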

Heimdal Security proactively blocked these infected domains. According to VirusTotal, 22 antivirus products detected this new variant of the Emotet trojan.

Banking trojans are spread through a variety of infection methods: social engineering, phishing and spam emails, or exploit kits that take advantage of software flaws to infect users’ computers. What should you do?

Use this protection guide to better fight against banking trojans

Because this type of malware usually evades detection at first, you need to take every security measure available to fight back.

  • Update your Windows operating system immediately, because the OS is the first place cyber criminals look for software vulnerabilities to exploit. Also keep all your applications and programs up to date;
  • Always keep a backup of your important data on an external source such as an external hard drive or the cloud (Google Drive, Dropbox, etc.). This guide will show you how;
  • We will keep reminding you to set strong and unique passwords to protect your accounts. Our dedicated security guide shows you how to secure and better manage your passwords;
  • Do not open emails or click on attachments/files that look suspicious, because attackers keep finding new ways to infect your computer;
  • Prevention is the cure, so avoid visiting suspicious websites or downloading anything from them. Prefer pages served over “https”, but remember that HTTPS only protects the connection, not the content: one of the lure sites in this campaign was served over HTTPS;
  • Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
  • Consider adding multiple layers of protection and also use a proactive cyber security software solution;
  • Probably one of the best security measures you can take is learning how to spot such online threats. We recommend these free educational resources to gain more knowledge about the cybersecurity industry.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

After exploring a handful of the blog articles on your web page, I seriously appreciate your way of blogging.
I saved it to my bookmark webpage list and
will be checking back soon. Please visit my website as well and tell me your opinion.

Hello everybody, here every one is sharing such knowledge, thus it’s nice to read this webpage, and I used
to go to see this website every day.
