Security Alert: Emotet Trojan Returns with New Waves of Spam Campaigns

Guess who decided to show up? No, it’s not Santa Claus :-), it’s the Emotet banking trojan that’s been around for a while and aims to harvest users’ sensitive financial information. Be careful! For the past days, researchers have been analyzing several spam campaigns containing the Emotet banking trojan and found that the malware authors have been using payloads to perform malicious actions. One of these campaigns is delivered with the following content (sanitized for your own protection) From: [Spoof / Forwarded Sender Address] Subject Line: Final Notice re: Invoice [% 5 digits%] Users were lured into clicking and downloading one of the following sites which have been sanitized for your own protection: http://www.cableweb[.]org/Overdue-payment/ http://logoswift[.]net/Invoice/ http://www.exxecutive[.]com/Invoice-Number-35464/ https://enterpriseupdates.teamwork[.]com/Sales-Invoice/ http://www.chooseordie[.]me/Outstanding-Invoices/ http://www.finditinfondren[.]net/INCORRECT-INVOICE/ Basically, the malware is spread using phishing emails like the example from above, disguised as invoices from various financial companies.

How the malware is delivered:

The malware is dropped to [% AppData%] \ local \ microsoft \ windows \ certproc.exe on the users’ computers which tries to modify the Windows registry database by infiltrating a malicious code after restarting the machine. The particularity of this strain of malware is given by the fact that is targeting the device’s administrator-level accounts and check to see if administrator rights are on the computer or not. Without administrator rights, a user can’t locally access or enable applications. This means that the malware is dropped on this folder (appdata \ local \) on a computer that does not have administrator rights and copies it using a dynamic file name. This dynamic file name is generated by using the serial number available on the hard drive and is formed by a template based on two random strings. After that, Emotet will inject malicious code by exploiting Windows atom tables (which are used for sharing/exchanging data and store strings and corresponding identifiers) and Asynchronous Procedure Calls (APC – a function that executes without synchronization in the context of a particular threat). The technique used is also known as “AtomBombing”, and is a new code injection technique which often goes undetected by antivirus solutions. How an AtomBombing code injection attack works Source: Enisa.europa.eu The online attackers target admin passwords and break them through brute force attacks. Basically, they try trial and error methods to guess users’ personal information. Also, Emotet malware is using a self-replicating worm (used also in the Wannacry and NonPetya attacks) with which makes it spread very quickly. Emotet can also use Command and Control servers (C&C) to launch an attack and send malicious commands. Communication with the C&C server is controlled through a Windows ‘CreateTimerQueueTimer’ API to send essential data such as computer name, processor or operating system along with all the processes running on the computer. It tries every 15 minutes to communicate with the malicious servers, which allows Emotet to update the infection and spread throughout a local network. Here are the C&C servers (sanitized for your own protection) involved in this campaign: 5,230,193 [.] 41: 8080 46.4.192 [.] 185: 8080 107 170 177 [.] 153: 8080 Heimdal Security has proactively blocked these vulnerable domains, which means that you’re safe against the attack if you use Thor Foresight. VirusTotal said that 31 antivirus engines of 59 initially managed to detect this spam campaign. During other spam campaigns, users were tricked into clicking on a compromised webpage that redirected them on an Emotet download server like this one (sanitized for your own protection): http: //www.bestnewreditcard [.] com / 00hnJ / Here’s how these spam emails, which have been arbitrarily sent to users, look like: From: [Spoof / Forwarded Sender Address] Subject Line: Outstanding INVOICE [4 letters] / [6 digits] / [3 digits] Content: (sanitized for your own protection) http: //www.galacticpizza [.] com / Order Confirmation / 1ststreetcollisionny [.] Com 30jours [.] Org 365daysofselfcare [.] Com 4seek [.] Networks 58yf [.] Networks 9251925 [.] Ru aartslundsjo [.] see Heimdal Security proactively stopped and blocked these infected domains. According to Virus Total, 22 software products have detected this new variant of Emotet trojan. There are various infection methods that aim to spread banking Trojans, such as social engineering, phishing, and spam emails, or exploit kits that could easily take advantage of software flaws and infect users’ computers. What should you do?

Use this protection guide to better fight against banking trojans

Because this type of malware usually evades detection in the first place, you need to take all the security measures needed to fight back.

• Immediately update your Windows operating system, because there’s the first place where cybercriminals look for and exploit software vulnerabilities. Also, keep all your applications and programs up to date and make sure you have the latest updates on your PC;
• Always have a backup with all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. This  guide will help you how to do this;
• We’ll keep reminding you to set strong and unique passwords to enhance protection for your accounts. Our dedicated security guide will show you how to secure and better manage your passwords.
• Do not open emails or click on attachments/files that look suspicious to you, because hackers will continue to use innovative methods to infect your computer;
• You know that prevention is the cure, so avoid visiting suspicious websites or downloading something from these sites. Also, access safe pages that use “https”;
• Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
• Consider adding multiple layers of protection and use also a proactive cybersecurity software solution;
• Probably one of the best security measure you can use is learning how to easily detect such online threats. We recommend these free educational resources to gain more knowledge in the cybersecurity industry.

*This article features cyber intelligence provided by CSIS Security Group researchers.