Researchers have discovered a new variant of the Emotet Trojan. The variant is said to include features that help the malware propagate over internal networks.
Update November 2017: The Emotet banking Trojan has been updated to include a dangerous new component which has caused serious concern in the security community. The malware is now able to extract data even over secured connections. The virus files can be easily sent using the most popular infection methods, and the last major attacks proved that it remains one of the most popular payloads. Victims include end users in countries across Europe, the Middle East, North America and Asia. Learn how to protect against the Emotet Trojan now.
What is the Emotet Trojan?
A recent Fidelis Cybersecurity blog post reports that the trojan has evolved, and suggests that the actors behind the change may have been inspired by the WannaCry and NotPetya attacks, which used worm-like capabilities to spread rapidly across networks.
SophosLabs has confirmed a spike in Emotet cases in the past week and has blocked it from customer computers. The trojan itself is designed to steal a user’s online banking details. Although it is predominantly considered a trojan, Emotet also contains the functionality needed to be classified as a worm. The difference is that a trojan requires some degree of social engineering to trick an individual into enabling the infection, whereas a worm can spread from one system to another without the aid of a user. Once the Emotet trojan has been downloaded, it goes on to execute other payloads. Although it may not be a worm yet, it certainly has the potential to download and execute another component so that it can spread itself to other systems.
How Does Emotet Work?
The infection begins with distribution via email spam. The chain of events is carried out in the following order:
- A spam email with a download link in it is sent to the victim’s inbox.
- The download link itself points to a Microsoft Word document.
- Once downloaded, the document is found to contain VBA code that decodes and launches a PowerShell script.
- The PowerShell script then attempts to download and run Emotet from multiple URL sources.
A self-extracting WinRAR archive contains all the necessary Emotet components. The WinRAR archive is bundled with a large dictionary of weak and commonly used passwords.
Emotet uses the password dictionary to gain access to network systems. Once access is gained, it copies itself to the hidden C$ or Admin$ shares. The copy tends to be given the filename my.exe; however, other filenames are also said to have been used.
The trojan contains an embedded list of strings from which it chooses two words to add to the filename it uses when the infection is initiated. The choice of strings is seeded using the hard disk volume ID, so the same hard disk always produces the same filename on an infected system.
A self-updating component is also downloaded to ensure the trojan is capable of continuously downloading the latest copy of itself and other modules. This component is stored as “/%windows%\
The other modules that this component downloads are used to gather credentials from other known applications or, in other cases, to harvest email addresses from Outlook PST files for use in targeted spam.
When the main Emotet component is updated by the updater component, the parent file is replaced using the same filename made up of the same strings chosen earlier on. The malware then installs and runs the newly updated exe as a Windows service.
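From a detection standpoint, the sequence described above (dictionary logon attempts, a copy to an admin share, then a new service) can be correlated from Windows events 4625, 5145 and 7045. The following is an added example, not code from the researchers or any vendor; the simplified field names, thresholds, host names and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}   # ShareName values as logged in event 5145
FAIL_THRESHOLD = 5                            # assumed tuning value
WINDOW = timedelta(minutes=10)                # assumed tuning value

def ev(ts, eid, host, **fields):
    return {"time": datetime.fromisoformat(ts), "id": eid, "host": host, **fields}

# Constructed sample events (simplified field names, not real telemetry).
EVENTS = (
    [ev(f"2017-11-06T09:00:{s:02d}", 4625, "FS01", src="10.0.0.23") for s in range(0, 30, 5)]
    + [
        ev("2017-11-06T09:00:31", 4624, "FS01", src="10.0.0.23"),
        ev("2017-11-06T09:00:33", 5145, "FS01", src="10.0.0.23", share=r"\\*\ADMIN$", file="my.exe"),
        ev("2017-11-06T09:00:35", 7045, "FS01", image=r"C:\Windows\my.exe"),
        # Routine admin deployment: one mistyped password, then a share write.
        ev("2017-11-06T10:00:00", 4625, "FS02", src="10.0.0.40"),
        ev("2017-11-06T10:00:20", 5145, "FS02", src="10.0.0.40", share=r"\\*\C$", file=r"Tools\agent.exe"),
        ev("2017-11-06T10:00:25", 7045, "FS02", image=r"C:\Tools\agent.exe"),
    ]
)

def find_lateral_movement(events):
    """Flag hosts where failed logons precede an .exe written to an admin share
    that is then installed as a service (4625 -> 5145 -> 7045)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for w in evs:
            if w["id"] != 5145 or w["share"].upper() not in ADMIN_SHARES:
                continue
            if not w["file"].lower().endswith(".exe"):
                continue
            # Failed logons from the same source in the window before the share write.
            fails = sum(1 for e in evs if e["id"] == 4625 and e["src"] == w["src"]
                        and timedelta(0) <= w["time"] - e["time"] <= WINDOW)
            # A service whose image path matches the file that was just written.
            installed = any(e["id"] == 7045
                            and timedelta(0) <= e["time"] - w["time"] <= WINDOW
                            and e["image"].lower().endswith("\\" + w["file"].lower())
                            for e in evs)
            if fails >= FAIL_THRESHOLD and installed:
                alerts.append({"host": host, "source": w["src"],
                               "file": w["file"], "failed_logons": fails})
    return alerts
```

Event 5145 is only logged when detailed file share auditing is enabled, so the correlation depends on that audit policy being on for servers that expose admin shares.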
Researchers have recently also discovered Dridex and Qbot infections on Emotet-infected systems. There is a high possibility that Emotet’s ability to download and execute other payloads is in fact currently being used to deploy further geo-targeted payloads.
Defensive Measures You Can Take Against Emotet
Since its detection, the attacker responsible for the Emotet outbreak has responded by creating new variants of the trojan as attacks persist, taking advantage of the malware’s updating feature. The IP address from which payloads were being downloaded has also been changed since the malware caught researchers’ attention.
Emotet’s components are detected as:
- Mal/Emotet
- HPmal/Emotet
- Troj/EmotetMem-A
To guard against malware exploiting any Microsoft vulnerabilities in general:
- Carry out regular updates and apply them quickly.
- If possible, replace older Windows systems with the latest version.
Other advice includes:
- If you receive a Word document through email without knowing the sender, do not open it.
- Lock down file sharing across your network.
- Use recommended password practices.
- Make sure users do not have default admin access.
- Block macros in Office documents.
- Consider strict email gateway settings.
- Use an anti-virus with an on-access scanner (also known as real-time protection).