Ever since the Emotet Trojan was first launched against computers worldwide a few years ago, criminals have utilized it in their attacks. Throughout the years its code has changed, and removal attempts are not always successful. This article illustrates some of the techniques that victims can use to remove certain strains of the Emotet banking Trojan.
Latest Emotet Banking Trojan Moves
Banking Trojans are among the most widespread pieces of malware. Their main goal is to infect the targeted computers and take hold of sensitive banking information, which is then reported to the malware operators. There are several strategies that the criminals can utilize. The first is the installation of advanced spying modules that give the attackers the ability to monitor the victims' actions in real time, as well as record their mouse movements and keystrokes.
Another type of attack involves the superimposition of false applications and forms that appear to be legitimate online services. If the targets enter their personal data, all of that information is relayed to the hackers, who immediately enter the details into the real services and withdraw all accessible money.
Recently the Emotet banking Trojan has been updated to include a dangerous new component which has caused serious concern among the security community. The malware is now able to extract data even over secured connections. The files can be easily sent using the most popular infection methods, and the last major attacks proved that it remains one of the most popular payloads. Victims include end users in countries across Europe, the Middle East, North America and Asia.
Emotet Banking Trojan Attack Mechanisms
One of the newer traits associated with Emotet is its modular design. The malware is usually delivered via spam email messages that utilize social engineering techniques. The hackers pretend to be shipping companies or financial institutions and send out links and attached files that pose as notifications or invoices. Once they are opened by the victims, the infection occurs.
The Emotet banking Trojan then contacts hacker-controlled servers and downloads the main engine from there. The infection process is conducted in two separate phases: a conditional preparatory stage and the actual malware modification. Malicious code is injected into many legitimate applications and the operating system.
When the Emotet banking Trojan is delivered through Microsoft Office payloads, the operators have devised numerous ways in which the malware can be packaged. Popular forms include rich text documents, presentations, archives, spreadsheets and databases. Once they are opened, scripts automatically download and execute code from remote servers. In some instances a notification prompt is displayed that asks the user to give permission for this to happen.
Some of the newer versions of Emotet automatically execute when web browsers are opened. All network traffic is logged and sent to the hacker operator in real time and this is true even when it comes to secured network connections.
Security researchers note that extensive settings modifications are made to the Windows registry and other critical components of the operating system. The Trojan can also be used to download other threats to the compromised machines.
Emotet Banking Trojan Now Bundles Advanced Attack Capabilities
Some of the newer releases of the Emotet banking Trojan have been spotted to include a modular engine. The hackers can specify what additional components to send to the victim machines based on the reconnaissance data acquired during the preliminary infection stage. A partial list includes the following modules: Spamming module, Network worm propagation, Mail password viewer and a web browser password viewer. Emotet Trojan instances have the ability to interact with the hacker servers in an intelligent way by following both prerecorded patterns and receiving new instructions from the operators.
The Emotet banking Trojan can be updated extensively with additional components as well. Depending on the hacker collective, these can be of different types and can cover various stages of the infection sequence. For example, the hackers can devise new intrusion techniques, hacking tools or stealth protection features.
Newer samples have been found to interact directly with the Windows Mount Point Manager which gives the criminals the ability to target non-system partitions as well. This includes any external hard drives, removable storage devices and network shares. Such techniques give the hackers the ability to access a wider amount of data in later infection processes.
When network activity has started and the hackers utilize fake user agent strings, the Emotet banking Trojan has the ability to mask itself as any one of the popular web browsing applications. The list includes Mozilla Firefox, Google Chrome, Microsoft Edge, Internet Explorer, Opera and Safari.
Post-infection processes can also include data extraction from the compromised host. This includes information such as the regional user settings. The harvested values are used by the hackers along with the system data to recognize and filter the compromised machines based on their geographical location and user preferences. This is used to present various messages in a localized language if such are configured in later stages.
Emotet Trojan Security Measures
Newer versions of the Emotet banking Trojan use a template security check which looks for certain usernames and hostnames that signal an active sandbox, virtual machine or debugging environment. When such strings are detected, the Emotet banking Trojan may stop even before the preliminary information gathering stage has been reached. Examples include names such as “admin”, “VirtualBox”, “VMWare” and “[ID]-PC”.
This check can effectively be turned against the malware by placing markers and files that are attributed to sandbox or debugging systems. Users can attempt to create the following files:
- C:\a\foobar.bmp
- C:\a\foobar.gif
- C:\a\foobar.doc
- C:\email.doc
- C:\email.htm
- C:\123\email.doc
- C:\123\email.docx
It seems that the Emotet banking Trojan looks for a series of files located in folders associated with analysis of such threats, namely “C:\a”, “C:\123” and the root of the main C: partition.
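To put the file-based check described above into practice, here is an added PowerShell example (not from the article or from any vendor tool) that creates the listed decoy files idempotently, marks them read-only and hidden, and verifies that they are all present; it assumes an elevated prompt because the paths sit directly under the root of C:.

```powershell
# Added example: creates the decoy files the article lists so that an Emotet
# sample performing the described sandbox check finds them. Paths are exactly
# those given in the article; run from an elevated (Administrator) prompt.
$DecoyFiles = @(
    'C:\a\foobar.bmp',
    'C:\a\foobar.gif',
    'C:\a\foobar.doc',
    'C:\email.doc',
    'C:\email.htm',
    'C:\123\email.doc',
    'C:\123\email.docx'
)

function New-EmotetDecoyFile {
    param([Parameter(Mandatory)][string]$Path)

    # Create the parent folder (C:\a or C:\123) if it does not exist yet
    $dir = Split-Path -Path $Path -Parent
    if (-not [System.IO.Directory]::Exists($dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Only write the file when missing; the check is for presence, not contents
    if (-not [System.IO.File]::Exists($Path)) {
        Set-Content -LiteralPath $Path -Value 'decoy' -Encoding ASCII
    }
    # Read-only plus hidden keeps the file out of casual view and resists
    # accidental deletion by users cleaning up their C: drive
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly -bor [System.IO.FileAttributes]::Hidden
}

function Test-EmotetDecoyFiles {
    param([string[]]$Paths = $DecoyFiles)

    # File.Exists sees hidden files, unlike a plain directory listing
    $missing = $Paths | Where-Object { -not [System.IO.File]::Exists($_) }
    if ($missing) {
        Write-Warning ("Missing decoy files:`n  " + ($missing -join "`n  "))
        return $false
    }
    return $true
}

foreach ($p in $DecoyFiles) { New-EmotetDecoyFile -Path $p }
if (Test-EmotetDecoyFiles) { Write-Host 'All Emotet decoy files are in place.' }
```

Run `Test-EmotetDecoyFiles` on its own from a scheduled task or a login script to confirm the files have not been removed; it returns `$false` and lists the missing paths when they have.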
We highly recommend that users employ a professional-grade solution to protect themselves from advanced forms of the Emotet banking Trojan that may use other techniques.