Seqrite has recently published its findings on the Emotet Trojan malware. Security researchers at Seqrite have identified an evolution in the infamous banking Trojan that wreaked havoc four years ago, tracking its transformation into a complex threat distributor that delivers multiple attack payloads.
The Emotet malware campaign has been active for a long time and has continuously used different attack techniques and complex variants to compromise the security posture of its victims. Having used PDF and JS file attachments in emails to deliver the attack payload in 2017, the recent spread of Emotet has been through MS Office Word documents containing heavily obfuscated macros. Seqrite has detected and blocked more than 1.5 lakh instances of the spam email targeting businesses and individuals in the last month alone, protecting them through the advanced threat detection it uses to identify such campaigns.
Speaking on the discovery, Sanjay Katkar, Joint Managing Director and Chief Technology Officer, Quick Heal Technologies Limited, said, “Threat actors today are modifying older malware to deliver new-age attack payloads. The recent evolution and outbreak of the Emotet Trojan is the perfect example of how rapidly the global threat landscape has been evolving. Combating these sophisticated attacks requires greater security awareness from the end-users as well as state-of-the-art security solutions, such as Seqrite, with proven capabilities to defend against such threats. We will continue to actively track the re-emergent threat of the Emotet Trojan to understand how to better protect our customers against such innovative attack vectors.”
According to the security researchers at Seqrite, the Emotet Trojan is delivered through phishing emails with subject lines such as ‘Invoice’, ‘Delivery Details’, ‘Shipment Details’ and ‘Payment Details’, chosen to trick the victim into opening the email and downloading the attachment. When the document is downloaded, the macro is de-obfuscated to reveal a PowerShell script and a list of malicious URLs. The script then downloads the Emotet malware from these URLs and saves it under a randomly generated file name with an .exe extension.
Once executed, the malware renames its instance and creates a second self-executable copy of itself, naming it with a random combination of words from a pre-defined list. The parent process then checks whether it was spawned by its own copy; if it was not, it creates a mutex, terminates the parent process and continues running as an independent instance. If it was spawned, the second process enumerates all running processes and stores the list in memory, then walks through each process, encrypts the collected data and sends it to the malicious server in a POST request.
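The infection chain described above (Word macro spawning a PowerShell downloader, which writes a randomly named .exe) leaves a recognisable trail in process-creation telemetry. The following is an added example, not Seqrite's code or anything from the article: a minimal detector run over constructed Sysmon-style events, where the field names, sample paths and the placeholder encoded command are all assumptions made for the illustration.

```python
import re

# Added example, not Seqrite's code: minimal detection for the chain described above,
# run over constructed Sysmon-style process-creation events (fields are assumptions).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Traits of a macro-launched PowerShell downloader: hidden window, encoded command,
# or a direct download primitive on the command line.
DOWNLOADER = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\b|downloadfile|downloadstring"
    r"|net\.webclient|invoke-webrequest|start-bitstransfer", re.IGNORECASE)
# An executable started from the per-user temp directory, where the downloader
# stage writes its randomly named *.exe payload.
TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\(?:[^\\]+\\)*[^\\]+\.exe$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return alert tags for one process-creation event (empty list if nothing fired)."""
    tags = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        tags.append("office-spawns-script-host")
        if DOWNLOADER.search(event["cmdline"]):
            tags.append("powershell-downloader")
    if TEMP_EXE.search(event["image"]):
        tags.append("exe-from-user-temp")
    return tags

def scan(events):
    """Map event index -> tags for every event that triggered at least one rule."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}

# Constructed samples; the encoded command is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-ChildItem C:\Logs"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\x7k2q9.exe", "cmdline": "x7k2q9.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, tags)
```

The benign events (an administrator's PowerShell session and Word handing off to the print spooler) produce no tags, which is the false-positive check a practitioner should run before deploying a rule like this.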
Security measures to follow
Seqrite advises users not to open any link in the body of a mail sent by an unknown source, nor to download attachments received from an untrusted source. Documents downloaded from untrusted sources should not have macros enabled, nor be opened in editing mode. Seqrite further recommends installing a comprehensive security solution and turning on its email protection features for more accurate and up-to-date protection against sophisticated threats.