Watch out for Emotet, the trojan that’s nearly a worm

Created: 10 August 2017

Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May. Now comes Emotet – malware with worm and trojan characteristics that exploits weak admin passwords to spread across a victim’s network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it from customer computers. Its payload is a form of banking Trojan designed to steal a user’s online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan, although it also contains the functionality necessary to be classified as a worm. The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection, whereas a worm can spread to other systems without the aid of a user. Emotet downloads and then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works

The initial infection is distributed via email spam. Researchers pieced together the following sequence of events:

  • A spam email containing a download link arrives in the victim’s inbox.
  • The download link points to a Microsoft Word document.
  • The downloaded document contains VBA code that decodes and launches a PowerShell script.
  • The PowerShell script then attempts to download and run Emotet from multiple URL sources.
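The download step of that chain is where a mail or web gateway can stop the lure before its macro ever runs. The check below is an added example written for this page (it is not Sophos code and not part of the original article): it classifies a fetched Word file by container format and blocks anything that carries a VBA project part, which is what a macro-bearing document looks like whether it arrives as .docm or as a .docm renamed to .docx. It detects only the presence of macros, not what they do, and the legacy binary .doc format needs an OLE parser to inspect, so the example quarantines that rather than guessing. The sample documents it builds are constructed fixtures, and the verdict names are this example's own.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (compound file header)
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.docx/.docm) is a zip package
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_word_download(data: bytes) -> str:
    """Tell what a downloaded Word file can be shown to contain.

    Returns:
      "ooxml-macro"  - OOXML package carrying a VBA project part (word/vbaProject.bin)
      "ooxml-clean"  - OOXML package with no VBA project part
      "ole2-legacy"  - binary .doc; a VBA project cannot be ruled out without an OLE parser
      "not-word"     - neither container format
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                content_types = ""
    except zipfile.BadZipFile:
        return "not-word"
    # Word stores macros as word/vbaProject.bin; the content-type override is the
    # second tell, and a renamed extension changes neither of them.
    if "word/vbaproject.bin" in names or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macro"
    if "word/document.xml" in names:
        return "ooxml-clean"
    return "not-word"


def gateway_verdict(data: bytes) -> str:
    """Policy for the download step: block anything that carries macros, hold the
    opaque legacy format for deeper (sandbox/OLE) inspection, pass the rest."""
    kind = classify_word_download(data)
    if kind == "ooxml-macro":
        return "block"
    if kind == "ole2-legacy":
        return "quarantine"
    return "allow"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed test fixture: the smallest zip layout Word would treat as a
    document, with or without a placeholder VBA project part. Not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real part is an MS-OVBA compressed stream; its presence is what we key on.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro-doc", build_sample_ooxml(True)),
                        ("clean-doc", build_sample_ooxml(False)),
                        ("legacy-doc", OLE2_MAGIC + b"\x00" * 504)]:
        print(f"{label}: {classify_word_download(blob)} -> {gateway_verdict(blob)}")
```

Because the decision is made on the container, not on the file extension the sender chose, the check is not fooled by a .docm delivered under a friendlier name; what it cannot do is tell a benign macro from the one that decodes and launches PowerShell, which is why the article's advice is to block macros outright rather than inspect them.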

The Emotet components are contained in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)

The password dictionary is used to gain access to other systems on the network. Once it has a working password, Emotet copies itself to the hidden administrative shares C$ or ADMIN$ on those systems. The copy is often given the filename my.exe, but other filenames have been used.
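A defender usually sees this stage first in the Security logs of the target host: a burst of failed network logons (event 4625) from one source, then a success (4624) from the same source, then an executable written to ADMIN$ or C$ (event 5145, which records the share and the relative file name). The detection below is an added example for this page, not Sophos's detection logic; the records it runs over are constructed samples shaped like those three events, and the field names, threshold and time windows are this example's own assumptions, to be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10                    # failed network logons from one source that we treat as a dictionary attack
FAIL_WINDOW = timedelta(minutes=5)     # ...when they fall within this window
FOLLOW_WINDOW = timedelta(minutes=10)  # a success and an admin-share write must follow within this long
ADMIN_SHARES = {"ADMIN$", "C$"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _share_name(share):
    # 5145 reports the share as \\*\ADMIN$; keep only the last path component
    return share.rstrip("\\").rsplit("\\", 1)[-1].upper()


def detect_admin_share_spread(events):
    """Return one alert per (source, target) pair showing the sequence
    burst of 4625 failures -> 4624 success -> .exe written to C$/ADMIN$."""
    events = sorted(events, key=lambda e: e["ts"])

    # Step 1: sliding-window count of failed network (type 3) logons per source/target
    recent = defaultdict(list)
    burst_at = {}
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            key = (e["src_ip"], e["target"])
            t = _ts(e)
            window = recent[key]
            window.append(t)
            while t - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and key not in burst_at:
                burst_at[key] = t

    # Step 2: for each burst, look for the follow-on success and an executable
    # written to an administrative share from the same source
    alerts = []
    for (src, target), t0 in burst_at.items():
        success_at = None
        written = []
        for e in events:
            t = _ts(e)
            if t < t0 or t - t0 > FOLLOW_WINDOW or e["src_ip"] != src or e["target"] != target:
                continue
            if e["id"] == 4624 and e.get("logon_type") == 3:
                success_at = success_at or t
            elif (e["id"] == 5145 and _share_name(e["share"]) in ADMIN_SHARES
                  and "WriteData" in e["access"] and e["rel_path"].lower().endswith(".exe")):
                written.append(e["rel_path"])
        if success_at and written:
            alerts.append({"src_ip": src, "target": target, "burst_at": t0.isoformat(),
                           "success_at": success_at.isoformat(), "files": written})
    return alerts


# Constructed sample of Security-log events (not real telemetry): one host
# hammers FS01 with a dictionary, gets in, and drops my.exe on ADMIN$; a second
# host produces only ordinary noise (one typo, one read from a normal share).
SAMPLE_EVENTS = [
    {"ts": f"2017-08-07T09:14:{s:02d}", "id": 4625, "src_ip": "10.0.0.23",
     "target": "FS01", "user": "Administrator", "logon_type": 3}
    for s in range(0, 36, 3)
] + [
    {"ts": "2017-08-07T09:14:40", "id": 4624, "src_ip": "10.0.0.23",
     "target": "FS01", "user": "Administrator", "logon_type": 3},
    {"ts": "2017-08-07T09:14:45", "id": 5145, "src_ip": "10.0.0.23", "target": "FS01",
     "share": r"\\*\ADMIN$", "rel_path": "my.exe", "access": "WriteData (or AddFile)"},
    {"ts": "2017-08-07T09:20:00", "id": 4625, "src_ip": "10.0.0.50",
     "target": "FS01", "user": "jsmith", "logon_type": 3},
    {"ts": "2017-08-07T09:20:05", "id": 4624, "src_ip": "10.0.0.50",
     "target": "FS01", "user": "jsmith", "logon_type": 3},
    {"ts": "2017-08-07T09:20:10", "id": 5145, "src_ip": "10.0.0.50", "target": "FS01",
     "share": r"\\*\Public", "rel_path": "report.docx", "access": "ReadData (or ListDirectory)"},
]


if __name__ == "__main__":
    for a in detect_admin_share_spread(SAMPLE_EVENTS):
        print(f"{a['src_ip']} -> {a['target']}: {a['files']} written to an admin share "
              f"after {FAIL_THRESHOLD}+ failed logons (burst at {a['burst_at']})")
```

Event 5145 is only produced when detailed file share auditing is enabled on the target, so the rule degrades to "burst of failures followed by success" on hosts where it is not; and because Emotet's copy is not always called my.exe, the rule keys on any executable written to the administrative shares rather than on the name.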

Emotet contains an embedded list of strings from which it picks two words and joins them into the filename it uses at the time of initial infection. The choice is seeded with the hard disk volume ID, so the same volume always produces the same filename: the name is stable on a given infected system, but a single filename cannot be relied on as an indicator across systems.

It also downloads a self-updating component capable of fetching the latest copy of itself and other modules. This component is saved as %windows%\<filename>.exe, where the filename consists of 8 hexadecimal digits.

Some of the other modules this component downloads harvest credentials from other well-known applications, or harvest email addresses from Outlook PST files for use in targeted spam.

When the updater component updates the main Emotet component, it replaces the parent file under the same filename built from the strings chosen earlier. It then installs and runs the updated executable as a Windows service.
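Two of the artifacts described above are concrete enough to hunt for on a host: an executable named with 8 hexadecimal digits sitting directly in the Windows directory, and a service whose binary runs from a location a normal service does not use. The script below is an added example written for this page, not Sophos tooling: it takes a listing of the files in %windir% and the services' ImagePath values (however the host provides them, e.g. from the Service Control Manager or the registry) and flags those two patterns. The host data and the service name archiveboot are constructed, and treating "service binary directly in the Windows root" as suspicious is a heuristic of this example, not a claim from the article; the two-word names cannot be matched without the embedded word list, which the article does not give.

```python
import os
import re
from pathlib import PureWindowsPath

HEX8_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def image_path_to_exe(image_path):
    """Extract the executable from a service ImagePath, which may be quoted and
    may carry arguments (e.g. svchost.exe -k netsvcs)."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def hunt_persistence(windir_files, services, windir=r"C:\Windows"):
    """windir_files: names of files directly under %windir% (not in subfolders);
    services: (service name, ImagePath) pairs.
    Returns a list of (finding, detail) tuples, in a stable order."""
    findings = []
    root = PureWindowsPath(windir)
    # Pattern 1: the updater component's 8-hex-digit executable in %windir%
    for name in sorted(windir_files):
        if HEX8_EXE.match(name):
            findings.append(("hex8-exe-in-windir", str(root / name)))
    # Pattern 2: a service running a binary straight out of the Windows root.
    # Heuristic (assumption of this example): legitimate services almost always
    # live in System32 or Program Files, so a root-level binary is worth a look.
    for svc, image in services:
        exe = PureWindowsPath(image_path_to_exe(image))
        if exe.parent == root:  # PureWindowsPath compares case-insensitively
            kind = "service-hex8-binary" if HEX8_EXE.match(exe.name) else "service-in-windir-root"
            findings.append((kind, f"{svc}: {exe}"))
    return findings


def list_windir(windir=None):
    """Live listing helper for use on a Windows host (files only, no subfolders)."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    return [n for n in os.listdir(windir) if os.path.isfile(os.path.join(windir, n))]


# Constructed sample host data (not from a real infection). "archiveboot" is a
# made-up service name standing in for a two-word Emotet-style filename.
SAMPLE_WINDIR_FILES = ["explorer.exe", "notepad.exe", "regedit.exe", "win.ini", "3fa1c0d9.exe"]
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("archiveboot", r'"C:\Windows\archiveboot.exe"'),
]


if __name__ == "__main__":
    for kind, detail in hunt_persistence(SAMPLE_WINDIR_FILES, SAMPLE_SERVICES):
        print(f"[{kind}] {detail}")
```

Both patterns produce leads rather than verdicts: explorer.exe and regedit.exe legitimately live in the Windows root, which is why the file check matches only the hex-digit naming and not every executable there, and a hit should be confirmed by checking the file's signature and hash before it is treated as Emotet.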

Recent Dridex and Qbot infections have also been discovered on Emotet-infected machines. It’s possible that Emotet’s ability to download and execute other payloads is currently being used to deploy geotargeted payloads.

Defensive measures

The attacker behind this outbreak has reacted to Sophos’ detections by creating new variants as the attacks persisted, taking advantage of the Emotet updating feature. They also changed the IP addresses they were downloading payloads from.

Nevertheless, Sophos is protecting customers from the threat and has created a Knowledge Base Article with a full breakdown of variants detected.

SophosLabs detects Emotet components as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotMem-A

To guard against malware exploiting Microsoft vulnerabilities in general:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Other advice:

  • If you receive a Word document by email and don’t know the person who sent it, don’t open it.
  • Block macros in Office documents.
  • Lock down file sharing across the network; in particular, restrict who can write to the C$ and ADMIN$ administrative shares that Emotet copies itself to.
  • Make sure users do not run with administrator rights by default.
  • Enforce password best practices, so that a dictionary of common passwords like the one Emotet carries does not work against your admin accounts.
  • Use an anti-virus with an on-access scanner (also known as real-time protection).
  • Consider stricter email gateway settings.
  • Never turn off security features because an email or document says so.

Source: Naked Security
