Avast_Threat_ Research: Yes, Emotet remains an active malware threat
#1
Quote:

Emotet has cropped up again, and this time, there's more to the story

One of the longest-running and more lethal malware strains has once again returned on the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER.

Its history has been tracked by researchers, such as this timeline from Proofpoint.

As you can see, it has been through numerous enhancements and improvements. By 2017, its creators had expanded its attacks to deliver various banking Trojans (including Qakbot and TrickBot) and steal browser-stored passwords. Compromised PCs would be recruited to help form a botnet that was then used to launch additional phishing attacks. A report from Bromium issued in June 2019 tracked its evolution up until that moment in time. The report documents how Emotet's owners or operators have shifted their strategy from stealing bulk data to selling their malware as a service for others to ply their trade.

What made Emotet interesting was its well-crafted obfuscation methods. It was one of the early malware samples to deploy polymorphic code to vary its size and attachments, meaning that it would change its form and procedures to try to evade detection. It also used multi-state installation procedures and encrypted communications channels. Over the years, it has had some very clever lures, such as sending spam emails containing either a URL or an attachment, and purporting to be sending a document in reply to existing email threads. IBM's X-Force found one variation that uses the COVID-19 virus as part of its phishing lure.

Over time, Emotet has expanded to encompass three different botnet infrastructures, again to make it harder to repel. And to make their phishing lures more believable, they would translate their message subjects, filenames and contents to match the destination countries of their targets, producing not only English but German, Chinese and Spanish versions. Earlier this year, researchers discovered a new module that allows the malware to find open (or easily guessed passwords of) nearby WiFi networks to infect.

We covered Emotet most recently back in late 2018. Now, it seems to be back in use. Earlier this year, it had a five-day run that delivered nearly two million phishing emails. And in July, another variation was observed sending out at least 250,000 phishing lures, mostly aimed at US and UK users. Malwarebytes has samples of the emails used and more specifics of its operation. It appears to be using a new Word template for its infected attachment, but not much else.
...