A new variant of the Feodo banking trojan, known as Emotet, has been identified. It refines the original in a number of areas, including its ability to spread, to hinder analysis and to act as a backdoor for the installation of further malware.
The trojan is distributed through mass spam email campaigns carrying a macro-enabled Word document as an attachment. The email and attachment reportedly claim to be an invoice; when the document is opened and its macro is allowed to run, the malware is dropped onto the system.
Emotet is capable of intercepting encrypted communications by performing a man-in-the-browser (MitB) attack, hooking the browser so that it sees traffic before it is encrypted by TLS. In this way it captures login credentials for banking and social media accounts, infects the system with further malware and steals money from the compromised bank account(s). Email contacts on the infected system are harvested, allowing targeted campaigns against the contacts of the system's owner.
It also attempts to spread laterally across the network by brute-forcing the passwords of any accounts visible to it, including those with access to network shares and other locations, and then dropping a self-extracting RAR archive onto each host it compromises, which starts the cycle again.
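The brute-force spreading described above leaves a recognisable trail on the target side: many failed logons from one workstation against many different accounts in a short time, often followed by a success once a password is guessed. The following is an added example, not code from the original advisory, that detects that pattern over a constructed export of Windows Security events (4625 logon failure, 4624 successful logon). The CSV layout, the thresholds and the host and account names are all assumptions for illustration.

```python
"""Detect Emotet-style brute-force lateral movement from failed-logon events.

Added example, not code from the original advisory. It replays a constructed
export of Windows Security events (4625 = logon failure, 4624 = successful
logon), as a log collector might produce them, and flags any source host that
generates a burst of failures against many distinct accounts, which is what
password brute-forcing against network shares looks like from the target side.
Field layout, thresholds and sample data are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,source_host,target_account,target_server
# WS01 sprays eight accounts at two file servers and finally succeeds (infected);
# WS02 is a user mistyping one password; WS03 is a service account with a stale
# password retrying once every five seconds (many failures, but one account).
SAMPLE_EVENTS = """\
2014-11-03T09:00:01,4625,WS01,alice,FILESRV01
2014-11-03T09:00:02,4625,WS01,bob,FILESRV01
2014-11-03T09:00:03,4625,WS01,carol,FILESRV01
2014-11-03T09:00:04,4625,WS01,dave,FILESRV01
2014-11-03T09:00:05,4625,WS01,erin,FILESRV01
2014-11-03T09:00:06,4625,WS01,frank,FILESRV01
2014-11-03T09:00:07,4625,WS01,administrator,FILESRV01
2014-11-03T09:00:08,4625,WS01,backup,FILESRV01
2014-11-03T09:00:09,4625,WS01,alice,FILESRV02
2014-11-03T09:00:10,4625,WS01,bob,FILESRV02
2014-11-03T09:00:11,4625,WS01,administrator,FILESRV02
2014-11-03T09:00:12,4625,WS01,backup,FILESRV02
2014-11-03T09:00:13,4624,WS01,backup,FILESRV02
2014-11-03T09:05:00,4625,WS02,bob,FILESRV01
2014-11-03T09:05:20,4625,WS02,bob,FILESRV01
2014-11-03T09:05:45,4625,WS02,bob,FILESRV01
""" + "".join(
    f"2014-11-03T10:00:{5 * i:02d},4625,WS03,svc_backup,FILESRV01\n" for i in range(12)
)

WINDOW = timedelta(seconds=60)   # assumed tuning values; adjust to the environment
MIN_FAILURES = 10
MIN_ACCOUNTS = 5


def parse_events(text):
    """Parse the constructed CSV export into sorted (ts, event_id, src, account, server)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, src, account, server = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, src, account, server))
    events.sort()
    return events


def detect_bruteforce(events, window=WINDOW, min_failures=MIN_FAILURES,
                      min_accounts=MIN_ACCOUNTS):
    """Sliding window of failures per source host.

    A host is flagged once it has at least `min_failures` failed logons
    spanning at least `min_accounts` distinct accounts inside `window`.
    Requiring many distinct accounts separates spraying from a single
    mistyped or stale password. A successful logon from a flagged host
    within the window is recorded too, since that is the moment the
    malware has found working credentials.
    """
    recent = defaultdict(deque)   # source host -> deque of (ts, account, server)
    alerts = {}
    for ts, event_id, src, account, server in events:
        if event_id == "4624":
            alert = alerts.get(src)
            if alert and ts - alert["last_seen"] <= window:
                alert["success"] = (account, server)
            continue
        if event_id != "4625":
            continue
        q = recent[src]
        q.append((ts, account, server))
        while ts - q[0][0] > window:      # drop failures that fell out of the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        if len(q) >= min_failures and len(accounts) >= min_accounts:
            alert = alerts.setdefault(src, {"source_host": src, "success": None})
            alert.update(first_seen=q[0][0], last_seen=ts, failures=len(q),
                         accounts=sorted(accounts),
                         servers=sorted({s for _, _, s in q}))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed data, only WS01 is reported: twelve failures across eight accounts on two servers, followed by a success as `backup` on FILESRV02. WS03 produces just as many failures but against a single account and stays quiet, which is the discriminator that keeps lockout noise from burying the real alert.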
When the malware detects that it is running in a sandbox or virtual machine it alters its behaviour to frustrate analysis and research. Its behaviour is also reported to change with geographical location; in the UK it has been seen dropping the Dridex banking trojan on infected systems.
Affected platforms: Microsoft Windows – all versions
- Monitor network and proxy logs for indicators of compromise.
- Never open email attachments or follow links from untrusted sources. If an email looks suspicious, the user should contact the sender by other means (for example by telephone) to verify that they really sent it.
- Ensure that anti-malware signatures are kept up to date.
- Make sure that cyber-awareness training is kept up to date.
- Ensure that Office macros are disabled by default, so that a macro in an emailed document cannot run without a deliberate decision by the user.
- Enforce strong password policies on all accounts, since the malware spreads by brute-forcing credentials.
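For the first item in the list above, monitoring proxy logs for indicators of compromise, the following is an added example and not code from the original advisory. It loads a constructed indicator list, matches each URL in a constructed tab-separated proxy log against it (domains match themselves and their subdomains label by label, so that `payload-host.example` does not match `payload-host.example.com`), and additionally flags executables or archives fetched from a bare IP address, which is a heuristic rather than an indicator. The `.invalid`/`.example` names and the documentation-range IP addresses are placeholders, not real Emotet indicators; the log layout is likewise assumed.

```python
"""Match web-proxy log lines against an indicator-of-compromise list.

Added example, not code from the original advisory. The log format, the IoC
list and the sample lines are all constructed for illustration: the domains
use reserved .invalid/.example names and the IPs come from documentation
ranges, so nothing here is a real indicator.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed IoC list, one indicator per line as a blocklist feed might supply
# it. Domain indicators match themselves and any subdomain.
IOC_FEED = """\
# domain indicators
c2-example.invalid
payload-host.example
# ip indicators
203.0.113.45
"""

# Constructed proxy log, tab-separated: timestamp, client_ip, method, url, status
SAMPLE_PROXY_LOG = """\
2014-11-03T09:01:05\t10.0.0.21\tGET\thttp://www.example.org/index.html\t200
2014-11-03T09:01:09\t10.0.0.21\tPOST\thttp://update.c2-example.invalid/gate.php\t200
2014-11-03T09:01:10\t10.0.0.21\tGET\thttp://203.0.113.45/bin/dl.rar\t200
2014-11-03T09:02:30\t10.0.0.35\tGET\thttps://mail.example.org/inbox\t200
2014-11-03T09:03:12\t10.0.0.35\tGET\thttp://198.51.100.7/files/setup.exe\t200
2014-11-03T09:04:00\t10.0.0.40\tGET\thttp://payload-host.example.com/x\t404
"""

# Heuristic only: file types the advisory associates with the dropper.
SUSPICIOUS_EXTENSIONS = (".exe", ".rar", ".scr")


def load_iocs(text):
    """Split an indicator feed into a set of domain strings and a set of IP addresses."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips


def domain_matches(host, domains):
    """True if host equals an indicator or is a subdomain of one, compared label-wise."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(url, domains, ips):
    """Return the list of reasons a URL is suspicious (empty if it is clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr in ips:
            reasons.append("ioc-ip")
        if parts.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append("executable-from-ip-literal")   # heuristic, not an IoC
    elif domain_matches(host, domains):
        reasons.append("ioc-domain")
    return reasons


def scan_proxy_log(text, domains, ips):
    """Return {client_ip: [(timestamp, url, reasons), ...]} for clients with hits."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split("\t")
        reasons = classify(url, domains, ips)
        if reasons:
            hits[client].append((ts, url, reasons))
    return dict(hits)


if __name__ == "__main__":
    domain_iocs, ip_iocs = load_iocs(IOC_FEED)
    for client, entries in scan_proxy_log(SAMPLE_PROXY_LOG, domain_iocs, ip_iocs).items():
        for ts, url, reasons in entries:
            print(client, ts, url, ",".join(reasons))
```

On the constructed log, 10.0.0.21 is reported twice (a beacon to a subdomain of an indicator, then an archive pulled from an indicator IP) and 10.0.0.35 once on the heuristic alone, which is the kind of hit that should be triaged rather than acted on automatically. In a real deployment the feed and the log would be read from files or a SIEM export, and the indicator list would need refreshing as the campaign's infrastructure changes.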