The Emotet Trojan, a thorn in the side of financial institutions and your average individual alike, is back with new techniques and an upsurge in attacks.
According to researchers from Menlo Security, since mid-January 2019, Emotet has been used in a rapid stream of campaigns which have evolved to infect even more systems.
Emotet was first discovered back in 2014 and is now considered one of the most destructive and insidious financial Trojans in existence.
Once known simply as an individual, self-propagating Trojan with little to recommend itself, the threat actors behind the malware, dubbed Mealybug, have created a malware-as-a-service business based on the Trojan in recent years — pivoting the malware to a threat distribution platform available to other cyberattackers.
The modular Emotet software now usually acts as a distribution and packing system for other malicious payloads, but is also able to brute-force computer systems, generate Business Email Compromise (BEC) messages in compromised accounts for the purposes of spam campaigns, create backdoors, and steal financial data.
In recent years, Emotet has been observed in the wild deploying the IcedID banking Trojan, Trickybot, Ransom.UmbreCrypt, and Panda Banker.
A 2018 US-CERT security advisory dubbed Emotet to be “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
Trend Micro researchers warned in November that Emotet now utilizes dual infrastructures and a variety of command-and-control (C2) servers to better protect itself against takedown attempts.
In recent campaigns, Menlo Security says that malicious documents containing Emotet are being distributed via URLs hosted on threat actor-owned infrastructure as well as traditional spam email attachments.
As shown below, Emotet has been tracked in recent months in attacks against healthcare, finance, and the insurance industry, among others.
While 20 percent of the malicious documents sampled were Word documents containing embedded macros as is typical of Emotet, the other 80 percent appeared to be Word documents with a .doc extension — but were actually XML files.
The researchers say this twist has appeared in an effort to avoid both detection and sandbox setups, often used by security teams to reverse-engineer malware code.
“This technique is probably used to evade sandboxes, since sandboxes typically use the true file type and not the extension to identify the application, they need to run in inside the sandbox,” Menlo Security said. “While the true file type is XML, it is still opened in Microsoft Word at the endpoint, thereby prompting the user to enable the malicious embedded macro.”
In total, 10 percent of the overall sample could also not be identified as malicious by standard antivirus software.
The researchers said that in some of the documents viewing the contents of macros were disabled and VBA Projects — created in Excel — were locked, which the team believes was potentially an attempt to “thwart the analysis of the macro’s contents.”
“In the past, we have seen Emotet being delivered through regular macro-infested Word documents, but this technique of disguising an XML document as a Word document seems to be a recent change in the delivery technique,” Menlo says. “With such constant changes in tactics from the Emotet threat actors, we foresee that this campaign will continue to evolve and become more sophisticated.”
The company added that Emotet made its top list of banking Trojans last year and it is expected that the malware will maintain its position throughout 2019.
On Wednesday, Cybereason’s Nocturnus Research team discussed new developments in the Astaroth Trojan, of which the malware has been given the capability to abuse processes in legitimate antivirus software to steal personal and sensitive data.