
EMOTET reemerges after months in hiding


First identified in 2014, Emotet has continued to infect systems and compromise users to this day, which has kept it in the news far longer than other threats from the same year.

The last version of Emotet was seen back in February, when it was distributed across WLAN networks, highlighting how this malware had evolved from a banker Trojan aimed at stealing financial details to a global threat to all users.

Now, this polymorphic malware, which is able to adapt itself every time it is downloaded in order to evade detection, is once again on the rampage after five months in hiding.

How to protect against Emotet

Criminals are again using email as an attack vector

In this latest reappearance, Emotet has returned to one of its favorite attack vectors: a massive spam campaign with malicious links or attachments. Looking back over its history, malspam has been the prime channel through which Emotet has spread. The malware harvests the victim's contact list and sends itself to every friend, associate and relative in it. Because these emails come from the victim's own address, they do not look like spam, and recipients are likely to feel safe clicking the links or opening the infected files.

What are the files like? Once again, the attackers sent thousands of emails with invoices, reports, delivery receipts, and even job offers.

Who do these emails target? The messages are mainly sent out to companies, and once a system is infected, it is often used to continue sending out these messages to the contacts in the address book.
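The two traits described above, lure subjects (invoices, reports, delivery receipts, job offers) delivered with a link or attachment from an address that is already in the recipient's address book, can be turned into a simple mail-triage heuristic. The following is an added illustration, not code from Panda Security; the keyword sets, sample messages and contact list are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Lure themes named in the article; the keyword lists are constructed guesses.
LURE_THEMES = {
    "invoice": re.compile(r"\binvoice|\bpayment|\bremittance", re.I),
    "report": re.compile(r"\breport\b", re.I),
    "delivery": re.compile(r"\bdelivery|\bshipment|\breceipt", re.I),
    "job_offer": re.compile(r"\bjob offer|\bposition|\bvacancy", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(msg: Message, known_contacts: set) -> dict:
    """Collect the signals for one message. 'review' is True when a lure
    theme is combined with a delivery mechanism (link or attachment).
    A sender found in the address book raises priority instead of lowering
    it, because Emotet mails itself out from compromised contacts."""
    themes = [name for name, rx in LURE_THEMES.items() if rx.search(msg.subject)]
    has_link = bool(URL_RE.search(msg.body))
    has_attachment = bool(msg.attachments)
    return {
        "themes": themes,
        "has_link": has_link,
        "has_attachment": has_attachment,
        "from_known_contact": msg.sender.lower() in known_contacts,
        "review": bool(themes) and (has_link or has_attachment),
    }

def triage_batch(msgs, known_contacts) -> list:
    """Subjects of messages needing review, known-contact senders first."""
    results = [(m, triage(m, known_contacts)) for m in msgs]
    flagged = [(m, r) for m, r in results if r["review"]]
    flagged.sort(key=lambda mr: not mr[1]["from_known_contact"])  # stable sort
    return [m.subject for m, _ in flagged]

# Constructed sample data: one known contact, three messages.
KNOWN_CONTACTS = {"alice@example.com"}
SAMPLE_MESSAGES = [
    Message("alice@example.com", "Invoice 2041 for July", "Please see attached.",
            ["Invoice_2041.doc"]),
    Message("alice@example.com", "Lunch on Friday?", "Let me know."),
    Message("hr@partner.invalid", "Your delivery receipt",
            "Download here: http://example.invalid/dl"),
]
```

Run `triage_batch(SAMPLE_MESSAGES, KNOWN_CONTACTS)` to see that the invoice mail from the known contact is listed before the delivery-receipt mail from the unknown sender, while the lunch invitation is not flagged.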

One characteristic of Emotet is that it downloads several modules that allow it to launch a wide variety of malicious actions, especially on corporate networks. These include lateral movement across systems on the same network, theft of credentials and cookies stored in browsers, theft of bank credentials and credentials for remote desktop applications such as OpenSSH, VNC and PuTTY, and the theft of databases belonging to Windows Active Directory services.

Moreover, current versions of Emotet incorporate the option to install other malware on infected devices. That malware can include other banker Trojans or malspam delivery services. Until a few months ago, the Ryuk ransomware was typically used, although since its reappearance, Emotet has spread other malware on networks, such as Conti. Criminals can thereby steal confidential information and demand a ransom.
