Watch out for a new type of malware | 18/02/2019 | GenesisIT,Hull


Genesis Business Systems Blog

What is it?

Emotet was first identified by security researchers in 2014 and was originally designed as a banking Trojan used to steal financial data. It has since evolved into a major threat to users everywhere.

Current versions of the Emotet Trojan include the ability to install other malware on infected machines. This malware may include other banking Trojans or malspam delivery services.

How does it evade detection?

“Emotet is polymorphic, which means it can change itself every time it is downloaded, evading signature-based detection.”

Emotet uses several tricks to try to prevent detection and analysis. It also knows if it’s running inside a virtual machine (VM) and will lie dormant if it detects a sandbox environment.

It uses worm-like capabilities to help spread to other connected computers, which helps distribute the malware. This functionality has led the Department of Homeland Security to conclude that Emotet is one of the most costly and destructive malware families, costing upwards of $1M per incident to clean up.

How does it work?

Emotet also uses C&C servers to receive updates, which works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How is it spread?

Emotet is a Trojan that is primarily spread through spam emails (malspam). It ransacks your contacts list and sends itself to your friends, family, co-workers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.

The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may be designed to look like a legitimate email and try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. If the password to the all-important human resources server is simply “password” then it’s likely Emotet will find its way there.

Another method that Emotet uses to spread is through the EternalBlue/DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks on the NHS. These attacks take advantage of vulnerabilities in Windows that can allow the installation of malware without human interaction.

This ability to self-replicate, like a type of malware we call a worm, causes endless headaches for network administrators across the globe as Emotet spreads itself from system to system.

Who does Emotet target?

To date, Emotet has hit individuals, companies, and government entities across the United States and Europe, stealing banking logins, financial data, and even Bitcoin wallets.

Now that Emotet is being used to download and deliver other banking Trojans, the list of targets is potentially even broader. Early versions of Emotet were used to attack banking customers in Germany. Later versions of Emotet targeted organizations in Canada, the United Kingdom, and the United States.

How can I protect myself from Emotet?

You can protect yourself and your users from Emotet with a robust cyber security program that includes multi-layered protection.

How can Genesis help?

We can help you establish effective cyber security practices for your business. We can review what processes you have in place and advise on any areas of weakness.

If you would like to discuss this further, please contact us on telephone 01482 210999 or email [email protected]