• Emotet Malware Alert: US-CERT TA18-201A


    Alert TA18-201A: Emotet Malware
    https://www.us-cert.gov/ncas/alerts/TA18-201A

    Original release date: July 20, 2018

    Systems Affected: Network Systems

    Overview
    Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

    This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).
    Description

    Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

    Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

    Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate through the local networks via incorporated spreader modules.

    Read the full alert here
    Further information on Emotet from Wikipedia

    • #205229

      Source Code for Exobot Android Banking Trojan Leaked Online
      By Catalin Cimpanu | July 23, 2018

      The source code of a top-of-the-line Android banking trojan has been leaked online and has since rapidly spread in the malware community, worrying researchers that a new wave of malware campaigns may be in the works.

      This malware’s name is Exobot, an Android banking trojan that was first spotted at the end of 2016, and which its authors mysteriously abandoned by putting its source code for sale in January this year.

      Security researchers from ThreatFabric have told Bleeping Computer that the Exobot trojan source code we received had actually leaked online in May when one of the users who bought it from the original author decided to share it with the community.

      So not only is Exobot’s source code freely accessible, but it’s also pretty effective, just like the BankBot code was top-of-the-line when it was leaked in 2016. In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code.

      Read the full article here

      • #205274

        (1) Exobot: So… those of us who do not use smartphones, let alone Android in any way whatsoever we are aware of should be OK? Or is Android also present in, let’s say, Google searches or when using Chrome, two things that many of us regularly do?

        (2) Emotet: Is it correct to assume that this is a danger to anyone connected to the Internet, regardless of operating system?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #205336

          To me, the key point is that banking trojans are in the wild, and we should all ensure we are very careful in our “cybersecurity hygiene”, i.e. not clicking on unexpected links or attachments, getting updates from genuine sources only, checking for unexpected program changes, etc.

          It’s just another reason for us to be vigilant in our use of technology, being aware of the risks. 🙂

          • #205497

            Hmm… Yes, of course, but am still curious about questions (a) and (b).

            And, while at it, I may also point out that ever since the dawn of ATMs our banking cyber security has been on the shaky side. Or even further back, since credit cards (i.e. when “cyber” was a prefix to things ‘cybernetic’, in use only among some mathematicians, computer scientists and system theorists). Or even since checks (with your signature on them, a forger can, potentially, have a really good time with a little bit of work, same as with credit card slips). So, unfortunately, being careful and practicing good online hygiene are highly advisable, but not infallible strategies. Nothing you did not know already, but I just felt like putting it down here in so many words.


    • #237185

      Just a reminder (in, yes, an old thread), but as ESET’s product detection graphics show, this is on the rise.

      https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

      As noted in the article, the downloads that might be used involve Office 365 programs.
