
Emotet Rises Again

The primary way the Trojan Emotet spreads is through spam emails (malspam). It can arrive as a malicious link, a macro-enabled document, or a script. Emotet emails often carry recognizable company logos to look genuine, and use engaging lures such as "Your Invoice", "Payment Details", or an upcoming delivery from a reputable courier to entice recipients into opening the malicious files. Emotet also receives updates from its C&C servers. This lets the operators update the program, drop additional malware such as banking Trojans, or use the infected machine as a collection point for stolen data: credit card numbers, usernames, passwords, and email addresses. All of this happens silently, with no visible symptoms, much like an operating system update on your PC.

Emotet is mainly transmitted through spam. After going through your contacts list, Emotet sends messages to your friends, family, coworkers, and clients. Because the emails come from your stolen account, they look less like spam, so recipients feel safer and are more likely to click on risky links and download harmful files. If a network is present, Emotet spreads across it, brute-forcing access to newly reachable machines with a list of well-known passwords. If the password for the human resources server is simply "password", Emotet will undoubtedly wind up there.

For Emotet, everyone is a target. Emotet has so far targeted individuals, businesses, and government organizations across Europe and the United States, stealing banking logins, financial information, and even Bitcoin wallets. The list of targets is likely much longer now, because Emotet is also used to download and deploy other banking Trojans. Early versions of Emotet targeted German banking customers; later iterations targeted Canadian, British, and American organizations.

Keep your PC and endpoints updated with the most recent Windows patches. Don't click a dubious-looking link or download a suspicious attachment: opening such emails is how Emotet first gains access to your machine or network. Take the time to teach your users how to identify spam. Inform yourself and your users on how to create a secure password, and start using two-factor authentication while you're at it.

Threat actors behind the infamous Emotet malware are continually adapting their tactics, according to new research from VMware on the delivery and evasion techniques used in recent Emotet attacks. Emotet was first identified in June 2014 as a banking trojan operated by the threat actor Mummy Spider (also known as TA542), before evolving in 2016 into an all-purpose loader that can deliver second-stage payloads such as ransomware. It also relies on covert command-and-control (C2) infrastructure.

As reported by The Hacker News, researchers from VMware's Threat Analysis Unit (TAU) observed that the malware's long-standing success is partly due to the ongoing modification of its execution chain. Another trait of Emotet attack pathways is the use of several attack paths at once, which helps it go unnoticed over lengthy periods. The Emotet payload was disseminated both by an Excel 4.0 (XL4) macro that invoked PowerShell and by a plain XL4 macro. Additionally, according to VMware, a Visual Basic for Applications (VBA) macro used PowerShell in three separate attack sets in January 2022.

VMware also found that 10,235 Emotet payloads discovered in the wild between March 15, 2022, and June 18, 2022, used Epoch 5 C2 servers. Aside from the changes to C2 IP addresses and execution chains, Emotet has been distributing two new plugins: one intended to collect credit card information from the Google Chrome browser, and a spreader module that moves laterally over the SMB protocol.
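The brute-force spreading described earlier (trying a list of well-known passwords against newly reachable machines) and the SMB spreader module above leave the same defender-visible trace: one host generating failed network logons against several other hosts within seconds. The following detection rule is an added example, not part of the original article or VMware's research; it assumes Windows logon events reduced to the fields shown, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): Windows logon events reduced to the fields
# the rule needs. 4625 = failed logon, 4624 = successful logon, LogonType=3 = network (SMB).
SAMPLE_EVENTS = [
    "2022-05-10T09:00:01 EventID=4625 Source=10.0.0.5 Target=FILESRV01 Account=administrator LogonType=3",
    "2022-05-10T09:00:02 EventID=4625 Source=10.0.0.5 Target=FILESRV01 Account=administrator LogonType=3",
    "2022-05-10T09:00:03 EventID=4625 Source=10.0.0.5 Target=HRSRV01 Account=administrator LogonType=3",
    "2022-05-10T09:00:04 EventID=4625 Source=10.0.0.5 Target=HRSRV01 Account=hr_admin LogonType=3",
    "2022-05-10T09:00:05 EventID=4625 Source=10.0.0.5 Target=WKS-0042 Account=administrator LogonType=3",
    "2022-05-10T09:00:06 EventID=4624 Source=10.0.0.5 Target=WKS-0042 Account=administrator LogonType=3",
    "2022-05-10T09:01:30 EventID=4625 Source=10.0.0.9 Target=FILESRV01 Account=jsmith LogonType=3",
    "2022-05-10T09:45:00 EventID=4625 Source=10.0.0.9 Target=FILESRV01 Account=jsmith LogonType=3",
]

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_lateral_bruteforce(lines, window=timedelta(seconds=60), min_failures=4, min_targets=2):
    """Return {source: {failures, targets, succeeded_on}} for sources whose failed network
    logons in one sliding window reach min_failures and span min_targets distinct hosts;
    a mistyped password hits one host, a spreader with a password list fans out fast."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in map(parse_event, lines):
        if rec["LogonType"] == "3" and rec["EventID"] == "4625":
            failures[rec["Source"]].append(rec)
        elif rec["LogonType"] == "3" and rec["EventID"] == "4624":
            successes[rec["Source"]].append(rec)
    alerts = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:  # drop events older than the window
                start += 1
            win = recs[start:end + 1]
            targets = {r["Target"] for r in win}
            if len(win) >= min_failures and len(targets) >= min_targets:
                if src not in alerts or len(win) > alerts[src]["failures"]:
                    # A success from the same source after the spray began marks the host
                    # it most likely got into with a guessed password.
                    got_in = {r["Target"] for r in successes[src] if r["ts"] >= win[0]["ts"]}
                    alerts[src] = {"failures": len(win), "targets": sorted(targets),
                                   "succeeded_on": sorted(got_in)}
    return alerts
```

On the sample data only 10.0.0.5 is flagged: the lone user on 10.0.0.9 fails twice against one host 44 minutes apart and never reaches the thresholds.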

Most of the servers’ IP addresses were in the United States, Germany, and France. In contrast, most Emotet modules were hosted in France, Singapore, Ghana, Korea, Thailand, and India. It is advised to create network segmentation, impose a Zero Trust model, and swap out the default authentication techniques with stronger ones to defend against attacks like Emotet.

Source: TheHackerNews, VMware
