Trend Micro researchers first spotted the banking malware using network sniffing to steal data in 2014 and recently observed an increase in activity in August 2017 from new variants, each capable of delivering different types of payloads, according to a 7 September blog post.
The latest versions spotted were TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW and TSPY_EMOTET.AUSJKV, each of which could drop different malicious payloads. Researchers attributed the malware's resurfacing to two main possible reasons: first, the authors behind the attacks may be targeting new regions, and second, the new variants use multiple ways to spread.
Earlier EMOTET variants primarily targeted the banking sector, while newer variants have been spotted targeting various industries including manufacturing, food and beverage, and healthcare. The newer variants spread primarily through spam botnets as well as via a network propagation module that brute-forces its way into an account domain using a dictionary attack. Some variants also use compromised URLs as C&C servers, which likely helped the malware spread as well.
The bulk of infections are in the US which account for 58 percent of all detected infections, while Great Britain and Canada were at 12 percent and eight percent respectively.
The new EMOTET variants are often sent via phishing emails claiming to be an invoice or payment notification, with the body of the email containing a malicious URL. Clicking the link downloads a document containing malicious macros designed to execute a PowerShell command line that in turn downloads the trojan.
“The malware will attempt to ease its entry into the system by deleting the Zone Identifier Alternate Data Stream (ADS), which is a string of information that describes the Internet Explorer Trust Settings of the file's download source,” researchers said in the post. “This is one way for the system to find out if a downloaded file is from a high-risk source, blocking the download if it is detected as such.”
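The Zone Identifier stream mentioned above is what Windows calls the Mark-of-the-Web: a small `[ZoneTransfer]` section stored in an NTFS alternate data stream named `Zone.Identifier`, whose `ZoneId` tells the system which security zone the file came from. As an added defender-side example (not code from the Trend Micro post or from the malware), the following Python script parses that stream and audits a download folder for files that lack it, which is the state a file is left in once the stream has been stripped. The sample stream text and the `example.invalid` URLs are constructed for illustration; the zone number-to-name table follows the standard Internet Explorer URL zone values.

```python
"""Audit Mark-of-the-Web (Zone.Identifier) state for downloaded files.

Added example, not part of the original article. Files saved by a browser on
NTFS carry an alternate data stream "Zone.Identifier" holding an INI-style
[ZoneTransfer] section. Windows reads its ZoneId to decide whether to warn
about or block the file. A downloaded file with no such stream deserves a
second look, since removing the stream is the evasion described in the text.
"""
import os
import sys
from dataclasses import dataclass
from typing import Optional

# Standard Internet Explorer URL security zone values.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser writes for an Internet-zone download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/invoice\r\n"
    "HostUrl=https://example.invalid/invoice.doc\r\n"
)


@dataclass
class ZoneInfo:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def high_risk(self) -> bool:
        # Internet (3) and Restricted Sites (4) are the untrusted origins.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[ZoneInfo]:
    """Parse the text of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section or no usable ZoneId.
    """
    in_section = False
    fields = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return ZoneInfo(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"Unknown ({zone_id})"),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file, or None if absent.

    NTFS exposes alternate data streams as "<file>:<stream>", so a plain open
    works on Windows. Elsewhere the colon is an ordinary filename character,
    the open fails, and the file is reported as having no stream.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_directory(directory: str) -> dict:
    """Bucket every regular file in a directory by its Mark-of-the-Web state."""
    report = {"missing_motw": [], "high_risk": [], "low_risk": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        info = parse_zone_identifier(read_zone_identifier(path) or "")
        if info is None:
            report["missing_motw"].append(name)
        elif info.high_risk:
            report["high_risk"].append((name, info.zone_name, info.host_url))
        else:
            report["low_risk"].append((name, info.zone_name))
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for bucket, entries in audit_directory(target).items():
        print(f"{bucket}: {entries}")
```

Run it against a user's download folder on a Windows host and the `missing_motw` bucket lists files that either were never downloaded through a zone-aware application or have had the stream removed; correlating those entries with browser download history or proxy logs separates the two cases.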
The trojan will then register itself as a system service and add registry entries to ensure that it is automatically executed at every system startup, the post said.
In addition to the malicious payload, the trojan's command and control server is also responsible for sending modules that perform spamming routines, network worm routines, mail password viewer routines, and web browser password viewer routines.
To address these issues, researchers recommend a multilayered and proactive approach to security as well as endpoint solutions.