Emotet Trojan Evolves Since Being Reawakend, Here is What We Know

Accepted submission by exec at 2019-09-20 04:38:53
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [BleepingComputer]

Time: 2019-09-19 19:46:28 UTC

Original URL: https://www.bleepingcomputer.com/news/security/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know/ [bleepingcomputer.com] using UTF-8 encoding.

Title: Emotet Trojan Evolves Since Being Reawakend, Here is What We Know

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Emotet Trojan Evolves Since Being Reawakend, Here is What We Know

Arthur T Knackerbracket has found the following story [bleepingcomputer.com]:

With the reawakening of the Emotet botnet, the distribution methods, payloads, malicious document templates, and email templates continue to evolve. This article will go over some of the changes that have been observed by various security researchers over the past couple of days.

After months of inactivity, Emotet came back to life [bleepingcomputer.com] on Monday as it started churning out spam emails that push malicious attachments to unsuspecting users. While formerly a banking Trojan that would steal login credentials, the Emotet Trojan is now used as a distribution vehicle for other malware.

After only a few days, researchers have already seen Emotet split into different distributions and employ new document templates designed to further trick users into enabling malicious Word macros.

When the Emotet botnet came back to life again, it was using a malicious Word document template that asked you to "Accept the license agreement" by clicking on the "Enable Content" button. Doing so would enable macros embedded in the document, which would then install the Emotet Trojan on the recipient's computer.

As seen by Microsoft [twitter.com] and security researchers such as JamesWT [twitter.com], Joseph Roosen [twitter.com], Brad Duncan [twitter.com], ps66uk [twitter.com], and others, Emotet has changed its malicious document template to use a new "Protected View" lure. This lure tells the potential victims that the "action can't be completed because the file is open in Protected View. Some active content has been disabled. Click Enable Editing and Enable Content."

Just like the previous template, if you click Enable Editing and then Enable Content, the embedded macros will run a script that installs Emotet onto the computer.

While most of the Emotet spam we have seen includes attachments, some also include links from which the malicious document can be downloaded.

For example, below is an Emotet spam that includes a malicious Word document attachment.

JamesWT also shared an email sample with BleepingComputer that was sent to Italian-speaking recipients and includes a link that can be used to download the malicious document.

This means that filtering attachments alone is not foolproof protection.

While most reports of the new Emotet campaigns have focused on the malicious attachments spawning PowerShell, some of the spam being sent out also uses WScript to execute a JScript script to install a malicious payload.

For example, below is the PowerShell command that an Emotet attachment executed when the botnet came back to life on September 16th, 2019.

Unfortunately, there is no way to stop PowerShell from executing encoded commands. You can, though, disable PowerShell script execution if it is not needed in your environment by using this command from a PowerShell Administrator prompt:

Since Monday, JamesWT has also shared spam emails that contain attachments utilizing WScript instead. When the attachments are opened and macros enabled, a JSE (JScript Encoded) file will be created in the %UserProfile% folder and then executed with WScript as shown below.

Below you can see the obfuscated JSE file that is being launched.
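The two launch patterns described above (PowerShell given an encoded command, and WScript running a JSE file dropped in the user profile) can both be picked out of process-creation logs even though encoded commands cannot be switched off. The following Python triage routine is an added example, not code from the article or from BleepingComputer; the log lines, the harmless sample script, the user name "alice" and all paths are constructed.

```python
import base64
import binascii
import re

# Constructed sample (not from the article): a harmless script encoded the way
# PowerShell's -EncodedCommand expects it (base64 over UTF-16LE text).
SAMPLE_SCRIPT = "Write-Host 'constructed sample, not malware'"

def encode_ps(script):
    """Encode a script as 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation command lines, as Sysmon event 1 or Windows
# event 4688 would record them (hypothetical user 'alice').
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc '
    + encode_ps(SAMPLE_SCRIPT),
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\report.jse"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    r"powershell.exe -ea SilentlyContinue -File C:\Scripts\backup.ps1",  # benign
]
# Common spellings of the switch; PowerShell accepts any unambiguous prefix of
# -EncodedCommand, so extend the list if your logs show other forms.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# wscript/cscript launching a script-engine file out of a user profile folder.
_WSH_RE = re.compile(r'(?i)\b[wc]script(?:\.exe)?"?\s+"?(C:\\Users\\[^"]+?\.(?:jse|js|vbs|vbe|wsf))')

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # switch present but payload is not valid base64/UTF-16LE

def triage(cmdlines):
    """Return (command line, reason) pairs for the two launch patterns above."""
    findings = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            findings.append((line, "PowerShell encoded command: " + decoded))
            continue
        m = _WSH_RE.search(line)
        if m:
            findings.append((line, "WScript running user-profile script: " + m.group(1)))
    return findings
```

The decoded payload is what an analyst should review, since the base64 form hides both the download URL and the dropped file name.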

Knowing this, if you do not have any use for running JScript files locally, you can disable the WScript engine as an extra layer of protection.

This can be achieved by creating a value named Enabled, set to 0, under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings Registry key.

Alternatively, you can use the following Registry file to create the value for you.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]

"Enabled"=dword:00000000

Recently, the Emotet tracking group named Cryptolaemus [twitter.com] tweeted that Emotet has split into three "Epochs" labeled E1, E2, and E3.

When trying to research what Epochs are in relation to Emotet, there was not much detailed info, so I reached out to Emotet guru Joseph Roosen [twitter.com] who was kind enough to explain them to me.

Epochs are subgroups of the overall Emotet botnet that utilize their own infrastructure such as different command & control servers, distribution methods, payloads, and even assigned bots. According to Roosen, these Epochs may be used to target different countries, deliver different payloads, or to act as redundant infrastructure.

To provide some context, Roosen shared an explanation of what he was seeing in March 2019.

"In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period. This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same time period."

It is speculated that Emotet is a large botnet operated by a single group, known as TA542 by Proofpoint [proofpoint.com] or Mummy Spider by CrowdStrike [crowdstrike.com].

This group then "rents" out malware distribution through the Emotet botnet to other threat actors. For example, it has been thought [bleepingcomputer.com] that the threat actor group behind TrickBot is renting distribution from the Emotet botnet.

These different "renters" may get their own Epoch to host their distribution campaigns or the Epochs could be used to push different volumes of paid distribution.

Roosen told BleepingComputer that out of the known Epochs, only Epoch 1 was dropping the Dreambot Trojan yesterday.

With the varied payloads, potential renters, and wide distribution, Emotet is a threat that all administrators, security professionals, and users need to keep an eye on.

-- submitted from IRC