Experts noticed that this week Emotet resumed its activity and after a three-month “rest” began to send malicious spam again. So far, information security specialists have not found any additional payloads.

It looks like the malware is just collecting data for future spam campaigns.

Let me remind you that we also wrote that Emotet Malware Operators Found a Bug in Their Bootloader.

The resumption of malware activity was reported by Cofense analysts and specialists from the Cryptolaemus group, which includes more than 20 experts from around the world, who united in 2018 for a common goal – to fight Emotet.

The researchers recalled that the last Emotet spam campaign was observed in November 2022, and then spamming lasted only two weeks. Now the malware has continued to recover and collects new credentials for use, as well as stealing information from address books for targeting.

This time, instead of using chained response emails, as in the previous campaign, the attackers are using emails that mimic various invoices.

ZIP archives containing intentionally “bloated” Word documents larger than 500 MB are attached to such emails. Documents are deliberately filled with unused data to make the files bigger and harder for antivirus solutions to scan and detect malware.

In fact, such documents contain many macros that download the Emotet loader as a DLL from compromised sites (mostly hacked WordPress blogs). After downloading, the malware will be saved in a folder with a random name in %LocalAppData% and launched using regsvr32.exe.

At the same time, the malware DLL file is also deliberately increased to 526 MB in order to prevent security software from identifying the file as malicious. As noted by Bleeping Computer, this method of evading detection works great: according to VirusTotal, so far the malware has been detected by only one provider of security solutions out of 64. At the same time, this provider defines the threat only as Malware.SwollenFile.

Once launched on an infected device, Emotet will run in the background, waiting for commands from its operators, which will likely result in additional payloads being installed. Although Cofense experts note that they have not yet observed any additional payloads, and now the malware seems to be simply collecting data for future spam campaigns.

The post Emotet Has Resumed Activity after a Three-Month Break appeared first on Gridinsoft Blog.

So far, Emotet is not delivering additional payloads to the infected devices of victims, so it is not yet possible to say exactly what this malicious campaign will lead to.

Let me remind you that we also wrote that Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware.

One of the first to notice the resumption of Emotet activity was experts from the Cryptolaemus group, which includes more than 20 information security specialists from around the world, who in 2018 united for a common goal – to fight Emotet. According to them, the malware, which had been idle since June 13, 2022, suddenly resumed its work in the early morning of November 2 and began sending spam around the world.

Proofpoint expert and Cryptolaemus contributor Tommy Madjar report that a new spam campaign is using previously stolen email threads to spread malicious Excel attachments. Among the samples already uploaded to VirusTotal, you can find attachments aimed at users from all over the world, written in different languages and with different file names. Malicious documents are disguised as various invoices, scans, electronic forms, etc.

Bleeping Computer journalists list the names of some of the malicious honeypot files:

1. Scan_20220211_77219.xls
2. fattura novembre 2022.xls
3. BFE-011122 XNIZ-021122.xls
4. FH-1612 report.xls
5. 2022-11-02_1739.xls
6. Fattura 2022 – IT 00225.xls
7. RHU-011122 OOON-021122.xls
8. Electronic form.xls
9. Rechnungs-Details.xls
10. Gmail_2022-02-11_1621.xls
11. gescanntes-Document 2022.02.11_1028.xls

The researchers note that this Emotet campaign features a new template for Excel attachments, which contains revised instructions for users to bypass Microsoft Protected View.

A malicious Excel file tells the user how to proceed

The fact is that Microsoft adds a special Mark-of-the-Web (MoTW) flag to files downloaded from the Internet (including email attachments). And when a user opens a Microsoft Office document containing the MoTW flag, it opens in Protected View mode, which prevents the execution of macros that install malware.

Therefore, Emotet operators now instruct users to copy the file to the trusted Templates folders, as this will bypass Protected View restrictions (even for a file marked MoTW).

If a malicious attachment is launched from the Templates folder, it immediately executes macros that download the Emotet malware to the victim’s system. The malware is loaded as a DLL into several folders with random names in %UserProfile%\AppData\Local, and then the macros run the DLL using regsvr32.exe.

The malware will then run in the background, connecting to the attackers’ control server to receive further instructions or install additional payloads. Let me remind you that earlier Emotet distributed the TrickBot Trojan, and was also caught installing Cobalt Strike beacons.

History of Emotet:

Emotet appeared in 2014, but only in the 2020s did it become one of the most active threats among malware.

The malware was distributed mainly through email spam, malicious Word, and Excel documents, etc. Such emails could be disguised as invoices, waybills, account security warnings, invitations to a party, or information about the spread of the coronavirus. In a word, hackers will carefully follow global trends and constantly improve their bait emails.

Although Emotet once started as a classic banking Trojan, the threat has since evolved into a powerful downloader with many modules. Its operators have begun to cooperate with other criminal groups actively.

Having penetrated the victim’s system, Emotet used the infected machine to send spam further and installed various additional malware on the device. Often these were bankers such as TrickBot, miners, infostealers, as well as cryptographers like Ryuk, Conti, ProLock.

Europol called Emotet “the most dangerous malware in the world” and also “one of the most prominent botnets of the last decade.”

An attempt to eliminate the botnet, undertaken by law enforcement officers in 2021, was unsuccessful. At the end of the year, the malware returned to service, teaming up with Trickbot to “get back on its feet.”

However, experts warned about the active growth of Emotet, and last summer, it was noticed that the malware acquired its own module for stealing bank cards.

The post Emotet Botnet Resumed Activity after Five Months of Inactivity appeared first on Gridinsoft Blog.

Let me remind you, by the way, that at the end of last year we wrote that Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware.

Emotet’s main vector of distribution is spam emails with malicious attachments. When a victim opens a malicious document, malicious macros or scripts are loaded onto their system with the Emotet DLL.

Once downloaded, the malware looks for and steals email addresses for use in future phishing campaigns and downloads additional payloads like Cobalt Strike or other malware, including ransomware.

On Friday, April 22, Emotet operators launched a new spam operation with a password-protected ZIP file attached. It contained a Windows LNK (Quick Access Link) file disguised as a Word document.

After double-clicking on the shortcut link, a search command was executed in the file for a special string with Visual Basic Script code. This code was then added to a new VBS file that ran on the system.

As Cryptolaemus researcher Joseph Roosen told BleepingComptuer, Emotet operators stopped the new operation on Friday night when they discovered that the system was not infected due to a bug. However, they quickly fixed the bug and started spamming again on Monday.

This time, the shortcut link contains the actual file name, the command is executed, and the VBS file is created as expected. Emotet is freely loaded and executed on the attacked system.

The post Emotet Malware Operators Found a Bug in Their Bootloader appeared first on Gridinsoft Blog.

TrickBot is one of the most famous and “successful” malware to date. The malware was first noticed back in 2015, shortly after a series of high-profile arrests that significantly changed the composition of the Dyre hack group.

Over the years, TrickBot has evolved from a classic banking trojan designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners and ransomware to infostealers).

In the fall of 2020, a large-scale operation was carried out aimed at eliminating TrickBot. It was attended by law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec.

At that time, many experts wrote that although Microsoft managed to disable the TrickBot infrastructure, most likely the botnet would “survive”, and eventually its operators would put new control servers into operation, continuing their activity. Unfortunately, that is exactly what happened. Recently, TrickBot has been linked to the resurgence of the Emotet botnet, Diavol ransomware operations, and Conti ransomware.

IBM Trusteer analysts report that TrickBot now has several new layers of protection designed to bypass antivirus products and protect against scrutiny.

The researchers write that TrickBot developers use several levels of obfuscation and base64 for scripts, including minification, string extraction and replacement, dead code injection, and so-called monkey patching. Currently, TrickBot even has too many levels of obfuscation, which makes its analysis slow and often gives unreliable results.

In addition, during the injection of malicious scripts into web pages (to steal credentials), the injections do not use local resources on the victim’s machine, but rely solely on the servers of the attackers themselves. As a result, analysts cannot extract malware samples from the memory of infected machines. At the same time, TrickBot interacts with its control servers via HTTPS, which also makes it difficult to learn.

In addition, injection requests contain parameters that mark unknown sources, i.e. researchers cannot simply get malware samples from the attackers’ control server from any endpoint.

If earlier TrickBot tried to determine if it was being investigated by checking the host’s screen resolution, it now looks for signs of code beautify. This term usually refers to the transformation of obfuscated and other code into content that is easier to read by the human eye and, therefore, it is easier to find what you need in it. So, in the latest versions of TrickBot, regular expressions are used, which allow you to notice if one of the scripts has been “embellished”, because it usually indicates that the information security researcher is analyzing malware. To prevent disclosure TrickBot provokes a crash in the browser.

Let me remind you that we also reported that Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware.

The post TrickBot causes crashes on the machines when cybersecurity experts studying it appeared first on Gridinsoft Blog.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

• CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
• CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
• CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
• CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
• CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

While Cobalt Strike was trying to contact the lartmana[.]сom domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.

The post Emotet now installs Cobalt Strike beacons appeared first on Gridinsoft Blog.

Experts discovered Qbot in 2008; over the years, it has evolved from an ordinary info-stealer into a real “Swiss knife” for hackers.

Today, Qbot is capable of, for example, delivering other types of malware to the infected system, and can even be used to remotely connect to the target system to carry out banking transactions using the victim’s IP address.

As a rule, Qbot spreads in a classic way: through phishing emails that contain dangerous attachments or lure users to malicious sites controlled by hackers – say the researchers

Check Point experts remind that the updated version of Qbot can steal emails from its victims and then use them to send spam, thereby creating more believable decoys.

Between March and August 2020, Check Point researchers discovered several campaigns with an updated version of Qbot, including a campaign where malware was masked using Emotet. According to experts, in July 2020, this campaign affected 5% of organizations in the world.

Attackers are always looking for ways to improve malware. Now they are investing heavily in developing Qbot – it can be used to steal data massively from organizations and ordinary users. We have already seen active malicious spam campaigns that Qbot has been distributing. We also noted that sometimes Qbot is spread using another Trojan, Emotet – says Vasily Diaghilev, head of Check Point Software Technologies

Overall, in August 2020, the top most active malware looked like this:

• Emotet is an advanced self-spreading modular Trojan. Was once an ordinary banker but has recently been used to distribute malware and campaigns. New functionality allows sending phishing emails containing malicious attachments or links.
• Agent Tesla – Advanced Remote Access Trojan (RAT). AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer.
• FormBook is an info-stealer first discovered in 2016. It is marketed as MaaS in underground hacking forums due to its advanced evasion techniques and relatively low cost. FormBook collects credentials from various browsers, takes screenshots, monitors, and logs keystrokes, and can download and execute files as ordered from the command server.

Let me remind you that Emotet topped the rating of the most common threats in 2019 and, it seems, is not going to lose its positions.

Companies must consider introducing security solutions to prevent such content from reaching users. It is important to remind employees to be very careful when opening emails, even if they appear to come from a trusted source at a glance.

The post Qbot Trojan Entered The Top Of The Most Widespread Malware appeared first on Gridinsoft Blog.

Let me remind you that Microsoft has been implementing a systematic refusal to use the outdated SMBv1 for a long time. So, since 2016, the company has advised administrators to withdraw from SMBv1 support since this version of the protocol is almost 30 years old and does not contain the security improvements that were added in later versions.

Security enhancements include encryption, integrity checks before authentication to prevent man-in-the-middle (MiTM) attacks, blocking insecure guest authentication, and more.

Now the Exchange Team has once again reminded administrators of the insecurity of using SMBv1 because various malware still actively abuses them. Some vulnerabilities in SMB are exploited by EternalBlue and EternalRomance, as well as by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, and so on. In addition, known SMB problems can be used to spread the infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

The company says they did not check if the Exchange 2010 server was working correctly with SMBv1 disabled. And they are advised to upgrade from Exchange 2010 to Office 365 or a newer version of Exchange Server.

On this week, as part of the “Tuesday of updates” Microsoft fixed 99 bugs in its relatively products, including the sensational 0-day in Internet Explorer, but at the same time, the discontinuation of support for old products causes a very mixed reaction from users.

The post Microsoft recommends Exchange administrators to disable SMBv1 appeared first on Gridinsoft Blog.

Researchers say that to detect the nearest Wi-Fi networks, the malware uses wlanAPI.dll on an already infected machine. Having discovered an available network, Emotet tries to brute force the credentials in order to access it. If an attempt is successful, the malware searches on the new network for any Windows machines that can also be infected.

“All accounts on such potentially accessible devices are scanned, and the malware tries to penetrate into the administrator and other user accounts with brute force. If the hack is successful, Emotet delivers a payload to the machine in the form of a service.exe file and creates a Windows Defender System Service for secure establishing in the system”, – report experts of Binary Defense.

To infect other devices via Wi-Fi, the Trojan, among other things, uses the worm.exe binary, the studied sample of which is dated April 2018. It contained the hard-coded IP address of the management server previously seen in connection with Emotet. Experts suggest that malware used Wi-Fi distribution and went unnoticed for almost two years.

Researchers believe that this may be partially explained by the fact that this binary is rarely used. Therefore, specialists for the first time discovered it on January 23, 2020, although Binary Defense closely watched the actions of Emotet from August 2019, when the malware restored activity after the break.

“It is likely that the worm component is not used at all if the malware knows that it is dealing with a virtual machine or working in a sandbox”, – say Binary Defense engineers.

Another executable file that uses trojan for distribution via Wi-Fi is service.exe. It also has a curious feature: although it uses port 443 Transport Layer Security (TLS) to communicate with the management server, in fact, the connection occurs through unencrypted HTTP.

Analysts at Binary Defense recommend the use of strong passwords to protect wireless networks so that an Emotet-like malware could not easily penetrate the network.

Emotet is one of the most active trojans currently distributed via email spam through malicious Word documents. Such letters can be masked as invoices, invoices, account security warnings, party invitations, and even information on the spread of the coronavirus.

Overall, hackers are closely monitoring global trends and constantly improving their bait letters.

Any.Run, an interactive service for automated malware analysis, has compiled a list of the 10 most common threats downloaded to this platform. The Trojan Emotet topped this 2019 threat rating.

Having penetrated the victim’s system, Emotet uses the infected machine for further spamming and also installs additional malware on the device. Often this is the Trickbot banker (which steals credentials, cookies, browser history, SSH keys, and so on), as well as Ryuk ransomware.

The post Trojan Emotet is trying to spread through available Wi-Fi networks appeared first on Gridinsoft Blog.

For already three months, the Emotet Trojan has occupied one of the leading positions among malware: in December, Emotet affected 13% of organizations worldwide, comparing with 9% in November.

Basically, the trojan is distributed through spam mailings, which exploit the most relevant topics in the headings today. In December, for example, among them were: “Support Greta Thunberg – Time Person of the Year 2019” and “Christmas Party!”.

“The emails in both campaigns contained a malicious Microsoft Word document. When it is opened, it tried to download Emotet on the victim’s computer. Ransomware and other malware can spread through Emotet”, – reported Check Point specialists.

In December also significantly increased use of remote command injection via HTTP: 33% of organizations worldwide suffered this. If the criminals managed to exploit the vulnerability, the DDoS botnet payload entered the victims’ machines. The malicious file used in the attacks also contained a number of links to payloads, exploiting vulnerabilities in different IoT devices.

Devices of manufacturers such as D-Link, Huawei and RealTek were potentially vulnerable to these attacks.

“Over the past three months, the main threats have been universal multipurpose malware, such as Emotet and xHelper. They give cybercriminals many opportunities to monetize attacks, as they can be used to distribute ransomware or spread new spam campaigns. The goal of criminals is to penetrate and gain a foothold in the largest possible number of organizations and devices, so that subsequent attacks are more profitable and destructive. Therefore, it is very important that organizations inform their employees about the risks of opening and downloading email attachments or clicking on links that do not come from a reliable source”, – say experts at Check Point Software Technologies.

The most active threats of December 2019:

• Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
• XMRig – XMRig is an open-source CPU mining software used for mining Monero cryptocurrency, first seen in-the-wild on May 2017.
• Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.

The most active mobile threats in December 2019:

• xHelper – active since March 2019, and was used to download other malicious applications and display ads. The application is able to hide from the user and antivirus programs, and reinstall itself if the user uninstalls it.
• Guerilla – a clicker that can interact with the management server, download additional malicious plugins and aggressively boost clicks on ads without the consent or knowledge of the user.
• Hiddad is a modular backdoor for Android, which provides superuser rights to various malware, and also helps to introduce it into system processes. It can access key security mechanisms built into the OS, which allows it to receive confidential user data.

In the report by Any.Run, an interactive service for automated malware analysis, Emotet was named the main threat for the entire 2019.

The post Greta Thunberg became the most popular character in phishing campaigns appeared first on Gridinsoft Blog.