The developers of the Emotet malware continue to refine their distribution tactics. Social engineering is once again in use.
The Emotet trojan was first discovered in 2014, when it attacked customers of German and Austrian banks. Attackers used it to steal users' banking credentials. Over time, the trojan spread around the world.
Later, Emotet evolved into a dropper that installed other malicious programs on infected devices; those payloads did the real damage to the system.
In 2021 the trojan was knocked out after a coordinated takedown of its infrastructure by law enforcement, but by the end of the year it had returned. The malware spread mainly through phishing emails.
Emotet's development is attributed to the cybercriminal group TA542 (aka Gold Crestwood or Mummy Spider). Emotet is now distributed under the malware-as-a-service (MaaS) model. It has a modular structure and can deploy many components on compromised machines to extract confidential information and perform other malicious actions.
The two latest additions to Emotet's arsenal of modules are an "SMB spreader", designed for self-propagation of the trojan across the network, and a credit card stealer that targets the Google Chrome browser. Researchers have long noted persistent attempts to repurpose Emotet to distribute other malware, such as Bumblebee and IcedID.
A recent BlackBerry report describes in detail the distribution mechanism and the operation of the fresh Emotet. Of greatest interest is how the malware ends up on the victim's computer at all. This happens via the same phishing emails carrying malicious .xls files. But because Microsoft keeps hardening Office security, untrusted .xls documents downloaded from the Internet now open automatically in Protected View. This is bad news for Emotet, because the embedded macros are blocked at the application level. The operators of the campaign, however, found a way around this restriction: they wrote detailed instructions for naive users so that the users themselves clear the way for the virus.
Fake warning in the downloaded .xls file
As the image above shows, in the first row of the malicious document the attackers placed a message on the familiar yellow background: "In accordance with the requirements of the security policy, to display the content of the document, copy this file to the following location and run it again".
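The lure works because Protected View and the macro block apply to untrusted files, while a file copied into an Excel Trusted Location opens with macros enabled regardless of where it was downloaded from. The following PowerShell script is an added example (not part of the article or of the BlackBerry report) that lets an administrator audit the Trusted Locations configured for Excel and flag any that a standard user can write to, which is exactly the kind of location such instructions rely on. It assumes the Office 16.0 registry tree (Office 2016/2019/Microsoft 365); the "user-writable" test is a simple heuristic based on the user's profile directories.

```powershell
# Added example: audit Excel Trusted Locations for user-writable paths.
# Assumes Office version key 16.0; other Office versions use a different version key.
$versions = @('16.0')
$roots = @(
    'HKCU:\Software\Microsoft\Office\{0}\Excel\Security\Trusted Locations',
    'HKLM:\Software\Microsoft\Office\{0}\Excel\Security\Trusted Locations',
    'HKCU:\Software\Policies\Microsoft\Office\{0}\Excel\Security\Trusted Locations'
)

function Expand-OfficePath {
    param([string]$Path)
    # Office stores trusted paths with environment variables (e.g. %APPDATA%); expand them for comparison.
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function Get-ExcelTrustedLocations {
    foreach ($v in $versions) {
        foreach ($root in $roots) {
            $key = $root -f $v
            if (-not (Test-Path $key)) { continue }
            # Each trusted location is a subkey (Location0, Location1, ...) with a Path value.
            Get-ChildItem $key | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.Path) {
                    [pscustomobject]@{
                        Source          = $key
                        Name            = $_.PSChildName
                        Path            = Expand-OfficePath $p.Path
                        AllowSubfolders = [bool]$p.AllowSubfolders
                        Description     = $p.Description
                    }
                }
            }
        }
    }
}

function Test-UserWritable {
    param([string]$Path)
    # Heuristic (assumption of this example): anything under the user's profile,
    # the temp directory or the Public profile is treated as user-writable.
    $userRoots = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:SystemDrive\Users\Public")
    foreach ($r in $userRoots) {
        if ($r -and $Path.TrimEnd('\').StartsWith($r.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$locations = Get-ExcelTrustedLocations
foreach ($loc in $locations) {
    $flag = if (Test-UserWritable $loc.Path) { 'USER-WRITABLE' } else { 'ok' }
    '{0,-14} {1}  (subfolders: {2})  [{3}]' -f $flag, $loc.Path, $loc.AllowSubfolders, $loc.Source
}

# Policy values that tighten this control when set through Group Policy (shown for reference):
#   HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\Trusted Locations\AllLocationsDisabled = 1
#   HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\Trusted Locations\AllowUserLocations  = 0
```

Run it in the context of the user being audited, since per-user locations live under HKCU. Any line flagged USER-WRITABLE is a directory into which a phishing lure can ask the victim to copy the document, so those entries are the first candidates for removal or for replacement with a policy-managed list.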