This is an advisory on Emotet, an advanced, modular banking Trojan that also serves as a dropper of other banking Trojans.
IMPACT: HIGH
PUBLISH DATE: 20-07-2018
OVERVIEW
Emotet is a highly destructive banking Trojan. Its worm-like features enable rapid network-wide infection that is difficult to contain. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet is polymorphic and can evade typical signature-based detection. It has several methods of maintaining persistence, including auto-start registry keys and services, and it uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual-machine-aware and can generate false indicators when run in a virtual environment.
BACKGROUND INFORMATION
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be one of the most costly and destructive malware families, affecting state, local, tribal, and territorial (SLTT) governments as well as the private and public sectors.
WORK FLOW ANALYSIS
Emotet is disseminated through emails containing malicious attachments or links, using branding familiar to the recipient.
As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices.
Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the spam email. Once downloaded, Emotet attempts to spread through the local network using its built-in spreader modules.
Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
- NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
- WebBrowserPassView is a password recovery tool that steals passwords stored on Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
- Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
- Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account.
Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk.
Emotet’s access to SMB can result in the infection of entire domains (servers and clients).
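The credential enumerator described above brute-forces user accounts, including the administrator account, over SMB before the service component is written to a reachable host. The following detection logic is an added example written for this advisory, not code from Rewterz; the logon-event format, field names, window length and thresholds are all assumptions, and the sample records are constructed. In practice, Windows failed-logon events from a file server would first be normalized into the same (timestamp, source, user, result) tuples.

```python
"""Detect a credential brute-force burst from one source over constructed logon records.

Added example (not from the Rewterz advisory). The record format, field names and
thresholds are assumptions; SAMPLE_EVENTS is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one workstation tries many accounts on file server FS01,
# then authenticates successfully as a service account; a second host just mistypes once.
SAMPLE_EVENTS = """\
2018-07-20T10:00:01 src=10.0.5.23 dst=FS01 user=jdoe result=FAIL
2018-07-20T10:00:02 src=10.0.5.23 dst=FS01 user=asmith result=FAIL
2018-07-20T10:00:03 src=10.0.5.23 dst=FS01 user=administrator result=FAIL
2018-07-20T10:00:04 src=10.0.5.23 dst=FS01 user=bwong result=FAIL
2018-07-20T10:00:05 src=10.0.5.23 dst=FS01 user=administrator result=FAIL
2018-07-20T10:00:06 src=10.0.5.23 dst=FS01 user=cpatel result=FAIL
2018-07-20T10:00:07 src=10.0.5.23 dst=FS01 user=svc_backup result=SUCCESS
2018-07-20T10:05:00 src=10.0.7.41 dst=FS01 user=jdoe result=FAIL
2018-07-20T10:05:30 src=10.0.7.41 dst=FS01 user=jdoe result=SUCCESS
"""


def parse_event(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_bruteforce(text, window=timedelta(minutes=2), min_failures=5, min_accounts=3):
    """Return {source: details} for sources with a burst of failures across many accounts.

    A burst is min_failures or more FAIL events inside a sliding window that touch at
    least min_accounts distinct accounts (thresholds are assumptions). Any SUCCESS from
    the same source after the burst starts is reported as a possible compromised account.
    """
    events = sorted(
        (parse_event(line) for line in text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            accounts = {e["user"] for e in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                successes = sorted(
                    {e["user"] for e in evs
                     if e["result"] == "SUCCESS" and e["ts"] >= start["ts"]}
                )
                alerts[src] = {
                    "failures": len(in_window),
                    "accounts": sorted(accounts),
                    "admin_targeted": "administrator" in {a.lower() for a in accounts},
                    "success_after_burst": successes,
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, details in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, details)
```

The `success_after_burst` field is what turns a noisy brute-force alert into an actionable one: a successful logon from the same source right after the burst is the account to reset first, and the source host is the one to isolate before it writes the service component to further shares.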
To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.”
Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.
Emotet artifacts usually mimic the names of known executables. Emotet creates randomly named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.
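Two of the indicators above lend themselves to simple log-based hunting: C2 contact through a generated 16-letter domain ending in “.eu”, and randomly named service binaries dropped in the system root directories. The script below is an added example, not code from Rewterz; the DNS and service-install record formats are constructed, the list of “system root directories” and the vowel-ratio heuristic for random-looking names are assumptions, and real service-install events from the Windows event log would need to be normalized into the same service/path pairs.

```python
"""Hunt for two Emotet artifacts over constructed DNS and service-install records.

Added example (not from the Rewterz advisory). Record formats, ROOT_DIRS and the
randomness heuristic are assumptions; the sample data is constructed.
"""
import re

# Constructed DNS query log: timestamp, client, queried name
SAMPLE_DNS = """\
2018-07-20T11:02:10 10.0.5.23 www.paypal.com
2018-07-20T11:02:11 10.0.5.23 qzkwtvbnxhgrplmd.eu
2018-07-20T11:02:12 10.0.5.23 mail.example.eu
2018-07-20T11:03:40 10.0.7.41 abcdefghijklmnop.eu
2018-07-20T11:03:41 10.0.7.41 update.microsoft.com
"""

# Constructed service-install records: service name and binary path
SAMPLE_SERVICES = """\
svc=Spooler path=C:\\Windows\\System32\\spoolsv.exe
svc=rxkqvwmlzt path=C:\\Windows\\rxkqvwmlzt.exe
svc=Themes path=C:\\Windows\\System32\\svchost.exe
svc=updater path=C:\\Program Files\\Vendor\\updater.exe
svc=hdtqzplm path=C:\\hdtqzplm.exe
"""

# Exactly 16 letters followed by ".eu", as described in the advisory
C2_DOMAIN_RE = re.compile(r"^[a-z]{16}\.eu$")
SERVICE_RE = re.compile(r"^svc=(\S+)\s+path=(.+)$")
# Assumed meaning of "system root directories": the drive root and %SystemRoot% itself
ROOT_DIRS = ("c:\\", "c:\\windows\\")


def suspicious_c2_domains(text):
    """Return (client, qname) pairs whose queried name matches the 16-letter .eu pattern."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        if C2_DOMAIN_RE.match(qname.lower()):
            hits.append((client, qname.lower()))
    return hits


def looks_random(name, max_vowel_ratio=0.2):
    """Crude heuristic (assumption): legitimate program names almost always contain vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def suspicious_services(text):
    """Return (service, path) pairs for random-looking binaries placed directly in a root dir."""
    hits = []
    for line in text.splitlines():
        match = SERVICE_RE.match(line.strip())
        if not match:
            continue
        svc, path = match.groups()
        directory, _, filename = path.lower().rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if directory + "\\" in ROOT_DIRS and looks_random(stem):
            hits.append((svc, path))
    return hits


if __name__ == "__main__":
    print("C2-style lookups:", suspicious_c2_domains(SAMPLE_DNS))
    print("suspicious services:", suspicious_services(SAMPLE_SERVICES))
```

The domain check is deliberately strict (exactly 16 letters, no subdomain), matching the advisory's description; relaxing it to cover other lengths would trade precision for recall. The service check is only a first filter: a hit should be confirmed by pulling the binary's hash and the account that installed the service, and by looking for the same host in the DNS hits.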
Note: Do not use privileged accounts to log in to compromised systems during remediation, as this may accelerate the spread of the infection.
If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.