
Another Emotet banking trojan campaign is spreading, warns Canadian managed security provider


A Canadian security vendor has warned that it is seeing an increase in the number of its customers successfully infected by the Emotet banking trojan.

eSentire, a Cambridge, Ont.-based managed security provider, said last week the malware is being spread via fake invoice email attachments. The "invoice" is a Microsoft Word document that users are asked to download and then enable macros in; once enabled, the macro downloads the payload from command and control servers. After one machine is infected, the malware moves laterally through the network over SMB using the default ADMIN$ administrative share on Windows machines. Depending on the infected user's permission level, persistence is gained either through registry Run keys or by installing a service.

“Samples observed employed randomly generated file names by victim asset and altered its file composition on disk at regular intervals to evade detection based on file hash,” eSentire said in an advisory.
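The chain described above (macro-launched download, lateral movement over the ADMIN$ share, persistence via a Run key or a new service) and the hash-evasion eSentire describes in the quote both point at what a defender should log and correlate. The following Python is an added example written for this article, not eSentire's or Malwarebytes' code: it runs a simple behavioural rule over constructed Windows-style event records and then shows why a SHA-256 IOC list misses a payload that rewrites part of itself on disk. The event records are constructed, and the field names, host names, IPs, service names and the 300-second correlation window are this example's own assumptions.

```python
"""Added example: behaviour-based detection of an Emotet-style spread and
persistence chain over constructed Windows-style events, plus a demonstration
of why hash IOCs miss a self-modifying payload."""
import hashlib
from collections import defaultdict

ADMIN_SHARE = "ADMIN$"
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"
WINDOW = 300  # seconds; share access followed by persistence within this correlates

# Constructed sample events (not real telemetry). Event IDs mirror
# Security 5140 (network share accessed), System 7045 (service installed)
# and Sysmon 13 (registry value set); the field names are this example's own.
EVENTS = [
    {"ts": 100, "host": "WS01", "id": 5140, "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.15"},
    {"ts": 130, "host": "WS01", "id": 7045, "service": "xpt4kq9z",
     "image": "C:\\Windows\\xpt4kq9z.exe"},
    {"ts": 140, "host": "WS02", "id": 5140, "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.15"},
    {"ts": 170, "host": "WS02", "id": 13,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\w1nqz8",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\w1nqz8.exe"},
    # Benign noise: an IPC$ access, a legitimate Run key, and an ADMIN$ access
    # followed by a service install more than an hour later (outside the window).
    {"ts": 200, "host": "WS03", "id": 5140, "share": "\\\\*\\IPC$", "src_ip": "10.0.0.15"},
    {"ts": 210, "host": "WS04", "id": 13,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"ts": 5000, "host": "WS05", "id": 5140, "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.99"},
    {"ts": 9000, "host": "WS05", "id": 7045, "service": "Sysmon64",
     "image": "C:\\Windows\\Sysmon64.exe"},
]


def is_persistence(ev):
    """True for a service install or a write under a Run key."""
    if ev["id"] == 7045:
        return True
    return ev["id"] == 13 and RUN_KEY.lower() in ev["target"].lower()


def correlate(events, window=WINDOW):
    """Flag hosts where an ADMIN$ access is followed by persistence within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        admin_access = [e for e in evs if e["id"] == 5140 and e["share"].endswith(ADMIN_SHARE)]
        for a in admin_access:
            for p in evs:
                if is_persistence(p) and 0 <= p["ts"] - a["ts"] <= window:
                    hits.append({"host": host, "src_ip": a["src_ip"], "persistence": p})
    return hits


def fan_out(events, threshold=2):
    """Source IPs that touched ADMIN$ on at least `threshold` distinct hosts (lateral movement)."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and e["share"].endswith(ADMIN_SHARE):
            targets[e["src_ip"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) >= threshold}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a dropped binary; the last 4 bytes model a mutable
# trailer the malware rewrites at intervals, as eSentire describes.
ORIGINAL = b"MZ\x90\x00" + b"constructed-emotet-stand-in" + b"\x00\x00\x00\x00"
IOC_HASHES = {sha256(ORIGINAL)}


def mutate(payload: bytes, generation: int) -> bytes:
    """Same code, different bytes on disk: rewrite the 4-byte trailer."""
    return payload[:-4] + generation.to_bytes(4, "little")


def hash_ioc_hits(samples, iocs=IOC_HASHES):
    """Hash matching fires only on byte-identical copies."""
    return [sha256(s) in iocs for s in samples]


if __name__ == "__main__":
    for h in correlate(EVENTS):
        print(f"[!] {h['host']}: ADMIN$ access from {h['src_ip']} then event {h['persistence']['id']}")
    print("fan-out:", fan_out(EVENTS))
    print("hash IOC hits, original:", hash_ioc_hits([ORIGINAL]))
    print("hash IOC hits, mutated:", hash_ioc_hits([mutate(ORIGINAL, g) for g in range(1, 4)]))
```

In practice the same rule would be fed from a SIEM with Security 5140, System 7045 and Sysmon 13 events; the point is that share access plus persistence on the same host within minutes, and one source fanning out to many hosts' ADMIN$ share, survive the renaming and on-disk rewriting that defeat a hash list. Hash IOCs are still worth loading, but they only catch byte-identical copies.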

According to a detailed analysis of the trojan published earlier this year by Malwarebytes, Emotet, which has been around since 2014, has evaded many detection tools because its makers frequently change the code. These changes range from slight variations to drastic ones, such as moving from a VBA project to PowerShell scripting.


“Emotet is one of the most active threats seen in the wild, with campaigns serving this malware daily to potential victims across the globe,” said Malwarebytes. “The level of code obfuscation and encryption used to hide the code is quite complex and well-executed. In fact, it is one of the most complex downloaders in circulation.”

eSentire advises infosec pros to
