Delaware, USA – November 23, 2018 – First seen four years ago, the Emotet banking trojan continues to evolve and to use new tricks to infect its victims. Late last month, the attackers added an email harvesting module, and the malware started to exfiltrate the subjects and bodies of any message sent or received in the past 180 days. The new module is not bundled by default but is loaded from the command and control servers. The module poses the biggest threat to organizations, since email bodies may contain sensitive information that can be used to prepare targeted attacks. In mid-November, the malware operators launched their first campaigns using the information gathered. Researchers at Cofense discovered campaigns that effectively spoof major US financial institutions, in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service, which increases the chances of malware infection. In these campaigns, Emotet was used to deliver the IcedID banking trojan.
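Wrapped URL Defense links hide the real destination from a reader of the message, so a defender reviewing a suspicious email needs to unwrap them before judging where they lead. The script below is an added example for this article, not code from the article, Cofense or Proofpoint: it decodes the publicly documented v1 and v2 URL Defense formats (v3 is not handled and is reported as unsupported) and flags destinations outside a trusted host list. The sample email body, the trusted host list and all rewrite parameter values (d, c, r, m, s, k) are constructed for the example.

```python
"""Unwrap Proofpoint URL Defense v1/v2 links and flag untrusted destinations.

Added example (not the article's, Cofense's or Proofpoint's code). It relies on
the documented v1/v2 rewrite formats; v3 links are reported as unsupported.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

WRAPPER_HOST = "urldefense.proofpoint.com"
# Matches a wrapped link up to the first whitespace or quote/angle bracket.
WRAPPED_LINK_RE = re.compile(
    r"https?://urldefense\.proofpoint\.com/v\d/url\?[^\s<>\"']+", re.I
)


def unwrap_urldefense(link: str) -> Optional[str]:
    """Return the original URL behind a v1/v2 URL Defense link, else None."""
    parsed = urlparse(link)
    if parsed.netloc.lower() != WRAPPER_HOST:
        return None
    encoded = parse_qs(parsed.query).get("u", [None])[0]
    if encoded is None:
        return None
    if parsed.path == "/v1/url":
        # v1 carries the original URL as ordinary percent-encoding, which
        # parse_qs has already decoded once.
        return encoded
    if parsed.path == "/v2/url":
        # v2 substitutes '-' for '%' and '_' for '/' before wrapping; reverse
        # that substitution, then percent-decode.
        return unquote(encoded.replace("-", "%").replace("_", "/"))
    return None  # v3 or unknown layout: not decoded here


def review_links(text: str, trusted_hosts: Iterable[str]) -> List[dict]:
    """Find wrapped links in an email body and flag untrusted destinations."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for wrapped in WRAPPED_LINK_RE.findall(text):
        destination = unwrap_urldefense(wrapped)
        host = urlparse(destination).netloc.lower() if destination else None
        findings.append({
            "wrapped": wrapped,
            "destination": destination,
            "host": host,
            # Flag anything we could not decode or that leaves the trusted set.
            "flag": destination is None or host not in trusted,
        })
    return findings


# Constructed sample body: one v2 link to a trusted host, one v1 link elsewhere.
SAMPLE_BODY = (
    "Please review your account: "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_login-3Facct-3D1234"
    "&d=DwMFaQ&c=c1&r=r1&m=m1&s=s1&e= \n"
    "Attached statement: "
    "https://urldefense.proofpoint.com/v1/url?u=http%3A%2F%2Fexample.org%2Fdoc.xml&k=AbCd\n"
)

if __name__ == "__main__":
    for finding in review_links(SAMPLE_BODY, {"www.example.com"}):
        status = "FLAG" if finding["flag"] else "ok"
        print(f"{status:4} {finding['destination']}  <-  {finding['wrapped']}")
```

Run against a real message, the flagged rows are the links worth a closer look: a wrapper from a legitimate security product says nothing about the destination, so the decoded host, not the presence of the wrapper, is what the triage decision should rest on.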
On 19 November, the adversaries started a US-centric Thanksgiving-themed campaign distributing malicious XML files instead of the traditional Word documents. Emotet is currently one of the most active threats targeting systems running Microsoft Windows.
You can use Netflow Security Monitor to uncover suspicious traffic spikes or data exfiltration attempts and Windows Security Monitor to spot suspicious operations in your corporate network.