Delaware, USA – October 9, 2018 — Security researcher Vishal Thakur dissected the newest version of the Emotet downloader and found several new features that make the malware stealthier and more effective. The attackers switched to another obfuscation pattern to complicate detection, and the downloader now drops a copy of Powershell.exe into the Temp folder and executes that copy. The new version also carries only a single payload URI.
Emotet is distributed through phishing emails carrying a Word document with a malicious macro. If the targeted user enables macros, the macro creates a new folder under the Temp directory and copies the contents of the Windows PowerShell folder into it. It then copies Powershell.exe into a new file and launches it to run the rest of the macro's code, which downloads and installs the final payload. Running a copied Powershell.exe helps the malware slip past security controls that key on the process name or path: basic path-based application whitelisting, and Windows Firewall rules configured to stop the stock PowerShell binary from downloading files from the Internet.
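Because the technique above relies on the defender matching only the well-known PowerShell path, a detection that instead matches the binary wherever it runs (and its PE version information, which survives a rename) catches it. The following is an added example written for this page, not code from the researcher or from SOC Prime; it runs over constructed Sysmon-style process-creation records with assumed field names (Image, ParentImage, OriginalFileName) and flags a PowerShell binary executed outside its stock directories, a renamed PowerShell binary, and PowerShell spawned by an Office application.

```python
import ntpath
from typing import Dict, List

# Directories where powershell.exe lives on a stock Windows install.
# Anything else (e.g. a Temp subfolder) is the copy-and-run trick described above.
LEGIT_POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Office processes that have no business spawning PowerShell (assumption for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' Sysmon-style record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def powershell_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event looks like evasive PowerShell use.

    An empty list means the event is not PowerShell or is PowerShell run from its
    stock location by a non-Office parent.
    """
    findings: List[str] = []
    image = event.get("Image", "")
    image_dir = ntpath.dirname(image).lower()
    image_name = ntpath.basename(image).lower()
    # OriginalFileName comes from the PE version resource, so it still says
    # PowerShell.EXE even when the file on disk has been renamed.
    original = event.get("OriginalFileName", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()

    if image_name != "powershell.exe" and original != "powershell.exe":
        return findings  # not PowerShell at all

    if image_dir not in LEGIT_POWERSHELL_DIRS:
        findings.append(f"PowerShell executed from unexpected path: {image}")
    if image_name != "powershell.exe" and original == "powershell.exe":
        findings.append(f"renamed PowerShell binary running as {image_name}")
    if parent in OFFICE_PARENTS:
        findings.append(f"PowerShell spawned by Office process {parent}")
    return findings


def scan(lines: List[str]) -> List[List[str]]:
    """Run the check over a batch of records; one findings list per record."""
    return [powershell_findings(parse_event(line)) for line in lines]


# Constructed sample records (not real telemetry): a benign launch, a copied
# binary run from Temp by Word, a renamed copy, and an unrelated process.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|OriginalFileName=PowerShell.EXE|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\abc123\powershell.exe"
    r"|OriginalFileName=PowerShell.EXE"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Users\alice\AppData\Local\Temp\abc123\updater.exe"
    r"|OriginalFileName=PowerShell.EXE"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\notepad.exe"
    r"|OriginalFileName=NOTEPAD.EXE|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(parse_event(line)["Image"])
        for hit in hits:
            print("  ALERT:", hit)
```

The point of matching on OriginalFileName as well as the on-disk name is that a whitelist or firewall rule written against `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` is exactly what the Temp-folder copy defeats; a rule that asks "is this binary PowerShell, and is it where PowerShell should be" does not have that gap.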
Malware authors keep evolving their techniques to maximize profit. This summer they updated the Emotet banking trojan, and its infrastructure is now used to deliver malware on behalf of other cybercriminals. To detect this activity in your SIEM, you can use the APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-arcsight