In the U.S., the Emotet iteration employs malicious PDF file attachments with a link to javascript.
In the U.S., the Emotet iteration employs malicious PDF file attachments with a link to javascript.

A banking trojan that was first reported in June 2014 targeting banks in Germany and Austria and later in Switzerland has made its way to these shores, according to a blog post from the Center for Internet Security (CIS).

The trojan arrives in phishing emails embedded in a malicious PDF targeting federal, state, local, tribal and territorial (FSLTT) government employees. The emails appear to be documents and invoices from well-known organizations but are fake.

Emotet is an iteration of the Feodo trojan family, the CIS explained, which also includes Bugat and Dridex.

While the campaigns seemed to subside in late 2015 and all through 2016, starting around mid-April Forcepoint researchers detected an Emotet variant being used in a spam campaign in the U.K.

Then, on April 27, the MS-ISAC detected a spam campaign against FSLTT government employees in the U.S., which has ssince grown to include financial sector targets as well.

While the latest campaign bears similarities to the earlier U.K. campaign, the CIS researchers pointed out that rather than attempting to dupe recipients with a fake phone bill with malicious links, as the U.K. spam did, the scourge in the U.S. employs malicious PDF file attachments with a link to javascript (JS) which recipients are prompted to click on. As well, rather than relying on fake invoices, as was the case in the U.K. campaign, subject lines of the new variants pretend to be billing notices or urgent reports.

"Once the .JS file is run, it makes HTTP GET requests over port 8080 to the command and control (C2) IP with what the MS-ISAC believes is identification data encrypted within an encoded cookie string," the CIS report stated. Researchers at both Forcepoint and MS-ISAC recognized that the .js strings in both the U.K. and U.S. campaigns were similar: heavily obfuscated and containing a large batch of junk code.

When asked how the attackers continue to alter their coding in these banking trojans, a spokesperson at MS-ISAC told SC Media on Wednesday that to their eye, this wasn't so much a coding change as it was using existing code with a new delivery method. 

"That being said, making slight modifications to the malicious code is a common practice to temporarily evade common detection techniques like anti-virus," the spokesperson told SC.

Although researchers at MS-ISAC have now seen it shift back to a more traditional method of embedding a malicious link in an email, there were two differences at the start of the campaign they observed. "The first was it shifted to a PDF document that was attached and contained a link for the victim to click."

That's not a huge change, the spokesperson said, and actually requires a bit more user interaction to be successful. "However, it does suggest the actors were experimenting with what may have worked for them in the past."

Additionally, the second area of interest is that this change in tactic occurred around the same time as when the campaign made its way to the United States.

Unfortunately, this new delivery method does not tell the researchers much about the coders.

"Their use of malicious PDF attachments is a well-known technique so it's not really an increase in sophistication. At most it suggests that the actors are looking for their campaign to be more successful and are trying to find a way to accomplish that. Since the campaign has now switched back to using a link within an email, it's possible that this particular tactic wasn't as successful as the actors had hoped for."