Security researchers are seeing signs that the Emotet banking trojan is about to awaken from its latest hiatus by deploying newly improved credential- and email-stealing modules.
Emotet last came to life in January 2020, but analysts with the Herjavec Group believe the new modules are being put in place as a first step toward a new phishing campaign. If and when it launches, targets will face anti-malware evasion and a hashbusting implementation that together make it more dangerous than previous versions. Hashbusting ensures that the malware carries a different file hash on each system it infects, so detections and blocklists keyed on file hashes will not match; defenders have to rely on behavioural, network or structural indicators instead.
Among the technical changes, the malware code has been reworked to use a state machine that obfuscates control flow. Branches are flattened into nested loops (control-flow flattening), so the code blocks can appear in any order in the binary while the state machine still executes them in the intended sequence at run time.
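To make the flattening concrete, here is an added example written for this page; it is not Emotet's code and not taken from the Herjavec Group analysis, and the checksum routine, state names and sample inputs are all constructed. The same small routine is shown once with ordinary control flow and once flattened into a state-machine dispatcher, with the cases deliberately listed out of order to show that layout no longer reveals execution order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for any block-structured routine (not malware code):
   an FNV-1a style accumulator with a data-dependent branch in the loop body. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        acc ^= buf[i];
        acc *= 16777619u;                      /* FNV-1a prime */
        if (acc & 1u)
            acc = (acc << 3) | (acc >> 29);    /* odd: rotate left by 3 */
        else
            acc += 0x9E3779B9u;                /* even: add a constant */
    }
    return acc ^ (uint32_t)len;
}

/* Hypothetical state labels for the flattened version. Each original basic
   block becomes one case; the value of `state` selects the next block. */
enum { S_EXIT = 0, S_INIT, S_LOOP_TEST, S_XOR_MUL, S_BRANCH,
       S_ODD, S_EVEN, S_NEXT, S_FINISH };

/* Same semantics as checksum_plain, after control-flow flattening: the
   structured if/else and for-loop are gone, replaced by one dispatch loop.
   The cases are intentionally out of order; only the state transitions
   encode the real sequence, which is what a disassembler's CFG view loses. */
uint32_t checksum_flattened(const uint8_t *buf, size_t len) {
    uint32_t acc = 0, result = 0;
    size_t i = 0;
    int state = S_INIT;
    for (;;) {
        switch (state) {
        case S_ODD:                                /* rotate branch */
            acc = (acc << 3) | (acc >> 29);
            state = S_NEXT;
            break;
        case S_FINISH:                             /* loop exit: fold in length */
            result = acc ^ (uint32_t)len;
            state = S_EXIT;
            break;
        case S_INIT:                               /* prologue */
            acc = 0x811C9DC5u;
            i = 0;
            state = S_LOOP_TEST;
            break;
        case S_NEXT:                               /* loop increment */
            i++;
            state = S_LOOP_TEST;
            break;
        case S_LOOP_TEST:                          /* loop condition */
            state = (i < len) ? S_XOR_MUL : S_FINISH;
            break;
        case S_EVEN:                               /* add-constant branch */
            acc += 0x9E3779B9u;
            state = S_NEXT;
            break;
        case S_XOR_MUL:                            /* loop body, first half */
            acc ^= buf[i];
            acc *= 16777619u;
            state = S_BRANCH;
            break;
        case S_BRANCH:                             /* the original if/else */
            state = (acc & 1u) ? S_ODD : S_EVEN;
            break;
        case S_EXIT:
            return result;
        }
    }
}

/* Returns 1 if both versions agree on a set of constructed inputs, else 0. */
int flattening_preserves_semantics(void) {
    static const char *samples[] = { "", "Emotet", "proof-of-delivery.doc",
                                     "enable macros to view this document" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t n = 0;
        while (samples[k][n] != '\0') n++;
        const uint8_t *p = (const uint8_t *)samples[k];
        if (checksum_plain(p, n) != checksum_flattened(p, n))
            return 0;
    }
    return 1;
}

int main(void) {
    const uint8_t *p = (const uint8_t *)"Emotet";
    printf("plain=%08x flattened=%08x agree=%d\n",
           checksum_plain(p, 6), checksum_flattened(p, 6),
           flattening_preserves_semantics());
    return 0;
}
```

In a disassembler the flattened function shows up as a single loop around a jump table rather than a recognisable if/else and for-loop shape, and recovering the logic means tracking the state variable through each case; signatures that keyed on the shape or ordering of the original basic blocks no longer match, which is why the write-up pairs this change with hashbusting.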
Emotet’s last wave of attacks started on January 13, 2020, with a strong focus on the U.S., after a three-week break in activity. Reportedly, many of the phishing emails at the time carried business-themed Microsoft Word attachments such as proof-of-delivery documents and agreements. Users who opened these attachments and enabled the embedded malicious macros were infected with Emotet.
It is not known how an upcoming attack may present itself, but Herjavec Group recommends:
- Block email attachments commonly associated with malware (e.g., .dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object (GPO) and firewall rules, for example GPO settings that block Office macros in documents received from the internet.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.