New variant of Emotet loader spreads internally like worm

Samples of the malicious downloader Emotet have begun to surface with the ability to propagate internally across a network, using credential brute-force techniques.

The latest evolution of the trojan, which typically drops credential stealers and banking trojans, was reported today in a Fidelis Cybersecurity blog post that suggests the actors behind the campaign may have been inspired by the Wannacry and NotPetya malware attacks that leveraged worm capabilities in order to spread rapidly across networks.

"It stands to reason that crimeware authors have taken note of the broad impact observed in these particular events and are looking to incorporate spreader components in their toolkits," the post reads. "The Wannacry and Petya campaigns have clearly demonstrated how inclusion of other techniques like credential dumpers (Mimikatz) and exploits (EternalBlue) can greatly accelerate propagation across enterprises."

Fidelis researchers started to suspect that some versions of Emotet became wormable over a month ago. Further research yielded the discovery of a self-extracting RAR file containing two files, including a "spreader bypass" component. This component, Fidelis explains, is "responsible for enumerating network resources to find shares that it can write to or trying to brute credentials so it can write. After finding available systems it then writes the service component and creates a service on the remote system."

Because the spreader package in the newer, wormable Emotet variant is not wrapped in the manner that traditional versions are, Fidelis researchers theorize that this package may not actually be a direct component of Emotet, but rather something that is delivered by one specific threat actor using the malware.
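The spreader behaviour Fidelis describes above (brute-forcing credentials against network resources, then writing a service component and creating a service on the remote system) leaves a recognisable trail in Windows event logs. The following added example, written for this article and not code from Fidelis or from the malware, correlates constructed Security-log records (4625 failed logon, 4624 successful network logon) with a System-log 7045 "new service installed" record on the same target host; the event field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log records (not from the article), already normalised to
# dicts. 4625 = failed logon, 4624 = successful logon (logon_type 3 = network),
# 7045 = new service installed on the host. Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2017-07-28T10:00:01", "id": 4625, "src": "WS-17", "dst": "FS-01", "user": "admin"},
    {"ts": "2017-07-28T10:00:02", "id": 4625, "src": "WS-17", "dst": "FS-01", "user": "admin"},
    {"ts": "2017-07-28T10:00:03", "id": 4625, "src": "WS-17", "dst": "FS-01", "user": "admin"},
    {"ts": "2017-07-28T10:00:04", "id": 4625, "src": "WS-17", "dst": "FS-01", "user": "admin"},
    {"ts": "2017-07-28T10:00:05", "id": 4625, "src": "WS-17", "dst": "FS-01", "user": "admin"},
    {"ts": "2017-07-28T10:00:09", "id": 4624, "src": "WS-17", "dst": "FS-01", "user": "admin", "logon_type": 3},
    {"ts": "2017-07-28T10:00:15", "id": 7045, "dst": "FS-01", "user": "admin", "service": "updsvc"},
    # Benign: one mistyped password, then a normal logon and a scheduled patch install.
    {"ts": "2017-07-28T11:00:01", "id": 4625, "src": "WS-02", "dst": "FS-02", "user": "jdoe"},
    {"ts": "2017-07-28T11:00:05", "id": 4624, "src": "WS-02", "dst": "FS-02", "user": "jdoe", "logon_type": 3},
    {"ts": "2017-07-28T11:00:30", "id": 7045, "dst": "FS-02", "user": "jdoe", "service": "patchagent"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def find_spreader_patterns(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag (src, dst) pairs where a burst of failed network logons is followed,
    inside `window`, by a successful network logon and a new service on dst."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    failures = defaultdict(list)   # (src, dst) -> timestamps of 4625 events
    brute_then_logon = {}          # (src, dst) -> (logon ts, failure count)
    alerts = []
    for e in events:
        t = parse_ts(e["ts"])
        if e["id"] == 4625:
            failures[(e["src"], e["dst"])].append(t)
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            key = (e["src"], e["dst"])
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= min_failures:
                brute_then_logon[key] = (t, len(recent))
        elif e["id"] == 7045:
            # 7045 is written on the target and carries no source host, so match
            # it against every suspicious logon that recently hit this host.
            for (src, dst), (lt, n) in list(brute_then_logon.items()):
                if dst == e["dst"] and t - lt <= window:
                    alerts.append({"src": src, "dst": dst, "failed_logons": n,
                                   "service": e.get("service")})
                    del brute_then_logon[(src, dst)]
    return alerts

if __name__ == "__main__":
    for a in find_spreader_patterns(SAMPLE_EVENTS):
        print(f"ALERT: {a['src']} -> {a['dst']}: {a['failed_logons']} failed logons, "
              f"then service '{a['service']}' installed")
```

Tune `min_failures` and `window` to the environment's normal failed-logon rate; the benign block in the sample shows why a single failure followed by a service install should not fire on its own.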

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
