Banking Trojan Emotet Returns ‘With A Vengeance’ To Strike UK

The banking trojan Emotet has evolved, and a new variant is ‘now back with a vengeance’ with the UK in its sights.

This is the warning from security researcher Zscaler, which said that 76 percent of Emotet’s attacks so far have been aimed at the United Kingdom.

The trojan first reared its head back in 2014, and its main mission in life is to steal banking credentials and harvest emails.

Emotet Trojan

According to Zscaler the Emotet trojan is commonly distributed through documents with highly obfuscated macros. These macros contain “payloads to download and install the Trojan onto a victim’s machine.”

Emotet has also been known to download other malware nastiness on infected hosts and three years ago it “wreaked havoc in Europe and the United States.”

But now the Zscaler Threat Research team has been monitoring the new variant of Emotet since April 2017 and has recently seen a spike in Emotet-related spam activity.

Emotet is described as multi-component malware which specialises in stealing credentials from browsers and mail clients. It also conducts bank theft via man-in-the-browser attack, email harvesting and propagation through spam emails from infected systems.

These spam campaigns often contain a malicious file attachment or a link to a malicious URL hosting a JavaScript or a document file. This in turn downloads and installs the Emotet payload.

But the new variant is utilising malicious files with highly obfuscated macros to serve the Emotet payload.

“Obfuscated VBS macro code contains predetermined URLs with code to download and install Emotet payload on the victim machine,” warned Zscaler. “The downloaded executable is packed with a custom packer which has encrypted data hiding the Emotet executable and the code to load it. When executed, this data is decrypted in the memory using a custom algorithm.”

“Upon successful infection, Emotet registers the compromised host with the C&C server by sending information such as computer name, CPU architecture and OS version, as well as a list of active processes and whether they were executed with administrator privilege,” the security specialist warned.
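As an added, defender-side example of the distribution method described above (this is not code from Zscaler or from the article), the Python function below triages an OOXML attachment the way a mail-gateway filter might: it checks for a VBA project part and flags auto-execute keywords, download-capable calls and hard-coded URLs. The keyword lists, the scoring and the constructed sample document are assumptions for illustration.

```python
import io
import re
import zipfile

# Keyword lists are illustrative assumptions for this example, not indicators
# published by Zscaler for this Emotet campaign.
AUTO_EXEC = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"AutoExec")
DOWNLOAD_EXEC = (b"URLDownloadToFile", b"XMLHTTP", b"WScript.Shell", b"Shell(",
                 b"powershell")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_-]+")


def triage_office_doc(data: bytes) -> dict:
    """Report macro-related risk signals for an OOXML (docx/docm/xlsm) attachment."""
    result = {"has_macro": False, "auto_exec": False, "download_exec": False,
              "urls": [], "score": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML container; leave to other scanners
    # Macro-enabled OOXML files carry the VBA project in a vbaProject.bin part.
    vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    if not vba_parts:
        return result
    result["has_macro"] = True
    result["score"] += 1
    blob = b"".join(zf.read(n) for n in vba_parts)
    if any(k in blob for k in AUTO_EXEC):      # runs without user interaction
        result["auto_exec"] = True
        result["score"] += 2
    if any(k in blob for k in DOWNLOAD_EXEC):  # can fetch and run a payload
        result["download_exec"] = True
        result["score"] += 2
    result["urls"] = sorted({m.decode() for m in URL_RE.findall(blob)})
    if result["urls"]:                         # hard-coded download locations
        result["score"] += 1
    return result


def build_sample_docm(vba_blob=None) -> bytes:
    """Construct a minimal in-memory document for testing (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_blob is not None:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()
```

A real vbaProject.bin stores the macro source compressed (MS-OVBA), so the raw-byte search here is only a heuristic; a production scanner would decompress the VBA streams first, for example with oletools' olevba, before applying such checks.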


Banking Trojan

Zscaler ThreatLabZ said it was actively monitoring this threat and will continue to ensure coverage for Zscaler customers.

Banking trojans are unfortunately fairly common nowadays. In April, IBM security researchers warned about a change in tactics by the operators of the TrickBot Trojan.

The researchers found that private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company were now in its cross-hairs.

Also this year security specialists Dr Web found a banking trojan based on the source code of the infamous Zeus malware.

Dubbed Trojan.PWS.Sphinx.2, that trojan’s main purpose is to inject malicious content into webpages, for example a fake form for entering login and password details, so that cyber criminals can secretly harvest credentials from people browsing the web.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
