A banking Trojan dubbed Emotet, first reported in 2014, has returned and is targeting users in the UK with phishing emails carrying documents that install the Trojan on victims' PCs.
The new variant of the Emotet Trojan appears to be targeting the UK, with more than three-quarters of attacks reported in the UK, according to security software company Zscaler.
The Trojan is spread via phishing emails and, if activated, steals banking credentials and email addresses. It is commonly distributed through documents attached to phishing emails, containing what Zscaler describes as highly obfuscated macros that serve payloads to download and install the Trojan on a victim's machine.
Furthermore, warns Zscaler, there have also been reports that the Trojan can spread via network exploits, presumably using the US National Security Agency exploits 'showcased' in the recent WannaCry and NotPetya malware outbreaks. However, these reports have yet to be confirmed, and Zscaler admits that such features have not yet been identified in the malware.
Emotet first emerged in 2014 when it wreaked havoc in the US and Europe, according to Zscaler, but has re-emerged this year, with the first reports coming in April 2017.
"Emotet is a multi-component malware which specialises in a multitude of nefarious activities, including stealing credentials from browsers and mail clients, banking theft via Man-in-the-Browser attack, email harvesting and propagation through spam emails from infected systems," warns Zscaler in its report.
The code is encrypted to hide the attack from security software: "[It] is decrypted in the memory using a custom algorithm involving 'Base-64 decode' and 'XOR'. A new process is created in suspended mode and the decrypted Emotet binary is written in the address space of this process."
A new process and system service are created in Windows and, once the service is started, a Windows API is invoked to periodically trigger the core malicious code, which is responsible for communicating with the command and control (C&C) servers, sending collected information, and awaiting commands from the server.
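The decryption scheme Zscaler describes (a Base64 decode combined with XOR) is the kind of layer an analyst strips off a sample before looking at the embedded executable. The following is an added example written for this page, not code from Zscaler's report or from the malware: a small Python triage helper that applies the two steps to a constructed stand-in blob and validates a candidate key by checking for the "MZ" header of a Windows executable. The order of operations (decode first, then XOR), the repeating-key XOR, the sample payload and the function names are all assumptions; the report does not give the key length or the exact algorithm.

```python
import base64

# Constructed sample: a stand-in payload that begins with a PE "MZ" header.
# This is NOT Emotet code; it exists only so the decoder has something to run on.
FAKE_PE = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (XOR is its own inverse, so this
    both applies and removes the mask)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_constructed_sample(key: bytes) -> str:
    """Produce a base64 string of the XOR-masked stand-in payload.
    Test fixture only: the real encoding details are not on the page."""
    return base64.b64encode(xor_bytes(FAKE_PE, key)).decode("ascii")


def deobfuscate(blob_b64: str, key: bytes) -> bytes:
    """Analyst helper: base64-decode, then XOR with the candidate key.
    Decode-then-XOR order is an assumption, not something the report states."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decoded blob is a Windows executable image."""
    return data[:2] == b"MZ"


def recover_single_byte_key(blob_b64: str):
    """Try all 256 single-byte keys and return the one that yields an MZ
    header, or None if no single-byte key produces one (e.g. a longer key)."""
    raw = base64.b64decode(blob_b64)
    for k in range(256):
        if looks_like_pe(xor_bytes(raw, bytes([k]))):
            return k
    return None


if __name__ == "__main__":
    sample = build_constructed_sample(b"\x5a")
    key = recover_single_byte_key(sample)
    print("recovered key:", key)  # 90
    print("decoded header:", deobfuscate(sample, bytes([key]))[:2])  # b'MZ'
```

The MZ check is deliberately weak: it is a first-pass filter for choosing among candidate keys, after which the recovered bytes should be handed to a proper PE parser and to the sandbox rather than trusted on the strength of two bytes.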