Emotet Banking Trojan Family Re-emerges, Taps Malicious PDF/Doc Files to Spread
The Emotet family of banking malware has been making an enormous resurgence for a couple of weeks now, targeting bank customers with a new batch of trojan-laden spam email. The new strain is capable of scanning the victim's user account, including any archived emails containing banking information. According to ESET, a mainstream antivirus vendor, Emotet's authors released the new variant into the wild en masse in order to make headlines.
“According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Breaking those detections down by country, this latest Emotet campaign appears to be most active in the Americas, the UK, Turkey, and South Africa. In the November 2018 campaign, Emotet makes use of malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts, etc., seemingly coming from legitimate organizations. Alternately, the emails contain malicious links instead of attachments. The email subjects used in the campaign suggest a targeting of English and German-speaking users,” explained ESET on its official blog.
Sample emails carrying the malicious PDF files that deliver Emotet's payload were submitted to ESET. One of them was a specially crafted email posing as an official Bank of America message, complete with the bank's logo and a very convincing social engineering appeal to the bank's customer. The moment the user opens the PDF attached to the malicious email, the computer starts downloading the harmful payload in the background without the user's knowledge. The same applies to the malicious .doc attachment counterpart.
“The compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization. (When) the victim enables macros in Word or clicks on the link in the PDF. The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C&C server. In turn, it receives instructions on which attack modules and secondary payloads to download. The modules extend the initial payload’s functionality with one or more of credential-stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities,” added ESET.
ESET has published the SHA-1 hashes of Emotet and its companion modules, for system administrators who want to inspect the samples' operation further:
Main Emotet module (SHA-1):
- 51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF
- EA51627AF1F08D231D7939DC4BA0963ED4C6025F
- 3438C75C989E83F23AFE6B19EF7BEF0F46A007CF
- 00D5682C1A67DA31929E80F57CA26660FDEEF0AF
Modules:
- 0E853B468E6CE173839C76796F140FB42555F46B
- 91DD70BBFF84D600142BA32C511D5B76BF7E351
- BACF1A0AD9EA9843105052A87BFA03E0548D2CDD
- A560E7FF75DC25C853BB6BB286D8353FE575E8ED
- 12150DEE07E7401E0707ABC13DB0E74914699AB4
- E711010E087885001B6755FF5E4DF1E4B9B46508
TrickBot Payload:
- B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1
- 9E111A643BACA9E2D654EEF9868D1F5A3F9AF767
IcedId Payload:
- 0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3
ESET's research team also published Emotet's command-and-control servers, as of Nov 9, 2018:
- 187.163.174[.]149:8080
- 70.60.50[.]60:8080
- 207.255.59[.]231:443
- 50.21.147[.]8:8090
- 118.69.186[.]155:8080
- 216.176.21[.]143:80
- 5.32.65[.]50:8080
- 96.246.206[.]16:80
- 187.163.49[.]123:8090
- 187.207.72[.]201:443
- 210.2.86[.]72:8080
- 37.120.175[.]15:80
- 77.44.98[.]67:8080
- 49.212.135[.]76:443
- 216.251.1[.]1:80
- 189.130.50[.]85:80
- 159.65.76[.]245:443
- 192.155.90[.]90:7080
- 210.2.86[.]94:8080
- 198.199.185[.]25:443
- 23.254.203[.]51:8080
- 67.237.41[.]34:8443
- 148.69.94[.]166:50000
- 107.10.139[.]119:443
- 186.15.60[.]167:443
- 133.242.208[.]183:8080
- 181.229.155[.]11:80
- 69.198.17[.]20:8080
- 5.9.128[.]163:8080
- 104.5.49[.]54:8443
- 139.59.242[.]76:8080
- 181.27.126[.]228:990
- 165.227.213[.]173:8080
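The infection chain quoted above ends with the payload reporting to its C&C server, and the two lists ESET published are exactly what a defender feeds into hash lookups and egress monitoring. The script below is an added example, not ESET's code or a tool from the article: it loads the page's own SHA-1 and C&C indicators, validates the hashes (rejecting any entry that is not 40 hex digits rather than loading an indicator that can never match), refangs the `[.]` notation, and checks constructed egress log lines and a constructed file against them. The log format, the `scan_egress_log`/`is_known_sample` function names and the sample data are assumptions made for this example.

```python
import hashlib
import re

# Indicators copied from the ESET list reproduced above, in page order:
# 4 main-module hashes, 6 module hashes, 2 TrickBot payloads, 1 IcedId payload.
EMOTET_SHA1_RAW = """
51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF EA51627AF1F08D231D7939DC4BA0963ED4C6025F
3438C75C989E83F23AFE6B19EF7BEF0F46A007CF 00D5682C1A67DA31929E80F57CA26660FDEEF0AF
0E853B468E6CE173839C76796F140FB42555F46B 91DD70BBFF84D600142BA32C511D5B76BF7E351
BACF1A0AD9EA9843105052A87BFA03E0548D2CDD A560E7FF75DC25C853BB6BB286D8353FE575E8ED
12150DEE07E7401E0707ABC13DB0E74914699AB4 E711010E087885001B6755FF5E4DF1E4B9B46508
B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1 9E111A643BACA9E2D654EEF9868D1F5A3F9AF767
0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3
""".split()

# C&C list as of Nov 9, 2018, kept in the defanged "[.]" form ESET published.
C2_DEFANGED = """
187.163.174[.]149:8080 70.60.50[.]60:8080 207.255.59[.]231:443 50.21.147[.]8:8090
118.69.186[.]155:8080 216.176.21[.]143:80 5.32.65[.]50:8080 96.246.206[.]16:80
187.163.49[.]123:8090 187.207.72[.]201:443 210.2.86[.]72:8080 37.120.175[.]15:80
77.44.98[.]67:8080 49.212.135[.]76:443 216.251.1[.]1:80 189.130.50[.]85:80
159.65.76[.]245:443 192.155.90[.]90:7080 210.2.86[.]94:8080 198.199.185[.]25:443
23.254.203[.]51:8080 67.237.41[.]34:8443 148.69.94[.]166:50000 107.10.139[.]119:443
186.15.60[.]167:443 133.242.208[.]183:8080 181.229.155[.]11:80 69.198.17[.]20:8080
5.9.128[.]163:8080 104.5.49[.]54:8443 139.59.242[.]76:8080 181.27.126[.]228:990
165.227.213[.]173:8080
""".split()

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def normalize_hashes(raw):
    """Lower-case the hashes and split well-formed SHA-1s (exactly 40 hex digits)
    from entries that cannot be a SHA-1 as written. Malformed entries are reported
    instead of silently loaded, since they would never match a real file."""
    valid, rejected = set(), []
    for entry in raw:
        if SHA1_RE.match(entry):
            valid.add(entry.lower())
        else:
            rejected.append(entry)
    return valid, rejected


def refang(entry):
    """Convert '187.163.174[.]149:8080' into ('187.163.174.149', 8080)."""
    host, port = entry.replace("[.]", ".").rsplit(":", 1)
    return host, int(port)


def build_c2_set(defanged):
    return {refang(e) for e in defanged}


# Assumed egress log format for this example: "<timestamp> <src> -> <dst>:<port> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)")


def scan_egress_log(lines, c2, match_port=True):
    """Return (timestamp, source, (host, port)) for every line whose destination is a
    listed C&C. With match_port=False any port on a listed host counts, the looser
    policy some teams apply to IPs they treat as wholly attacker-controlled."""
    hosts = {host for host, _ in c2}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m.group("dst"), int(m.group("port")))
        if (key in c2) if match_port else (key[0] in hosts):
            hits.append((m.group("ts"), m.group("src"), key))
    return hits


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def is_known_sample(data, known_hashes):
    """Check file contents (e.g. an extracted mail attachment) against the hash set."""
    return sha1_of_bytes(data) in known_hashes


# Constructed sample log lines, not real traffic. The 216.251.1.1:443 line shows that
# the port-aware match ignores a listed host contacted on an unlisted port.
SAMPLE_LOG = [
    "2018-11-09T10:01:12Z 10.0.0.23 -> 203.0.113.10:443 200",
    "2018-11-09T10:02:45Z 10.0.0.23 -> 187.163.174.149:8080 200",
    "2018-11-09T10:03:02Z 10.0.0.41 -> 216.251.1.1:443 200",
    "2018-11-09T10:04:19Z 10.0.0.41 -> 5.9.128.163:8080 200",
]


if __name__ == "__main__":
    known, bad = normalize_hashes(EMOTET_SHA1_RAW)
    print(f"{len(known)} usable SHA-1 indicators; rejected as malformed: {bad}")
    c2 = build_c2_set(C2_DEFANGED)
    for ts, src, (host, port) in scan_egress_log(SAMPLE_LOG, c2):
        print(f"{ts} {src} contacted Emotet C&C {host}:{port}")
    print("constructed PDF matches an IoC:", is_known_sample(b"%PDF-1.4 constructed sample", known))
```

Running it reports one of the thirteen published hashes as malformed (it is 39 hex digits as reproduced above, so it cannot match any file until the full value is obtained from the original source), flags the two sample connections that hit a listed host on its listed port, and shows how switching to host-only matching catches the third. Whether to alert on host-only matches is a policy choice: server IPs can be shared hosting, so the port-aware match has fewer false positives, while the looser match catches C&C that has moved ports.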